diff --git a/data_sources/asl_aws_cloudtrail.yml b/data_sources/asl_aws_cloudtrail.yml new file mode 100644 index 0000000000..743e34d3eb --- /dev/null +++ b/data_sources/asl_aws_cloudtrail.yml @@ -0,0 +1,13 @@ +name: ASL AWS CloudTrail +id: 1dcf9cfb-0e91-44c6-81b3-61b2574ec898 +version: 1 +date: '2025-01-14' +author: Patrick Bareiss, Splunk +description: Data source object for ASL AWS CloudTrail +source: aws_asl +sourcetype: aws:asl +separator: api.operation +supported_TA: +- name: Splunk Add-on for AWS + url: https://splunkbase.splunk.com/app/1876 + version: 7.9.0 diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml index b73048a0b5..2e1b0f688f 100644 --- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml @@ -1,13 +1,14 @@ name: ASL AWS Concurrent Sessions From Different Ips id: b3424bbe-3204-4469-887b-ec144483a336 -version: 5 +version: 6 date: '2024-09-30' author: Patrick Bareiss, Splunk status: production type: Anomaly description: The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute span. This detection leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` API call, to identify multiple IP addresses associated with the same user session. This behavior is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this activity could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation. -data_source: [] -search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" | bin span=5m _time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count by _time identity.user.credential_uid identity.user.name | where distinct_ip_count > 1 | rename identity.user.name as user | `asl_aws_concurrent_sessions_from_different_ips_filter`' +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" | bin span=5m _time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count by _time actor.user.uid | where distinct_ip_count > 1 | rename actor.user.uid as user | `asl_aws_concurrent_sessions_from_different_ips_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. references: @@ -42,19 +43,17 @@ tags: type: User role: - Victim - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name - actor.user.uid - http_request.user_agent - src_endpoint.ip - src_endpoint.domain - cloud.region + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud risk_score: 42 security_domain: threat manual_test: Can't be tested automatically because of time span. @@ -62,5 +61,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_create_access_key.yml b/detections/cloud/asl_aws_create_access_key.yml new file mode 100644 index 0000000000..25df72cac5 --- /dev/null +++ b/detections/cloud/asl_aws_create_access_key.yml @@ -0,0 +1,55 @@ +name: ASL AWS Create Access Key +id: 81a9f2fe-1697-473c-af1d-086b0d8b63c8 +version: 1 +date: '2024-12-12' +author: Patrick Bareiss, Splunk +status: production +type: Hunting +description: The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment. +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=CreateAccessKey | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_create_access_key_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. +references: +- https://bishopfox.com/blog/privilege-escalation-in-aws +- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ +tags: + analytic_story: + - AWS IAM Privilege Escalation + asset_type: AWS Account + confidence: 90 + impact: 70 + message: User $user$ is attempting to create access keys + mitre_attack_id: + - T1136.003 + - T1136 + observable: + - name: src_ip + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - actor.user.account.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region + risk_score: 63 + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl diff --git a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml new file mode 100644 index 0000000000..e26aea3882 --- /dev/null +++ b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml @@ -0,0 +1,61 @@ +name: ASL AWS Create Policy Version to allow all resources +id: 22cc7a62-3884-48c4-82da-592b8199b72f +version: 1 +date: '2024-12-12' +author: Patrick Bareiss, Splunk +status: production +type: TTP +description: The following analytic identifies the creation of a new AWS IAM policy version that allows access to all resources. It detects this activity by analyzing AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that grants broad permissions. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment. +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=CreatePolicy | spath input=api.request.data | spath input=policyDocument | regex Statement{}.Action="\*" | regex Statement{}.Resource="\*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_create_policy_version_to_allow_all_resources_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity. +references: +- https://bishopfox.com/blog/privilege-escalation-in-aws +- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - AWS IAM Privilege Escalation + asset_type: AWS Account + confidence: 70 + impact: 70 + message: User $user$ created a policy version that allows them to access any resource in their account. + mitre_attack_id: + - T1078.004 + - T1078 + observable: + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - actor.user.account.uid + - api.request.data + - actor.user.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region + risk_score: 49 + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl diff --git a/detections/cloud/asl_aws_credential_access_getpassworddata.yml b/detections/cloud/asl_aws_credential_access_getpassworddata.yml new file mode 100644 index 0000000000..e748f22103 --- /dev/null +++ b/detections/cloud/asl_aws_credential_access_getpassworddata.yml @@ -0,0 +1,66 @@ +name: ASL AWS Credential Access GetPasswordData +id: a79b607a-50cc-4704-bb9d-eff280cb78c2 +version: 1 +date: '2024-12-12' +author: Patrick Bareiss, Splunk +status: production +type: Anomaly +description: The following analytic identifiesGetPasswordData API calls in your AWS account. It leverages CloudTrail logs from Amazon Security Lake to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment. +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=GetPasswordData | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region instanceId | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_getpassworddata_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time. +references: +- https://attack.mitre.org/techniques/T1552/ +- https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user_arn = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - AWS Identity and Access Management Account Takeover + asset_type: AWS Account + confidence: 70 + impact: 70 + message: User $user$ is seen to make `GetPasswordData` API calls + mitre_attack_id: + - T1586 + - T1586.003 + - T1110 + - T1110.001 + observable: + - name: src_ip + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - actor.user.account.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region + risk_score: 49 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/aws_getpassworddata/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl diff --git a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml new file mode 100644 index 0000000000..732863d4fb --- /dev/null +++ b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml @@ -0,0 +1,65 @@ +name: ASL AWS Credential Access RDS Password reset +id: d15e9bd9-ef64-4d84-bc04-f62955a9fee8 +version: 1 +date: '2024-12-12' +author: Patrick Bareiss, Splunk +status: production +type: TTP +description: The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs from Amazon Security Lake to identify events where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset. +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation=ModifyDBCluster | spath input=api.request.data | search masterUserPassword=* | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_rds_password_reset_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: Users may genuinely reset the RDS password. +references: +- https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search database_id = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - AWS Identity and Access Management Account Takeover + asset_type: AWS Account + confidence: 70 + impact: 70 + message: User $user$ is seen to reset the password for database + mitre_attack_id: + - T1586 + - T1586.003 + - T1110 + observable: + - name: user + type: User + role: + - Victim + - name: src_ip + type: IP Address + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - api.request.data + - actor.user.uid + - actor.user.account.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region + risk_score: 49 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.002/aws_rds_password_reset/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml index 51ebc415fb..1a7c2f1613 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml @@ -1,13 +1,14 @@ name: ASL AWS Defense Evasion Delete Cloudtrail id: 1f0b47e5-0134-43eb-851c-e3258638945e -version: 5 +version: 6 date: '2024-09-30' author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects AWS `DeleteTrail` events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment. -data_source: [] -search: '`amazon_security_lake` api.operation=DeleteTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter`' +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=DeleteTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity. references: @@ -27,7 +28,7 @@ tags: asset_type: AWS Account confidence: 90 impact: 100 - message: User $user$ has deleted a CloudTrail logging for account id $aws_account_id$ + message: User $user$ has deleted a CloudTrail mitre_attack_id: - T1562.008 - T1562 @@ -40,23 +41,23 @@ tags: type: User role: - Victim - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip + - src_endpoint.domain - cloud.region + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud risk_score: 90 security_domain: threat tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml index 0f8e4198ed..c7200975b5 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml @@ -1,13 +1,14 @@ name: ASL AWS Defense Evasion Delete CloudWatch Log Group id: 0f701b38-a0fb-43fd-a83d-d12265f71f33 -version: 4 +version: 5 date: '2024-09-30' author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects the deletion of CloudWatch log groups in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment. -data_source: [] -search: '`amazon_security_lake` api.operation=DeleteLogGroup | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`' +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=DeleteLogGroup | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity. references: @@ -27,7 +28,7 @@ tags: asset_type: AWS Account confidence: 90 impact: 100 - message: User $user$ has deleted a CloudWatch logging group for account id $aws_account_id$ + message: User $user$ has deleted a CloudWatch mitre_attack_id: - T1562 - T1562.008 @@ -46,11 +47,11 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip + - src_endpoint.domain - cloud.region risk_score: 90 security_domain: threat @@ -59,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/asl_ocsf_cloudtrail.json source: aws_asl - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl diff --git a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml index 9188eab76a..ae41522216 100644 --- a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml +++ b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml @@ -1,13 +1,14 @@ name: ASL AWS Defense Evasion Impair Security Services id: 5029b681-0462-47b7-82e7-f7e3d37f5a2d -version: 4 +version: 5 date: '2024-10-17' author: Patrick Bareiss, Bhavin Patel, Gowthamaraj Rajendran, Splunk status: production type: Hunting description: The following analytic detects the deletion of critical AWS Security Services configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages Amazon Security Lake logs to identify specific API calls like "DeleteLogStream" and "DeleteDetector." This activity is significant because adversaries often use these actions to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, leading to potential data breaches, unauthorized access, and prolonged persistence within the AWS environment. -data_source: [] -search: '`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`' +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. references: @@ -39,11 +40,11 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip + - src_endpoint.domain - cloud.region risk_score: 42 security_domain: threat @@ -51,5 +52,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml new file mode 100644 index 0000000000..3190e8f264 --- /dev/null +++ b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml @@ -0,0 +1,57 @@ +name: ASL AWS Defense Evasion PutBucketLifecycle +id: 986565a2-7707-48ea-9590-37929cebc938 +version: 1 +date: '2024-12-16' +author: Patrick Bareiss, Splunk +status: production +type: Hunting +description: The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail logs where a user sets a lifecycle rule for an S3 bucket with an expiration period of fewer than three days. This detection leverages CloudTrail logs to identify suspicious lifecycle configurations. This activity is significant because attackers may use it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic investigations. If confirmed malicious, this could allow attackers to cover their tracks, making it difficult to trace their actions and respond to the breach effectively. +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=PutBucketLifecycle | spath input=api.request.data path=LifecycleConfiguration.Rule.NoncurrentVersionExpiration.NoncurrentDays output=NoncurrentDays | where NoncurrentDays < 3 | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region NoncurrentDays bucketName | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_putbucketlifecycle_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. +references: +- https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ +tags: + analytic_story: + - AWS Defense Evasion + asset_type: AWS Account + confidence: 40 + impact: 50 + message: User $user$ has created a new rule to on an S3 bucket $bucketName$ with short expiration days + mitre_attack_id: + - T1562.008 + - T1562 + - T1485.001 + - T1485 + observable: + - name: src_ip + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - api.request.data + - actor.user.uid + - actor.user.account.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region + risk_score: 20 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/put_bucketlifecycle/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml index 06d6855331..42e436bcaf 100644 --- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml @@ -1,13 +1,14 @@ name: ASL AWS Defense Evasion Stop Logging Cloudtrail id: 0b78a8f9-1d31-4d23-85c8-56ad13d5b4c1 -version: 3 +version: 4 date: '2024-09-30' author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions. -data_source: [] -search: '`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`' +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity. references: @@ -46,11 +47,11 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip + - src_endpoint.domain - cloud.region risk_score: 90 security_domain: threat @@ -58,5 +59,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/asl_ocsf_cloudtrail_2.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml index 5e700e7519..83b5fd9408 100644 --- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml @@ -1,13 +1,14 @@ name: ASL AWS Defense Evasion Update Cloudtrail id: f3eb471c-16d0-404d-897c-7653f0a78cba -version: 3 +version: 4 date: '2024-09-30' author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations. -data_source: [] -search: '`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`' +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity. references: @@ -46,11 +47,11 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip + - src_endpoint.domain - cloud.region risk_score: 90 security_domain: threat @@ -58,5 +59,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/update_cloudtrail/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml new file mode 100644 index 0000000000..9098fe9358 --- /dev/null +++ b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml @@ -0,0 +1,74 @@ +name: ASL AWS Detect Users creating keys with encrypt policy without MFA +id: 16ae9076-d1d5-411c-8fdd-457504b33dac +version: 1 +date: '2024-12-16' +author: Patrick Bareiss, Splunk +status: production +type: TTP +description: The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs from Amazon Security Lake to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities. +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=PutKeyPolicy OR api.operation=CreateKey + | spath input=api.request.data path=policy output=policy + | spath input=policy + | rename Statement{}.Action as Action, Statement{}.Principal as Principal + | eval Statement=mvzip(Action,Principal,"|") + | mvexpand Statement + | eval action=mvindex(split(Statement, "|"), 0) + | eval principal=mvindex(split(Statement, "|"), 1) + | search action=kms* + | regex principal="\*" + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`' +how_to_implement: The detection is based on Cloudtrail events from Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: unknown +references: +- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ +- https://github.com/d1vious/git-wild-hunt +- https://www.youtube.com/watch?v=PgzNib37g0M +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Ransomware Cloud + asset_type: AWS Account + confidence: 50 + impact: 50 + message: AWS account is potentially compromised and user $user$ is trying to compromise other accounts. + mitre_attack_id: + - T1486 + observable: + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - actor.user.account.uid + - api.request.data + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region + risk_score: 25 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl diff --git a/detections/cloud/asl_aws_disable_bucket_versioning.yml b/detections/cloud/asl_aws_disable_bucket_versioning.yml new file mode 100644 index 0000000000..bc2f2f2887 --- /dev/null +++ b/detections/cloud/asl_aws_disable_bucket_versioning.yml @@ -0,0 +1,72 @@ +name: ASL AWS Disable Bucket Versioning +id: f32598bb-fa5f-4afd-8ab3-0263cc28efbc +version: 1 +date: '2024-12-16' +author: Patrick Bareiss, Splunk +status: production +type: Anomaly +data_source: +- ASL AWS CloudTrail +description: The following analytic detects when AWS S3 bucket versioning is suspended by a user. It leverages AWS CloudTrail logs to identify `PutBucketVersioning` events with the `VersioningConfiguration.Status` set to `Suspended`. This activity is significant because disabling versioning can prevent recovery of deleted or modified data, which is a common tactic in ransomware attacks. If confirmed malicious, this action could lead to data loss and hinder recovery efforts, severely impacting data integrity and availability. +search: '`amazon_security_lake` api.operation=PutBucketVersioning + | spath input=api.request.data path=VersioningConfiguration.Status output=Status + | spath input=api.request.data path=bucketName output=bucketName + | search Status=Suspended + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data bucketName + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `asl_aws_disable_bucket_versioning_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: It is possible that an AWS Administrator has legitimately disabled versioning on certain buckets to avoid costs. +references: +- https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82 +- https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Suspicious AWS S3 Activities + - Data Exfiltration + asset_type: AWS Account + confidence: 80 + impact: 80 + message: Bucket Versioning is suspended for S3 buckets- $bucketName$ by user $user$ from IP address $src_ip$ + mitre_attack_id: + - T1490 + observable: + - name: user + type: User + role: + - Victim + - name: src_ip + type: IP Address + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - actor.user.account.uid + - api.request.data + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region + risk_score: 64 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/aws_bucket_version/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl diff --git a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml new file mode 100644 index 0000000000..8fc0cf56fa --- /dev/null +++ b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml @@ -0,0 +1,72 @@ +name: ASL AWS EC2 Snapshot Shared Externally +id: 00af8f7f-e004-446b-9bba-2732f717ae27 +version: 1 +date: '2024-12-17' +author: Patrick Bareiss, Splunk +status: production +type: TTP +description: The following analytic detects when an EC2 snapshot is shared publicly by analyzing AWS CloudTrail events. This detection method leverages CloudTrail logs to identify modifications in snapshot permissions, specifically when the snapshot is shared outside the originating AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. If confirmed malicious, an attacker could gain unauthorized access to the snapshot's data, potentially leading to data breaches or further exploitation of the compromised information. +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=ModifySnapshotAttribute + | spath input=api.request.data path=createVolumePermission.add.items{}.group output=group + | search group=all + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ec2_snapshot_shared_externally_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose. +references: +- https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/ +- https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/ +- https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Suspicious Cloud Instance Activities + - Data Exfiltration + asset_type: EC2 Snapshot + confidence: 80 + impact: 60 + message: AWS EC2 snapshot from user $user$ is shared publicly by user $user$ + mitre_attack_id: + - T1537 + observable: + - name: user + type: User + role: + - Victim + - name: src_ip + type: IP Address + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - actor.user.account.uid + - api.request.data + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region + risk_score: 48 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml index 664e40bfbb..2894275771 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml @@ -1,13 +1,14 @@ name: ASL AWS ECR Container Upload Outside Business Hours id: 739ed682-27e9-4ba0-80e5-a91b97698213 -version: 4 +version: 5 date: '2024-09-30' author: Patrick Bareiss, Splunk status: production type: Anomaly description: The following analytic detects the upload of new containers to AWS Elastic Container Service (ECR) outside of standard business hours through AWS CloudTrail events. It identifies this behavior by monitoring for `PutImage` events occurring before 8 AM or after 8 PM, as well as any uploads on weekends. This activity is significant for a SOC to investigate as it may indicate unauthorized access or malicious deployments, potentially leading to compromised services or data breaches. Identifying and addressing such uploads promptly can mitigate the risk of security incidents and their associated impacts. -data_source: [] -search: '`amazon_security_lake` api.operation=PutImage | eval hour=strftime(time/pow(10,3), "%H"), weekday=strftime(time/pow(10,3), "%A") | where hour >= 20 OR hour < 8 OR weekday=Saturday OR weekday=Sunday | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent cloud.region | rename actor.user.name as user, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_outside_business_hours_filter`' +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=PutImage | eval hour=strftime(time/pow(10,3), "%H"), weekday=strftime(time/pow(10,3), "%A") | where hour >= 20 OR hour < 8 OR weekday=Saturday OR weekday=Sunday | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent cloud.region | rename actor.user.uid as user, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_outside_business_hours_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: When your development is spreaded in different time zones, applying this rule can be difficult. references: @@ -36,23 +37,24 @@ tags: type: User role: - Victim - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip + - src_endpoint.domain - cloud.region + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud risk_score: 49 security_domain: network + manual_test: Can't be tested automatically because of outside of business hours time tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml index b3506df343..8ce8bd56dd 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml @@ -1,13 +1,14 @@ name: ASL AWS ECR Container Upload Unknown User id: 886a8f46-d7e2-4439-b9ba-aec238e31732 -version: 3 +version: 4 date: '2024-09-30' author: Patrick Bareiss, Splunk status: production type: Anomaly description: The following analytic detects unauthorized container uploads to AWS Elastic Container Service (ECR) by monitoring AWS CloudTrail events. It identifies instances where a new container is uploaded by a user not previously recognized as authorized. This detection is crucial for a SOC as it can indicate a potential compromise or misuse of AWS ECR, which could lead to unauthorized access to sensitive data or the deployment of malicious containers. By identifying and investigating these events, organizations can mitigate the risk of data breaches or other security incidents resulting from unauthorized container uploads. The impact of such an attack could be significant, compromising the integrity and security of the organization's cloud environment. -data_source: [] -search: '`amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl` | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_unknown_user_filter`' +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl` | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_unknown_user_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: unknown references: @@ -40,23 +41,23 @@ tags: type: User role: - Victim - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip + - src_endpoint.domain - cloud.region + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud risk_score: 49 security_domain: network tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml new file mode 100644 index 0000000000..59de0fd09c --- /dev/null +++ b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml @@ -0,0 +1,65 @@ +name: ASL AWS IAM AccessDenied Discovery Events +id: a4f39755-b1e2-40bb-b2dc-4449c45b0bf2 +version: 1 +date: '2025-01-08' +author: Patrick Bareiss, Splunk +status: production +type: Anomaly +description: The following analytic identifies excessive AccessDenied events within an hour timeframe for IAM users in AWS. It leverages AWS CloudTrail logs to detect multiple failed access attempts from the same source IP and user identity. This activity is significant as it may indicate that an access key has been compromised and is being misused for unauthorized discovery actions. If confirmed malicious, this could allow attackers to gather information about the AWS environment, potentially leading to further exploitation or privilege escalation. +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.response.error=AccessDenied OR api.response.error=OperationNotPermittedException OR api.response.error=*Unauthorized* actor.user.type=IAMUser + | bucket _time span=1h + | stats count as failures min(_time) as firstTime max(_time) as lastTime, dc(api.operation) as dc_operation, dc(api.service.name) as dc_service values(api.operation) as api.operation values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region by actor.user.uid _time + | where failures >= 5 AND dc_operation >= 1 AND dc_service >= 1 + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `asl_aws_iam_accessdenied_discovery_events_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: It is possible to start this detection will need to be tuned by source IP or user. In addition, change the count values to an upper threshold to restrict false positives. +references: +- https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Suspicious Cloud User Activities + asset_type: AWS Account + confidence: 50 + impact: 20 + message: User $user$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied. + mitre_attack_id: + - T1580 + observable: + - name: src_ip + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - src_endpoint.ip + - cloud.region + risk_score: 10 + security_domain: access +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl diff --git a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml new file mode 100644 index 0000000000..b93bc70162 --- /dev/null +++ b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml @@ -0,0 +1,68 @@ +name: ASL AWS IAM Assume Role Policy Brute Force +id: 726959fe-316d-445c-a584-fa187d64e295 +version: 1 +date: '2025-01-08' +author: Patrick Bareiss, Splunk +status: production +type: TTP +description: The following analytic detects multiple failed attempts to assume an AWS IAM role, indicating a potential brute force attack. It leverages AWS CloudTrail logs to identify `MalformedPolicyDocumentException` errors with a status of `failure` and filters out legitimate AWS services. This activity is significant as repeated failures to assume roles can indicate an adversary attempting to guess role names, which is a precursor to unauthorized access. If confirmed malicious, this could lead to unauthorized access to AWS resources, potentially compromising sensitive data and services. +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation="AssumeRole" "api.response.error"=AccessDenied + | bucket _time span=1h + | stats count as failures min(_time) as firstTime max(_time) as lastTime values(api.operation) as api.operation values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region by actor.user.uid _time + | where failures >= 3 + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_assume_role_policy_brute_force_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. +references: +- https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities/ +- https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/ +- https://www.elastic.co/guide/en/security/current/aws-iam-brute-force-of-assume-role-policy.html +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - AWS IAM Privilege Escalation + asset_type: AWS Account + confidence: 70 + impact: 40 + message: User $user$ has caused multiple failures with errorCode AccessDenied, which potentially means adversary is attempting to identify a role name. + mitre_attack_id: + - T1580 + - T1110 + observable: + - name: src_ip + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - api.operation + - actor.user.uid + - src_endpoint.ip + - cloud.region + risk_score: 28 + security_domain: access +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl diff --git a/detections/cloud/asl_aws_iam_delete_policy.yml b/detections/cloud/asl_aws_iam_delete_policy.yml index f130dda68e..42fdd2bb27 100644 --- a/detections/cloud/asl_aws_iam_delete_policy.yml +++ b/detections/cloud/asl_aws_iam_delete_policy.yml @@ -1,13 +1,14 @@ name: ASL AWS IAM Delete Policy id: 609ced68-d420-4ff7-8164-ae98b4b4018c -version: 4 +version: 5 date: '2024-10-17' author: Patrick Bareiss, Splunk status: production type: Hunting description: The following analytic identifies when a policy is deleted in AWS. It leverages Amazon Security Lake logs to detect the DeletePolicy API operation. Monitoring policy deletions is crucial as it can indicate unauthorized attempts to weaken security controls. If confirmed malicious, this activity could allow an attacker to remove critical security policies, potentially leading to privilege escalation or unauthorized access to sensitive resources. -data_source: [] -search: '`amazon_security_lake` api.operation=DeletePolicy | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`' +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=DeletePolicy | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only. references: @@ -37,11 +38,11 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip + - src_endpoint.domain - cloud.region risk_score: 10 security_domain: access @@ -49,5 +50,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml index 1476e1877d..9baebc2f81 100644 --- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml @@ -1,13 +1,14 @@ name: ASL AWS IAM Failure Group Deletion id: 8d12f268-c567-4557-9813-f8389e235c06 -version: 5 +version: 6 date: '2024-10-22' author: Patrick Bareiss, Splunk status: production type: Anomaly description: The following analytic detects failed attempts to delete AWS IAM groups, triggered by access denial, conflicts, or non-existent groups. It operates by monitoring CloudTrail logs for specific error codes related to deletion failures. This behavior is significant for a SOC as it may indicate unauthorized attempts to modify access controls or disrupt operations by removing groups. Such actions could be part of a larger attack aiming to escalate privileges or impair security protocols. Identifying these attempts allows for timely investigation and mitigation, preventing potential impact on the organizations security posture. -data_source: [] -search: '`amazon_security_lake` api.operation=DeleteGroup api.response.error IN (NoSuchEntityException,DeleteConflictException, AccessDenied) http_request.user_agent!=*.amazonaws.com | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_failure_group_deletion_filter`' +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=DeleteGroup status=Failure http_request.user_agent!=*.amazonaws.com | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_failure_group_deletion_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). references: @@ -46,11 +47,11 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip + - src_endpoint.domain - cloud.region risk_score: 5 security_domain: access @@ -58,5 +59,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml index 99c5289b53..1479756ad8 100644 --- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml @@ -1,13 +1,14 @@ name: ASL AWS IAM Successful Group Deletion id: 1bbe54f1-93d7-4764-8a01-ddaa12ece7ac -version: 4 +version: 5 date: '2024-10-22' author: Patrick Bareiss, Splunk status: production type: Hunting description: The following analytic detects the successful deletion of a group within AWS IAM, leveraging CloudTrail IAM events. This action, while not inherently malicious, can serve as a precursor to more sinister activities, such as unauthorized access or privilege escalation attempts. By monitoring for such deletions, the analytic aids in identifying potential preparatory steps towards an attack, allowing for early detection and mitigation. The identification of this behavior is crucial for a SOC to prevent the potential impact of an attack, which could include unauthorized access to sensitive resources or disruption of AWS environment operations. -data_source: [] -search: '`amazon_security_lake` api.operation=DeleteGroup status=Success | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_successful_group_deletion_filter`' +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=DeleteGroup status=Success | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_successful_group_deletion_filter`' how_to_implement: You must install the Data Lake Federated Analytics App and ingest the logs into Splunk. known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). references: @@ -39,11 +40,11 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip + - src_endpoint.domain - cloud.region risk_score: 5 security_domain: access @@ -51,5 +52,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml index df252c921e..b8803bcf64 100644 --- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml +++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml @@ -1,13 +1,14 @@ name: ASL AWS Multi-Factor Authentication Disabled id: 4d2df5e0-1092-4817-88a8-79c7fa054668 -version: 4 +version: 5 date: '2024-09-30' author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages Amazon Security Lake logs, specifically monitoring for `DeleteVirtualMFADevice` or `DeactivateMFADevice` API operations. This activity is significant as disabling MFA can indicate an adversary attempting to weaken account security to maintain persistence using a compromised account. If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, potentially leading to unauthorized access to sensitive resources and prolonged compromise. -data_source: [] -search: '`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter`' +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company references: @@ -28,7 +29,7 @@ tags: asset_type: AWS Account confidence: 80 impact: 80 - message: User $user$ has disabled Multi-Factor authentication for AWS account $aws_account_id$ + message: User $user$ has disabled Multi-Factor authentication mitre_attack_id: - T1586 - T1586.003 @@ -50,11 +51,11 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip + - src_endpoint.domain - cloud.region risk_score: 64 security_domain: threat @@ -62,5 +63,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml new file mode 100644 index 0000000000..5b1bdcfe81 --- /dev/null +++ b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml @@ -0,0 +1,72 @@ +name: ASL AWS Network Access Control List Created with All Open Ports +id: a2625034-c2de-44fc-b45c-7bac9c4a7974 +version: 1 +date: '2025-01-09' +author: Patrick Bareiss, Splunk +status: production +type: TTP +description: The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment. +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=CreateNetworkAclEntry OR api.operation=ReplaceNetworkAclEntry status=Success + | spath input=api.request.data path=ruleAction output=ruleAction + | spath input=api.request.data path=egress output=egress + | spath input=api.request.data path=aclProtocol output=aclProtocol + | spath input=api.request.data path=cidrBlock output=cidrBlock + | spath input=api.request.data path=networkAclId output=networkAclId + | search ruleAction=allow AND egress=false AND aclProtocol=-1 AND cidrBlock=0.0.0.0/0 + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region networkAclId + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_network_access_control_list_created_with_all_open_ports_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment. +references: [] +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - AWS Network ACL Activity + asset_type: AWS Instance + confidence: 80 + impact: 60 + message: User $user$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$ + mitre_attack_id: + - T1562.007 + - T1562 + observable: + - name: src_ip + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - api.request.data + - actor.user.uid + - actor.user.account.uid + - http_request.user_agent + - src_endpoint.ip + - cloud.region + risk_score: 48 + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_create_acl/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl diff --git a/detections/cloud/asl_aws_network_access_control_list_deleted.yml b/detections/cloud/asl_aws_network_access_control_list_deleted.yml new file mode 100644 index 0000000000..0995a94097 --- /dev/null +++ b/detections/cloud/asl_aws_network_access_control_list_deleted.yml @@ -0,0 +1,69 @@ +name: ASL AWS Network Access Control List Deleted +id: e010ddf5-e9a5-44e5-bdd6-0c919ba8fc8b +version: 1 +date: '2025-01-09' +author: Patrick Bareiss, Splunk +status: production +type: Anomaly +description: The following analytic detects the deletion of AWS Network Access Control Lists (ACLs). It leverages AWS CloudTrail logs to identify events where a user deletes a network ACL entry. This activity is significant because deleting a network ACL can remove critical access restrictions, potentially allowing unauthorized access to cloud instances. If confirmed malicious, this action could enable attackers to bypass network security controls, leading to unauthorized access, data exfiltration, or further compromise of the cloud environment. +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=DeleteNetworkAclEntry status=Success + | spath input=api.request.data path=egress output=egress + | spath input=api.request.data path=networkAclId output=networkAclId + | search egress=false + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region networkAclId + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_network_access_control_list_deleted_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: It's possible that a user has legitimately deleted a network ACL. +references: [] +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user_arn = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - AWS Network ACL Activity + asset_type: AWS Instance + confidence: 50 + impact: 10 + message: User $user$ from $src_ip$ has sucessfully deleted network ACLs entry. + mitre_attack_id: + - T1562.007 + - T1562 + observable: + - name: src_ip + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - api.request.data + - actor.user.uid + - actor.user.account.uid + - http_request.user_agent + - src_endpoint.ip + - cloud.region + risk_score: 5 + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_delete_acl/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml index 989b32fff1..2235799ae9 100644 --- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml @@ -1,13 +1,14 @@ name: ASL AWS New MFA Method Registered For User id: 33ae0931-2a03-456b-b1d7-b016c5557fbd -version: 5 +version: 6 date: '2024-10-17' author: Patrick Bareiss, Splunk status: experimental type: TTP description: The following analytic identifies the registration of a new Multi-Factor Authentication (MFA) method for an AWS account, as logged through Amazon Security Lake (ASL). It detects this activity by monitoring the `CreateVirtualMFADevice` API operation within ASL logs. This behavior is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this activity could allow attackers to secure their access, making it harder to detect and remove their presence from the compromised environment. -data_source: [] -search: '`amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`' +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: Newly onboarded users who are registering an MFA method for the first time will also trigger this detection. references: @@ -40,11 +41,11 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip + - src_endpoint.domain - cloud.region risk_score: 64 security_domain: identity @@ -52,5 +53,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_saml_update_identity_provider.yml b/detections/cloud/asl_aws_saml_update_identity_provider.yml new file mode 100644 index 0000000000..bc0a9502cd --- /dev/null +++ b/detections/cloud/asl_aws_saml_update_identity_provider.yml @@ -0,0 +1,68 @@ +name: ASL AWS SAML Update identity provider +id: 635c26cc-0fd1-4098-8ec9-824bf9544b11 +version: 1 +date: '2025-01-09' +author: Patrick Bareiss, Splunk +status: production +type: TTP +description: The following analytic detects updates to the SAML provider in AWS. It leverages AWS CloudTrail logs to identify the `UpdateSAMLProvider` event, analyzing fields such as `sAMLProviderArn`, `sourceIPAddress`, and `userIdentity` details. Monitoring updates to the SAML provider is crucial as it may indicate a perimeter compromise of federated credentials or unauthorized backdoor access set by an attacker. If confirmed malicious, this activity could allow attackers to manipulate identity federation, potentially leading to unauthorized access to cloud resources and sensitive data. +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=UpdateSAMLProvider + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_saml_update_identity_provider_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: Updating a SAML provider or creating a new one may not necessarily be malicious however it needs to be closely monitored. +references: +- https://www.cisa.gov/uscert/ncas/alerts/aa21-008a +- https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html +- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf +- https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Cloud Federated Credential Abuse + asset_type: AWS Federated Account + confidence: 80 + impact: 80 + message: User $user$ from IP address $src_ip$ updated the SAML provider + mitre_attack_id: + - T1078 + observable: + - name: src_ip + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - actor.user.account.uid + - http_request.user_agent + - src_endpoint.ip + - cloud.region + risk_score: 64 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/update_saml_provider/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl diff --git a/detections/cloud/asl_aws_updateloginprofile.yml b/detections/cloud/asl_aws_updateloginprofile.yml new file mode 100644 index 0000000000..edd8676be2 --- /dev/null +++ b/detections/cloud/asl_aws_updateloginprofile.yml @@ -0,0 +1,67 @@ +name: ASL AWS UpdateLoginProfile +id: 5b3f63a3-865b-4637-9941-f98bd1a50c0d +version: 1 +date: '2025-01-09' +author: Patrick Bareiss, Splunk +status: production +type: TTP +description: The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment. +data_source: +- ASL AWS CloudTrail +search: '`amazon_security_lake` api.operation=UpdateLoginProfile + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_updateloginprofile_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. +references: +- https://bishopfox.com/blog/privilege-escalation-in-aws +- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - AWS IAM Privilege Escalation + asset_type: AWS Account + confidence: 60 + impact: 50 + message: User $user$ from IP address $src_ip$ updated the login profile of another user + mitre_attack_id: + - T1136.003 + - T1136 + observable: + - name: src_ip + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - actor.user.account.uid + - http_request.user_agent + - src_endpoint.ip + - cloud.region + risk_score: 30 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_updateloginprofile/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl diff --git a/macros/amazon_security_lake.yml b/macros/amazon_security_lake.yml index 9b27aad2aa..e696749be0 100644 --- a/macros/amazon_security_lake.yml +++ b/macros/amazon_security_lake.yml @@ -1,4 +1,4 @@ -definition: sourcetype=aws:cloudtrail:lake +definition: sourcetype=aws:asl description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment. name: amazon_security_lake