Merge pull request #3237 from splunk/aws_asl_detections
Improved ASL AWS detections
Showing 29 changed files with 1,054 additions and 98 deletions.
@@ -0,0 +1,13 @@ | ||
name: ASL AWS CloudTrail | ||
id: 1dcf9cfb-0e91-44c6-81b3-61b2574ec898 | ||
version: 1 | ||
date: '2025-01-14' | ||
author: Patrick Bareiss, Splunk | ||
description: Data source object for ASL AWS CloudTrail | ||
source: aws_asl | ||
sourcetype: aws:asl | ||
separator: api.operation | ||
supported_TA: | ||
- name: Splunk Add-on for AWS | ||
url: https://splunkbase.splunk.com/app/1876 | ||
version: 7.9.0 |
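Review bot: the `description:` line only restates the name ("Data source object for ASL AWS CloudTrail"); it should say what the object represents, namely CloudTrail events delivered through Amazon Security Lake and queried through the OCSF-style fields the detections in this PR rely on (`api.operation`, `actor.user.uid`, `api.request.data`, `src_endpoint.ip`), so a reader of a detection that lists `ASL AWS CloudTrail` under `data_source` knows which event shape to expect. Minor: `date: '2025-01-14'` is a month later than the `'2024-12-12'` date on the detections that reference it; worth aligning.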
@@ -0,0 +1,55 @@ | ||
name: ASL AWS Create Access Key | ||
id: 81a9f2fe-1697-473c-af1d-086b0d8b63c8 | ||
version: 1 | ||
date: '2024-12-12' | ||
author: Patrick Bareiss, Splunk | ||
status: production | ||
type: Hunting | ||
description: The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment. | ||
data_source: | ||
- ASL AWS CloudTrail | ||
search: '`amazon_security_lake` api.operation=CreateAccessKey | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_create_access_key_filter`' | ||
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. | ||
known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. | ||
references: | ||
- https://bishopfox.com/blog/privilege-escalation-in-aws | ||
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ | ||
tags: | ||
analytic_story: | ||
- AWS IAM Privilege Escalation | ||
asset_type: AWS Account | ||
confidence: 90 | ||
impact: 70 | ||
message: User $user$ is attempting to create access keys | ||
mitre_attack_id: | ||
- T1136.003 | ||
- T1136 | ||
observable: | ||
- name: src_ip | ||
type: IP Address | ||
role: | ||
- Attacker | ||
- name: user | ||
type: User | ||
role: | ||
- Victim | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
required_fields: | ||
- api.operation | ||
- actor.user.uid | ||
- actor.user.account.uid | ||
- http_request.user_agent | ||
- src_endpoint.ip | ||
- src_endpoint.domain | ||
- cloud.region | ||
risk_score: 63 | ||
security_domain: network | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/asl_ocsf_cloudtrail.json | ||
sourcetype: aws:asl | ||
source: aws_asl |
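Review bot: the search does not implement what the description promises. The description says the analytic fires when "the user creating the access key is different from the user for whom the key is created", but the SPL only filters `api.operation=CreateAccessKey` and aggregates by `actor.user.uid`; the target user name carried in `api.request.data` is never extracted or compared, so every key creation, including a user creating a key for themselves, is reported. Extract the request parameters first (`| spath input=api.request.data`, as the other searches in this PR do) and add a condition comparing the requested user name with `actor.user.uid` before the `stats`. Two smaller points: `src_endpoint.domain` is listed under `required_fields` but never used by the search, and `security_domain: network` is an odd fit for an IAM key-creation analytic; the GetPasswordData and RDS detections in this PR use `threat`.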
61 changes: 61 additions & 0 deletions
detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml
@@ -0,0 +1,61 @@ | ||
name: ASL AWS Create Policy Version to allow all resources | ||
id: 22cc7a62-3884-48c4-82da-592b8199b72f | ||
version: 1 | ||
date: '2024-12-12' | ||
author: Patrick Bareiss, Splunk | ||
status: production | ||
type: TTP | ||
description: The following analytic identifies the creation of a new AWS IAM policy version that allows access to all resources. It detects this activity by analyzing AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that grants broad permissions. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment. | ||
data_source: | ||
- ASL AWS CloudTrail | ||
search: '`amazon_security_lake` api.operation=CreatePolicy | spath input=api.request.data | spath input=policyDocument | regex Statement{}.Action="\*" | regex Statement{}.Resource="\*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_create_policy_version_to_allow_all_resources_filter`' | ||
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. | ||
known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity. | ||
references: | ||
- https://bishopfox.com/blog/privilege-escalation-in-aws | ||
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ | ||
drilldown_searches: | ||
- name: View the detection results for - "$user$" | ||
search: '%original_detection_search% | search user = "$user$"' | ||
earliest_offset: $info_min_time$ | ||
latest_offset: $info_max_time$ | ||
- name: View risk events for the last 7 days for - "$user$" | ||
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
earliest_offset: $info_min_time$ | ||
latest_offset: $info_max_time$ | ||
tags: | ||
analytic_story: | ||
- AWS IAM Privilege Escalation | ||
asset_type: AWS Account | ||
confidence: 70 | ||
impact: 70 | ||
message: User $user$ created a policy version that allows them to access any resource in their account. | ||
mitre_attack_id: | ||
- T1078.004 | ||
- T1078 | ||
observable: | ||
- name: user | ||
type: User | ||
role: | ||
- Victim | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
required_fields: | ||
- api.operation | ||
- actor.user.account.uid | ||
- api.request.data | ||
- actor.user.uid | ||
- http_request.user_agent | ||
- src_endpoint.ip | ||
- src_endpoint.domain | ||
- cloud.region | ||
risk_score: 49 | ||
security_domain: network | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/asl_ocsf_cloudtrail.json | ||
sourcetype: aws:asl | ||
source: aws_asl |
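Review bot: the operation filter does not match the detection. The name, description and `message` all describe the creation of a new policy version (the `CreatePolicyVersion` event named in the description), but the search filters `api.operation=CreatePolicy`, so a new version of an existing policy, which is the privilege-escalation path the two references describe, is never matched. Change the filter to `api.operation=CreatePolicyVersion` (or match both and say so in the description if brand-new policies are meant to be covered as well). Also, `regex Statement{}.Action="\*"` and `regex Statement{}.Resource="\*"` are unanchored, so they match any value containing a `*`, such as `s3:*`; if only the full wildcard is intended, anchor the patterns (`^\*$`). Finally, `security_domain: network` is inconsistent with the `threat` value used by the other detections in this PR, and `src_endpoint.domain` appears in `required_fields` but is not used by the search.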
66 changes: 66 additions & 0 deletions
detections/cloud/asl_aws_credential_access_getpassworddata.yml
@@ -0,0 +1,66 @@ | ||
name: ASL AWS Credential Access GetPasswordData | ||
id: a79b607a-50cc-4704-bb9d-eff280cb78c2 | ||
version: 1 | ||
date: '2024-12-12' | ||
author: Patrick Bareiss, Splunk | ||
status: production | ||
type: Anomaly | ||
description: The following analytic identifiesGetPasswordData API calls in your AWS account. It leverages CloudTrail logs from Amazon Security Lake to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment. | ||
data_source: | ||
- ASL AWS CloudTrail | ||
search: '`amazon_security_lake` api.operation=GetPasswordData | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region instanceId | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_getpassworddata_filter`' | ||
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. | ||
known_false_positives: Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time. | ||
references: | ||
- https://attack.mitre.org/techniques/T1552/ | ||
- https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/ | ||
drilldown_searches: | ||
- name: View the detection results for - "$user$" | ||
search: '%original_detection_search% | search user_arn = "$user$"' | ||
earliest_offset: $info_min_time$ | ||
latest_offset: $info_max_time$ | ||
- name: View risk events for the last 7 days for - "$user$" | ||
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
earliest_offset: $info_min_time$ | ||
latest_offset: $info_max_time$ | ||
tags: | ||
analytic_story: | ||
- AWS Identity and Access Management Account Takeover | ||
asset_type: AWS Account | ||
confidence: 70 | ||
impact: 70 | ||
message: User $user$ is seen to make `GetPasswordData` API calls | ||
mitre_attack_id: | ||
- T1586 | ||
- T1586.003 | ||
- T1110 | ||
- T1110.001 | ||
observable: | ||
- name: src_ip | ||
type: IP Address | ||
role: | ||
- Attacker | ||
- name: user | ||
type: User | ||
role: | ||
- Victim | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
required_fields: | ||
- api.operation | ||
- actor.user.uid | ||
- actor.user.account.uid | ||
- http_request.user_agent | ||
- src_endpoint.ip | ||
- src_endpoint.domain | ||
- cloud.region | ||
risk_score: 49 | ||
security_domain: threat | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/aws_getpassworddata/asl_ocsf_cloudtrail.json | ||
sourcetype: aws:asl | ||
source: aws_asl |
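Review bot: the first drilldown search, `search user_arn = "$user$"`, will return nothing, because the detection search renames `actor.user.uid` to `user` and never produces a `user_arn` field; it should read `search user = "$user$"` to match the `$user$` token used in the drilldown name and in `message`. The description also claims the analytic works "by counting the distinct instance IDs accessed" and `known_false_positives` assumes "several calls in a short period of time", yet the SPL only groups by `instanceId` with no distinct count and no threshold, so a single `GetPasswordData` call against one instance triggers it; either add a `dc(instanceId)` with a `where` threshold or reword the description to match the actual behaviour. Minor: the description is missing a space in "identifiesGetPasswordData".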
65 changes: 65 additions & 0 deletions
detections/cloud/asl_aws_credential_access_rds_password_reset.yml
@@ -0,0 +1,65 @@ | ||
name: ASL AWS Credential Access RDS Password reset | ||
id: d15e9bd9-ef64-4d84-bc04-f62955a9fee8 | ||
version: 1 | ||
date: '2024-12-12' | ||
author: Patrick Bareiss, Splunk | ||
status: production | ||
type: TTP | ||
description: The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs from Amazon Security Lake to identify events where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset. | ||
data_source: | ||
- ASL AWS CloudTrail | ||
search: '`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation=ModifyDBCluster | spath input=api.request.data | search masterUserPassword=* | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_rds_password_reset_filter`' | ||
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. | ||
known_false_positives: Users may genuinely reset the RDS password. | ||
references: | ||
- https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds | ||
drilldown_searches: | ||
- name: View the detection results for - "$user$" | ||
search: '%original_detection_search% | search database_id = "$user$"' | ||
earliest_offset: $info_min_time$ | ||
latest_offset: $info_max_time$ | ||
- name: View risk events for the last 7 days for - "$user$" | ||
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
earliest_offset: $info_min_time$ | ||
latest_offset: $info_max_time$ | ||
tags: | ||
analytic_story: | ||
- AWS Identity and Access Management Account Takeover | ||
asset_type: AWS Account | ||
confidence: 70 | ||
impact: 70 | ||
message: User $user$ is seen to reset the password for database | ||
mitre_attack_id: | ||
- T1586 | ||
- T1586.003 | ||
- T1110 | ||
observable: | ||
- name: user | ||
type: User | ||
role: | ||
- Victim | ||
- name: src_ip | ||
type: IP Address | ||
role: | ||
- Attacker | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
required_fields: | ||
- api.operation | ||
- api.request.data | ||
- actor.user.uid | ||
- actor.user.account.uid | ||
- http_request.user_agent | ||
- src_endpoint.ip | ||
- src_endpoint.domain | ||
- cloud.region | ||
risk_score: 49 | ||
security_domain: threat | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.002/aws_rds_password_reset/asl_ocsf_cloudtrail.json | ||
sourcetype: aws:asl | ||
source: aws_asl |
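Review bot: the first drilldown search, `search database_id = "$user$"`, filters on a field the detection never produces; the search output only carries `api.operation`, `user`, `actor.user.account.uid`, `user_agent`, `src_ip`, `region` and `api.request.data`, so the drilldown will return no events. Use `search user = "$user$"`, which is what the `$user$` token in the drilldown name and in `message` refers to. Two consistency points: the test dataset path is under `T1110.002` while `mitre_attack_id` lists `T1586`, `T1586.003` and `T1110`, so one of the two should be adjusted; and `src_endpoint.domain` is in `required_fields` but is not used by the search.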