From 649d084240acbc227a32bcfed3ecb5696ec4ff61 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Thu, 12 Dec 2024 10:17:35 +0100 Subject: [PATCH 01/27] Improved ASL AWS detections --- ...asl_aws_concurrent_sessions_from_different_ips.yml | 11 +---------- .../asl_aws_defense_evasion_delete_cloudtrail.yml | 10 +--------- ...ws_defense_evasion_delete_cloudwatch_log_group.yml | 2 +- ...l_aws_defense_evasion_impair_security_services.yml | 10 +--------- ...sl_aws_defense_evasion_stop_logging_cloudtrail.yml | 10 +--------- .../asl_aws_defense_evasion_update_cloudtrail.yml | 10 +--------- ...ws_ecr_container_upload_outside_business_hours.yml | 11 ++--------- .../asl_aws_ecr_container_upload_unknown_user.yml | 2 +- detections/cloud/asl_aws_iam_delete_policy.yml | 10 +--------- .../cloud/asl_aws_iam_failure_group_deletion.yml | 10 +--------- .../cloud/asl_aws_iam_successful_group_deletion.yml | 2 +- .../asl_aws_multi_factor_authentication_disabled.yml | 10 +--------- .../asl_aws_new_mfa_method_registered_for_user.yml | 10 +--------- 13 files changed, 14 insertions(+), 94 deletions(-) diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml index b73048a0b5..bc8bfe0f32 100644 --- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml 
@@ -7,7 +7,7 @@ status: production type: Anomaly description: The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute span. This detection leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` API call, to identify multiple IP addresses associated with the same user session. This behavior is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this activity could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation. data_source: [] -search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" | bin span=5m _time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count by _time identity.user.credential_uid identity.user.name | where distinct_ip_count > 1 | rename identity.user.name as user | `asl_aws_concurrent_sessions_from_different_ips_filter`' +search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" | bin span=5m _time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count by _time actor.user.uid | where distinct_ip_count > 1 | rename actor.user.uid as user | `asl_aws_concurrent_sessions_from_different_ips_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. 
known_false_positives: A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. references: @@ -46,15 +46,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.account_uid - - actor.user.name - - actor.user.uid - - http_request.user_agent - - src_endpoint.ip - - src_endpoint.domain - - cloud.region risk_score: 42 security_domain: threat manual_test: Can't be tested automatically because of time span. diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml index 51ebc415fb..3980d22a4d 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml 
@@ -7,7 +7,7 @@ status: production type: TTP description: The following analytic detects AWS `DeleteTrail` events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment. data_source: [] -search: '`amazon_security_lake` api.operation=DeleteTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter`' +search: '`amazon_security_lake` api.operation=DeleteTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. 
To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity. references: @@ -44,14 +44,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.account_uid - - actor.user.name - - actor.user.uid - - http_request.user_agent - - src_endpoint.ip - - cloud.region risk_score: 90 security_domain: threat tests: diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml index 0f8e4198ed..48d49d9d9d 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml 
@@ -7,7 +7,7 @@ status: production type: TTP description: The following analytic detects the deletion of CloudWatch log groups in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment. data_source: [] -search: '`amazon_security_lake` api.operation=DeleteLogGroup | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`' +search: '`amazon_security_lake` api.operation=DeleteLogGroup | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. 
To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity. references: diff --git a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml index 9188eab76a..0be79723a3 100644 --- a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml +++ b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml 
@@ -7,7 +7,7 @@ status: production type: Hunting description: The following analytic detects the deletion of critical AWS Security Services configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages Amazon Security Lake logs to identify specific API calls like "DeleteLogStream" and "DeleteDetector." This activity is significant because adversaries often use these actions to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, leading to potential data breaches, unauthorized access, and prolonged persistence within the AWS environment. data_source: [] -search: '`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`' +search: '`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`' 
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. references: @@ -37,14 +37,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.account_uid - - actor.user.name - - actor.user.uid - - http_request.user_agent - - src_endpoint.ip - - cloud.region risk_score: 42 security_domain: threat tests: diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml index 06d6855331..2917688f14 100644 --- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml 
@@ -7,7 +7,7 @@ status: production type: TTP description: The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions. data_source: [] -search: '`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`' +search: '`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web 
Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity. references: @@ -44,14 +44,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.account_uid - - actor.user.name - - actor.user.uid - - http_request.user_agent - - src_endpoint.ip - - cloud.region risk_score: 90 security_domain: threat tests: diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml index 5e700e7519..5aa48bad0d 100644 --- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml 
@@ -7,7 +7,7 @@ status: production type: TTP description: The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations. data_source: [] -search: '`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`' +search: '`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides 
security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity. references: @@ -44,14 +44,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.account_uid - - actor.user.name - - actor.user.uid - - http_request.user_agent - - src_endpoint.ip - - cloud.region risk_score: 90 security_domain: threat tests: diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml index 664e40bfbb..ce59be4204 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml 
@@ -7,7 +7,7 @@ status: production type: Anomaly description: The following analytic detects the upload of new containers to AWS Elastic Container Service (ECR) outside of standard business hours through AWS CloudTrail events. It identifies this behavior by monitoring for `PutImage` events occurring before 8 AM or after 8 PM, as well as any uploads on weekends. This activity is significant for a SOC to investigate as it may indicate unauthorized access or malicious deployments, potentially leading to compromised services or data breaches. Identifying and addressing such uploads promptly can mitigate the risk of security incidents and their associated impacts. data_source: [] -search: '`amazon_security_lake` api.operation=PutImage | eval hour=strftime(time/pow(10,3), "%H"), weekday=strftime(time/pow(10,3), "%A") | where hour >= 20 OR hour < 8 OR weekday=Saturday OR weekday=Sunday | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent cloud.region | rename actor.user.name as user, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_outside_business_hours_filter`' +search: '`amazon_security_lake` api.operation=PutImage | eval hour=strftime(time/pow(10,3), "%H"), weekday=strftime(time/pow(10,3), "%A") | where hour >= 20 OR hour < 8 OR weekday=Saturday OR weekday=Sunday | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent cloud.region | rename actor.user.uid as user, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_outside_business_hours_filter`' how_to_implement: The detection is based on Amazon Security Lake 
events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: When your development is spreaded in different time zones, applying this rule can be difficult. references: @@ -40,16 +40,9 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.account_uid - - actor.user.name - - actor.user.uid - - http_request.user_agent - - src_endpoint.ip - - cloud.region risk_score: 49 security_domain: network + manual_test: Can't be tested automatically because of outside of business hours time tests: - name: True Positive Test attack_data: diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml index b3506df343..8419672b04 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml 
@@ -7,7 +7,7 @@ status: production type: Anomaly description: The following analytic detects unauthorized container uploads to AWS Elastic Container Service (ECR) by monitoring AWS CloudTrail events. It identifies instances where a new container is uploaded by a user not previously recognized as authorized. This detection is crucial for a SOC as it can indicate a potential compromise or misuse of AWS ECR, which could lead to unauthorized access to sensitive data or the deployment of malicious containers. By identifying and investigating these events, organizations can mitigate the risk of data breaches or other security incidents resulting from unauthorized container uploads. The impact of such an attack could be significant, compromising the integrity and security of the organization's cloud environment. data_source: [] -search: '`amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl` | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_unknown_user_filter`' +search: '`amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl` | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_unknown_user_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized 
data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: unknown references: diff --git a/detections/cloud/asl_aws_iam_delete_policy.yml b/detections/cloud/asl_aws_iam_delete_policy.yml index f130dda68e..812776680e 100644 --- a/detections/cloud/asl_aws_iam_delete_policy.yml +++ b/detections/cloud/asl_aws_iam_delete_policy.yml 
@@ -7,7 +7,7 @@ status: production type: Hunting description: The following analytic identifies when a policy is deleted in AWS. It leverages Amazon Security Lake logs to detect the DeletePolicy API operation. Monitoring policy deletions is crucial as it can indicate unauthorized attempts to weaken security controls. If confirmed malicious, this activity could allow an attacker to remove critical security policies, potentially leading to privilege escalation or unauthorized access to sensitive resources. data_source: [] -search: '`amazon_security_lake` api.operation=DeletePolicy | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`' +search: '`amazon_security_lake` api.operation=DeletePolicy | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. 
known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only. references: @@ -35,14 +35,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.account_uid - - actor.user.name - - actor.user.uid - - http_request.user_agent - - src_endpoint.ip - - cloud.region risk_score: 10 security_domain: access tests: diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml index 1476e1877d..6857212735 100644 --- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml 
@@ -7,7 +7,7 @@ status: production type: Anomaly description: The following analytic detects failed attempts to delete AWS IAM groups, triggered by access denial, conflicts, or non-existent groups. It operates by monitoring CloudTrail logs for specific error codes related to deletion failures. This behavior is significant for a SOC as it may indicate unauthorized attempts to modify access controls or disrupt operations by removing groups. Such actions could be part of a larger attack aiming to escalate privileges or impair security protocols. Identifying these attempts allows for timely investigation and mitigation, preventing potential impact on the organizations security posture. data_source: [] -search: '`amazon_security_lake` api.operation=DeleteGroup api.response.error IN (NoSuchEntityException,DeleteConflictException, AccessDenied) http_request.user_agent!=*.amazonaws.com | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_failure_group_deletion_filter`' +search: '`amazon_security_lake` api.operation=DeleteGroup status=Failure http_request.user_agent!=*.amazonaws.com | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_failure_group_deletion_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which 
is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). references: @@ -44,14 +44,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.account_uid - - actor.user.name - - actor.user.uid - - http_request.user_agent - - src_endpoint.ip - - cloud.region risk_score: 5 security_domain: access tests: diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml index 99c5289b53..b396fd3167 100644 --- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml 
@@ -7,7 +7,7 @@ status: production type: Hunting description: The following analytic detects the successful deletion of a group within AWS IAM, leveraging CloudTrail IAM events. This action, while not inherently malicious, can serve as a precursor to more sinister activities, such as unauthorized access or privilege escalation attempts. By monitoring for such deletions, the analytic aids in identifying potential preparatory steps towards an attack, allowing for early detection and mitigation. The identification of this behavior is crucial for a SOC to prevent the potential impact of an attack, which could include unauthorized access to sensitive resources or disruption of AWS environment operations. data_source: [] -search: '`amazon_security_lake` api.operation=DeleteGroup status=Success | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_successful_group_deletion_filter`' +search: '`amazon_security_lake` api.operation=DeleteGroup status=Success | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_successful_group_deletion_filter`' how_to_implement: You must install the Data Lake Federated Analytics App and ingest the logs into Splunk. known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. 
Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). references: diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml index df252c921e..b9f8984878 100644 --- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml +++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml 
@@ -7,7 +7,7 @@ status: production type: TTP description: The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages Amazon Security Lake logs, specifically monitoring for `DeleteVirtualMFADevice` or `DeactivateMFADevice` API operations. This activity is significant as disabling MFA can indicate an adversary attempting to weaken account security to maintain persistence using a compromised account. If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, potentially leading to unauthorized access to sensitive resources and prolonged compromise. data_source: [] -search: '`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter`' +search: '`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. 
To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company references: @@ -48,14 +48,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.account_uid - - actor.user.name - - actor.user.uid - - http_request.user_agent - - src_endpoint.ip - - cloud.region risk_score: 64 security_domain: threat tests: diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml index 989b32fff1..0f5fe5f21e 100644 --- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml 
@@ -7,7 +7,7 @@ status: experimental type: TTP description: The following analytic identifies the registration of a new Multi-Factor Authentication (MFA) method for an AWS account, as logged through Amazon Security Lake (ASL). It detects this activity by monitoring the `CreateVirtualMFADevice` API operation within ASL logs. This behavior is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this activity could allow attackers to secure their access, making it harder to detect and remove their presence from the compromised environment. data_source: [] -search: '`amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`' +search: '`amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. 
To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: Newly onboarded users who are registering an MFA method for the first time will also trigger this detection. references: @@ -38,14 +38,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - api.operation - - actor.user.account_uid - - actor.user.name - - actor.user.uid - - http_request.user_agent - - src_endpoint.ip - - cloud.region risk_score: 64 security_domain: identity tests: From 0b6e9fc6107a8d6b43047fbc612846937f91283f Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Thu, 12 Dec 2024 10:24:51 +0100 Subject: [PATCH 02/27] bug fixes --- ...asl_aws_concurrent_sessions_from_different_ips.yml | 7 +++++++ .../asl_aws_defense_evasion_delete_cloudtrail.yml | 9 ++++++++- ...ws_defense_evasion_delete_cloudwatch_log_group.yml | 5 ++--- ...l_aws_defense_evasion_impair_security_services.yml | 7 +++++++ ...sl_aws_defense_evasion_stop_logging_cloudtrail.yml | 7 +++++++ .../asl_aws_defense_evasion_update_cloudtrail.yml | 7 +++++++ ...ws_ecr_container_upload_outside_business_hours.yml | 7 +++++++ .../asl_aws_ecr_container_upload_unknown_user.yml | 11 +++++------ detections/cloud/asl_aws_iam_delete_policy.yml | 7 +++++++ .../cloud/asl_aws_iam_failure_group_deletion.yml | 7 +++++++ .../cloud/asl_aws_iam_successful_group_deletion.yml | 3 +-- .../asl_aws_multi_factor_authentication_disabled.yml | 7 +++++++ .../asl_aws_new_mfa_method_registered_for_user.yml | 7 +++++++ 13 files changed, 79 insertions(+), 12 deletions(-) diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml index bc8bfe0f32..342b9bd03c 100644 --- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml 
+++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml @@ -42,6 +42,13 @@ tags: type: User role: - Victim + required_fields: + - api.operation + - actor.user.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml index 3980d22a4d..856d1ec1e2 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml 
@@ -7,7 +7,7 @@ status: production type: TTP description: The following analytic detects AWS `DeleteTrail` events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment. data_source: [] -search: '`amazon_security_lake` api.operation=DeleteTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter`' +search: '`amazon_security_lake` api.operation=DeleteTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. 
To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity. references: @@ -40,6 +40,13 @@ tags: type: User role: - Victim + required_fields: + - api.operation + - actor.user.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml index 48d49d9d9d..4211054cfa 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml 
@@ -7,7 +7,7 @@ status: production type: TTP description: The following analytic detects the deletion of CloudWatch log groups in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment. data_source: [] -search: '`amazon_security_lake` api.operation=DeleteLogGroup | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`' +search: '`amazon_security_lake` api.operation=DeleteLogGroup | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. 
To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity. references: @@ -46,11 +46,10 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name - actor.user.uid - http_request.user_agent - src_endpoint.ip + - src_endpoint.domain - cloud.region risk_score: 90 security_domain: threat diff --git a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml index 0be79723a3..e15ec42274 100644 --- a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml +++ b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml @@ -37,6 +37,13 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region risk_score: 42 security_domain: threat tests: diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml index 2917688f14..2fcd885ec5 100644 --- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml @@ -44,6 +44,13 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region risk_score: 90 security_domain: threat tests: 
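Review bot: `src_endpoint.domain` is added to `required_fields` in the hunks for delete_cloudtrail, delete_cloudwatch_log_group, impair_security_services and stop_logging_cloudtrail, yet none of the searches shown for these files reference that field; only the concurrent-sessions search filters on `src_endpoint.domain!="AWS Internal"`. Either drop it where it is not used, or add the same `AWS Internal` exclusion to these searches so the list documents a real dependency. The search hunks here also remove `rename ... actor.user.account_uid as aws_account_id`, which was already a no-op once the field left the `stats ... by` clause; check that every `message:` in these files that interpolated `$aws_account_id$` is updated in the same series, otherwise the token will not resolve in the risk message.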
diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml index 5aa48bad0d..dd7ee7ef6e 100644 --- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml @@ -44,6 +44,13 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region risk_score: 90 security_domain: threat tests: diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml index ce59be4204..e6d4bd4bb9 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml @@ -36,6 +36,13 @@ tags: type: User role: - Victim + required_fields: + - api.operation + - actor.user.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml index 8419672b04..2adb667733 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml @@ -40,18 +40,17 @@ tags: type: User role: - Victim - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name - actor.user.uid - http_request.user_agent - src_endpoint.ip + - src_endpoint.domain - cloud.region + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud risk_score: 49 security_domain: network tests: 
diff --git a/detections/cloud/asl_aws_iam_delete_policy.yml b/detections/cloud/asl_aws_iam_delete_policy.yml index 812776680e..f1e08c9b46 100644 --- a/detections/cloud/asl_aws_iam_delete_policy.yml +++ b/detections/cloud/asl_aws_iam_delete_policy.yml @@ -35,6 +35,13 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region risk_score: 10 security_domain: access tests: diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml index 6857212735..1ce2773787 100644 --- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml @@ -44,6 +44,13 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region risk_score: 5 security_domain: access tests: diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml index b396fd3167..a87f086ea9 100644 --- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml @@ -39,11 +39,10 @@ tags: - Splunk Cloud required_fields: - api.operation - - actor.user.account_uid - - actor.user.name - actor.user.uid - http_request.user_agent - src_endpoint.ip + - src_endpoint.domain - cloud.region risk_score: 5 security_domain: access diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml index b9f8984878..fe765ac48d 100644 --- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml +++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml 
@@ -48,6 +48,13 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region risk_score: 64 security_domain: threat tests: diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml index 0f5fe5f21e..47e6df0f06 100644 --- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml @@ -38,6 +38,13 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region risk_score: 64 security_domain: identity tests: From 7b275e0369707d52a8de18a87c32026c4557e7d8 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Thu, 12 Dec 2024 10:28:41 +0100 Subject: [PATCH 03/27] bug fixes --- detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml | 2 +- .../asl_aws_defense_evasion_delete_cloudwatch_log_group.yml | 2 +- .../cloud/asl_aws_multi_factor_authentication_disabled.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml index 856d1ec1e2..f81efb1186 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml @@ -27,7 +27,7 @@ tags: asset_type: AWS Account confidence: 90 impact: 100 - message: User $user$ has deleted a CloudTrail logging for account id $aws_account_id$ + message: User $user$ has deleted a CloudTrail mitre_attack_id: - T1562.008 - T1562 
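Review bot: The replacement `message: User $user$ has deleted a CloudTrail` reads as truncated; `has deleted a CloudTrail trail` states what `DeleteTrail` did, and the same applies to the CloudWatch hunk that follows, where `has deleted a CloudWatch` should say `CloudWatch log group`. Removing `$aws_account_id$` also drops the only account context in all three messages; since the first patch in this series took `actor.user.account_uid` out of the `stats ... by` clauses, consider putting an account identifier back into the grouping and the message instead of deleting it, because cross-account activity is exactly where that detail matters for triage.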
diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml index 4211054cfa..237c19a7a3 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml @@ -27,7 +27,7 @@ tags: asset_type: AWS Account confidence: 90 impact: 100 - message: User $user$ has deleted a CloudWatch logging group for account id $aws_account_id$ + message: User $user$ has deleted a CloudWatch mitre_attack_id: - T1562 - T1562.008 diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml index fe765ac48d..2aa72ffc1b 100644 --- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml +++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml @@ -28,7 +28,7 @@ tags: asset_type: AWS Account confidence: 80 impact: 80 - message: User $user$ has disabled Multi-Factor authentication for AWS account $aws_account_id$ + message: User $user$ has disabled Multi-Factor authentication mitre_attack_id: - T1586 - T1586.003 From 2b3ae5011a2212a956e391c7e35eb4269531b529 Mon Sep 17 00:00:00 2001 
From: Patrick Bareiss Date: Thu, 12 Dec 2024 10:33:40 +0100 Subject: [PATCH 04/27] bump versions --- .../cloud/asl_aws_concurrent_sessions_from_different_ips.yml | 2 +- detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml | 2 +- .../asl_aws_defense_evasion_delete_cloudwatch_log_group.yml | 2 +- .../cloud/asl_aws_defense_evasion_impair_security_services.yml | 2 +- .../cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml | 2 +- detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml | 2 +- .../asl_aws_ecr_container_upload_outside_business_hours.yml | 2 +- detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml | 2 +- detections/cloud/asl_aws_iam_delete_policy.yml | 2 +- detections/cloud/asl_aws_iam_failure_group_deletion.yml | 2 +- detections/cloud/asl_aws_iam_successful_group_deletion.yml | 2 +- .../cloud/asl_aws_multi_factor_authentication_disabled.yml | 2 +- detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml index 342b9bd03c..2a8af89868 100644 --- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml @@ -1,6 +1,6 @@ name: ASL AWS Concurrent Sessions From Different Ips id: b3424bbe-3204-4469-887b-ec144483a336 -version: 5 +version: 6 date: '2024-09-30' author: Patrick Bareiss, Splunk status: production diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml index f81efb1186..e7525f7f72 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml 
@@ -1,6 +1,6 @@ name: ASL AWS Defense Evasion Delete Cloudtrail id: 1f0b47e5-0134-43eb-851c-e3258638945e -version: 5 +version: 6 date: '2024-09-30' author: Patrick Bareiss, Splunk status: production diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml index 237c19a7a3..deb647f38b 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml @@ -1,6 +1,6 @@ name: ASL AWS Defense Evasion Delete CloudWatch Log Group id: 0f701b38-a0fb-43fd-a83d-d12265f71f33 -version: 4 +version: 5 date: '2024-09-30' author: Patrick Bareiss, Splunk status: production diff --git a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml index e15ec42274..0ce5232dce 100644 --- a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml +++ b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml @@ -1,6 +1,6 @@ name: ASL AWS Defense Evasion Impair Security Services id: 5029b681-0462-47b7-82e7-f7e3d37f5a2d -version: 4 +version: 5 date: '2024-10-17' author: Patrick Bareiss, Bhavin Patel, Gowthamaraj Rajendran, Splunk status: production diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml index 2fcd885ec5..392fbe86d9 100644 --- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml @@ -1,6 +1,6 @@ name: ASL AWS Defense Evasion Stop Logging Cloudtrail id: 0b78a8f9-1d31-4d23-85c8-56ad13d5b4c1 -version: 3 +version: 4 date: '2024-09-30' author: Patrick Bareiss, Splunk status: production 
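Review bot: Every hunk in this patch bumps `version` but leaves `date` untouched (for example `version: 6` next to `date: '2024-09-30'` in the concurrent-sessions hunk). The `date` field tracks the last content change, and the new detections added later in this series use `date: '2024-12-12'`; update it in the same thirteen files so the version bump and the date agree.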
diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml index dd7ee7ef6e..719c99d85b 100644 --- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml @@ -1,6 +1,6 @@ name: ASL AWS Defense Evasion Update Cloudtrail id: f3eb471c-16d0-404d-897c-7653f0a78cba -version: 3 +version: 4 date: '2024-09-30' author: Patrick Bareiss, Splunk status: production diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml index e6d4bd4bb9..af3751acbf 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml @@ -1,6 +1,6 @@ name: ASL AWS ECR Container Upload Outside Business Hours id: 739ed682-27e9-4ba0-80e5-a91b97698213 -version: 4 +version: 5 date: '2024-09-30' author: Patrick Bareiss, Splunk status: production diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml index 2adb667733..14641db300 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml @@ -1,6 +1,6 @@ name: ASL AWS ECR Container Upload Unknown User id: 886a8f46-d7e2-4439-b9ba-aec238e31732 -version: 3 +version: 4 date: '2024-09-30' author: Patrick Bareiss, Splunk status: production diff --git a/detections/cloud/asl_aws_iam_delete_policy.yml b/detections/cloud/asl_aws_iam_delete_policy.yml index f1e08c9b46..a98b0b1abe 100644 --- a/detections/cloud/asl_aws_iam_delete_policy.yml +++ b/detections/cloud/asl_aws_iam_delete_policy.yml 
@@ -1,6 +1,6 @@ name: ASL AWS IAM Delete Policy id: 609ced68-d420-4ff7-8164-ae98b4b4018c -version: 4 +version: 5 date: '2024-10-17' author: Patrick Bareiss, Splunk status: production diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml index 1ce2773787..e60e2f7963 100644 --- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml @@ -1,6 +1,6 @@ name: ASL AWS IAM Failure Group Deletion id: 8d12f268-c567-4557-9813-f8389e235c06 -version: 5 +version: 6 date: '2024-10-22' author: Patrick Bareiss, Splunk status: production diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml index a87f086ea9..b233db7f0e 100644 --- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml @@ -1,6 +1,6 @@ name: ASL AWS IAM Successful Group Deletion id: 1bbe54f1-93d7-4764-8a01-ddaa12ece7ac -version: 4 +version: 5 date: '2024-10-22' author: Patrick Bareiss, Splunk status: production diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml index 2aa72ffc1b..6849c7c8e0 100644 --- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml +++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml @@ -1,6 +1,6 @@ name: ASL AWS Multi-Factor Authentication Disabled id: 4d2df5e0-1092-4817-88a8-79c7fa054668 -version: 4 +version: 5 date: '2024-09-30' author: Patrick Bareiss, Splunk status: production diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml index 47e6df0f06..6333a2b7ff 100644 --- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml 
+++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml @@ -1,6 +1,6 @@ name: ASL AWS New MFA Method Registered For User id: 33ae0931-2a03-456b-b1d7-b016c5557fbd -version: 5 +version: 6 date: '2024-10-17' author: Patrick Bareiss, Splunk status: experimental From e82847c3c3584022a22c6f9f6d2b32bc44589c5c Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Thu, 12 Dec 2024 16:42:52 +0100 Subject: [PATCH 05/27] new asl aws detections --- ...policy_version_to_allow_all_resources..yml | 59 +++++++++++++++++ detections/cloud/asl_aws_createaccesskey.yml | 53 +++++++++++++++ ..._aws_credential_access_getpassworddata.yml | 64 +++++++++++++++++++ ...s_credential_access_rds_password_reset.yml | 63 ++++++++++++++++++ 4 files changed, 239 insertions(+) create mode 100644 detections/cloud/asl_aws_create_policy_version_to_allow_all_resources..yml create mode 100644 detections/cloud/asl_aws_createaccesskey.yml create mode 100644 detections/cloud/asl_aws_credential_access_getpassworddata.yml create mode 100644 detections/cloud/asl_aws_credential_access_rds_password_reset.yml diff --git a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources..yml b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources..yml new file mode 100644 index 0000000000..dacd1fde01 --- /dev/null +++ b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources..yml 
@@ -0,0 +1,59 @@ +name: ASL AWS Create Policy Version to allow all resources +id: 22cc7a62-3884-48c4-82da-592b8199b72f +version: 1 +date: '2024-12-12' +author: Patrick Bareiss, Splunk +status: production +type: TTP +description: The following analytic identifies the creation of a new AWS IAM policy version that allows access to all resources. It detects this activity by analyzing AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that grants broad permissions. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment. +data_source: [] +search: '`amazon_security_lake` api.operation=CreatePolicy | spath input=api.request.data | spath input=policyDocument | regex Statement{}.Action="\*" | regex Statement{}.Resource="\*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_create_policy_version_to_allow_all_resources_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. 
+known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity. +references: +- https://bishopfox.com/blog/privilege-escalation-in-aws +- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - AWS IAM Privilege Escalation + asset_type: AWS Account + confidence: 70 + impact: 70 + message: User $user$ created a policy version that allows them to access any resource in their account. 
+ mitre_attack_id: + - T1078.004 + - T1078 + observable: + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - api.request.data + - actor.user.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region + risk_score: 49 + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/detections/cloud/asl_aws_createaccesskey.yml b/detections/cloud/asl_aws_createaccesskey.yml new file mode 100644 index 0000000000..c6d0c5b9c1 --- /dev/null +++ b/detections/cloud/asl_aws_createaccesskey.yml 
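Review bot: `api.operation=CreatePolicy` does not match the analytic: the name, the description and the `CreatePolicyVersion` event the description cites are all about adding a new version to an existing policy, so as written the search misses that path entirely and instead fires on every brand-new policy carrying a wildcard. Change the filter to `api.operation=CreatePolicyVersion` (or `api.operation IN (CreatePolicy, CreatePolicyVersion)` with the description widened to match). Two smaller points in the same hunk: `regex Statement{}.Action="\*"` and `regex Statement{}.Resource="\*"` match any value that merely contains an asterisk, so `s3:*` scoped to a single bucket ARN also trips the rule; anchor the patterns (`^\*$`) or state in known_false_positives that any wildcard is in scope. And the file is created as `asl_aws_create_policy_version_to_allow_all_resources..yml` with a doubled dot, which PATCH 06 renames; fold that rename into this commit.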
@@ -0,0 +1,53 @@ +name: ASL AWS CreateAccessKey +id: d130cccd-41fe-483f-a70c-25d238bfce31 +version: 1 +date: '2024-12-12' +author: Patrick Bareiss, Splunk +status: production +type: Hunting +description: The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment. +data_source: [] +search: '`amazon_security_lake` api.operation=CreateAccessKey | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_createaccesskey_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. 
+references: +- https://bishopfox.com/blog/privilege-escalation-in-aws +- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ +tags: + analytic_story: + - AWS IAM Privilege Escalation + asset_type: AWS Account + confidence: 90 + impact: 70 + message: User $user$ is attempting to create access keys + mitre_attack_id: + - T1136.003 + - T1136 + observable: + - name: src_ip + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region + risk_score: 63 + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/detections/cloud/asl_aws_credential_access_getpassworddata.yml b/detections/cloud/asl_aws_credential_access_getpassworddata.yml new file mode 100644 index 0000000000..d7126a7eb2 --- /dev/null +++ b/detections/cloud/asl_aws_credential_access_getpassworddata.yml 
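Review bot: the description promises that the search compares the caller with the user named in the request and alerts only when they differ, but the search never reads `api.request.data`, so it fires on every `CreateAccessKey` call, routine self-service key rotation included, and the known_false_positives sentence about keys "for another user" describes a comparison that does not exist. Add `| spath input=api.request.data` to extract the request's `userName` and keep only events where it differs from the caller (if `actor.user.uid` carries a principal ID rather than the IAM user name in your Security Lake mapping, compare against the actor's user-name field instead). Also the test dataset lives under `attack_techniques/T1078/` while the hunk tags T1136.003 and T1136; one of the two should change so the dataset and the ATT&CK mapping agree.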
@@ -0,0 +1,64 @@ +name: ASL AWS Credential Access GetPasswordData +id: a79b607a-50cc-4704-bb9d-eff280cb78c2 +version: 1 +date: '2024-12-12' +author: Patrick Bareiss, Splunk +status: production +type: Anomaly +description: The following analytic identifies more than 10 GetPasswordData API calls within a 5-minute window in your AWS account. It leverages AWS CloudTrail logs to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment. +data_source: [] +search: '`amazon_security_lake` api.operation=GetPasswordData | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region instanceId | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_getpassworddata_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time. 
+references: +- https://attack.mitre.org/techniques/T1552/ +- https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/ +drilldown_searches: +- name: View the detection results for - "$user_arn$" + search: '%original_detection_search% | search user_arn = "$user_arn$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user_arn$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - AWS Identity and Access Management Account Takeover + asset_type: AWS Account + confidence: 70 + impact: 70 + message: User $user$ is seen to make mulitple `GetPasswordData` API calls + mitre_attack_id: + - T1586 + - T1586.003 + - T1110 + - T1110.001 + observable: + - name: src_ip + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region + risk_score: 49 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/aws_getpassworddata/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl 
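Review bot: the search does not implement the threshold the description states. There is no 5-minute bucketing, no distinct count of `instanceId` and no `where` clause, and because `instanceId` is in the `by` list every instance becomes its own row with its own count, so a single `GetPasswordData` call raises an Anomaly and the known_false_positives argument ("highly unlikely to make several calls in a short period") does not hold. Suggest `| bin span=5m _time as window | stats dc(instanceId) as distinct_instances count min(_time) as firstTime max(_time) as lastTime by window api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | where distinct_instances > 10`, or lower the threshold and rewrite the description to match whatever is chosen. Smaller points in the same hunk: `required_fields` omits `api.request.data` even though the search runs `spath input=api.request.data` to obtain `instanceId`; the risk message reads "mulitple"; and the references cite T1552 while `mitre_attack_id` lists T1586.003 and T1110.001, so the technique mapping should be reconciled.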
diff --git a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml new file mode 100644 index 0000000000..56bddae069 --- /dev/null +++ b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml 
@@ -0,0 +1,63 @@ +name: ASL AWS Credential Access RDS Password reset +id: d15e9bd9-ef64-4d84-bc04-f62955a9fee8 +version: 1 +date: '2024-12-12' +author: Patrick Bareiss, Splunk +status: production +type: TTP +description: The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs to identify events where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset. +data_source: [] +search: '`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation=ModifyDBCluster | spath input=api.request.data | search masterUserPassword=* | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_rds_password_reset_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. +known_false_positives: Users may genuinely reset the RDS password. 
+references: +- https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds +drilldown_searches: +- name: View the detection results for - "$database_id$" + search: '%original_detection_search% | search database_id = "$database_id$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$database_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$database_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - AWS Identity and Access Management Account Takeover + asset_type: AWS Account + confidence: 70 + impact: 70 + message: User $user$ is seen to reset the password for database + mitre_attack_id: + - T1586 + - T1586.003 + - T1110 + observable: + - name: database_id + type: Endpoint + role: + - Victim + - name: src + type: IP Address + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - api.request.data + - actor.user.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region + risk_score: 49 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.002/aws_rds_password_reset/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl From 8d5165ac314d5a4e1bdb77b5fcabc739adaa24e8 Mon Sep 17 00:00:00 2001 
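Review bot: `how_to_implement` says "install splunk AWS add on and Splunk App for AWS", which contradicts the `amazon_security_lake` macro the search runs on; use the Security Lake ingest text the other files in this commit carry. The drilldowns filter on `database_id` and the observables name `database_id` (type Endpoint) and `src`, but the search emits neither: after the `rename` the output fields are `user` and `src_ip`, so both drilldowns return nothing and neither observable binds (PATCHES 06, 07 and 11 fix these one at a time; squash them here). If the database identifier is wanted as an observable and in the "reset the password for database" message, extract it from `api.request.data` with the `spath` already in the pipeline and add it to the `stats by` list rather than dropping it.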
From: Patrick Bareiss Date: Thu, 12 Dec 2024 16:46:10 +0100 Subject: [PATCH 06/27] bug fix --- ..._aws_create_policy_version_to_allow_all_resources.yml} | 0 .../asl_aws_credential_access_rds_password_reset.yml | 8 ++++---- 2 files changed, 4 insertions(+), 4 deletions(-) rename detections/cloud/{asl_aws_create_policy_version_to_allow_all_resources..yml => asl_aws_create_policy_version_to_allow_all_resources.yml} (100%) diff --git a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources..yml b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml similarity index 100% rename from detections/cloud/asl_aws_create_policy_version_to_allow_all_resources..yml rename to detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml diff --git a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml index 56bddae069..2c9838422d 100644 --- a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml +++ b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml 
@@ -13,12 +13,12 @@ known_false_positives: Users may genuinely reset the RDS password. references: - https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds drilldown_searches: -- name: View the detection results for - "$database_id$" - search: '%original_detection_search% | search database_id = "$database_id$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search database_id = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$database_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$database_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: From 662a813ed79adf455edf9cb3ef142dd0db739c46 Mon Sep 17 00:00:00 2001 
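Review bot: the token was renamed but the field was not: `search database_id = "$user$"` still filters on `database_id`, which the detection does not emit, so the first drilldown returns no rows. It should read `search user = "$user$"` to match the `user` field produced by the `rename` in the search. The commit message "bug fix" should also say which bug it fixes.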
From: Patrick Bareiss Date: Thu, 12 Dec 2024 16:48:43 +0100 Subject: [PATCH 07/27] bug fix --- .../cloud/asl_aws_credential_access_rds_password_reset.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml index 2c9838422d..1a8f928a42 100644 --- a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml +++ b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml @@ -33,8 +33,8 @@ tags: - T1586.003 - T1110 observable: - - name: database_id - type: Endpoint + - name: user + type: User role: - Victim - name: src From 36fa04542dc38f7429781ca086dbc07ce15a134e Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Thu, 12 Dec 2024 16:53:50 +0100 Subject: [PATCH 08/27] bug fix --- detections/cloud/asl_aws_createaccesskey.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/asl_aws_createaccesskey.yml b/detections/cloud/asl_aws_createaccesskey.yml index c6d0c5b9c1..3f4c3701c6 100644 --- a/detections/cloud/asl_aws_createaccesskey.yml +++ b/detections/cloud/asl_aws_createaccesskey.yml @@ -1,5 +1,5 @@ name: ASL AWS CreateAccessKey -id: d130cccd-41fe-483f-a70c-25d238bfce31 +id: 81a9f2fe-1697-473c-af1d-086b0d8b63c8 version: 1 date: '2024-12-12' author: Patrick Bareiss, Splunk From 3df3c730c481624689c08827ea8de3f53214cc7d Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Thu, 12 Dec 2024 16:58:43 +0100 Subject: [PATCH 09/27] bug fix --- ...sl_aws_createaccesskey.yml => asl_aws_create_access_key.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename detections/cloud/{asl_aws_createaccesskey.yml => asl_aws_create_access_key.yml} (98%) 
diff --git a/detections/cloud/asl_aws_createaccesskey.yml b/detections/cloud/asl_aws_create_access_key.yml similarity index 98% rename from detections/cloud/asl_aws_createaccesskey.yml rename to detections/cloud/asl_aws_create_access_key.yml index 3f4c3701c6..a40264d141 100644 --- a/detections/cloud/asl_aws_createaccesskey.yml +++ b/detections/cloud/asl_aws_create_access_key.yml @@ -1,4 +1,4 @@ -name: ASL AWS CreateAccessKey +name: ASL AWS Create Access Key id: 81a9f2fe-1697-473c-af1d-086b0d8b63c8 version: 1 date: '2024-12-12' From 9614a1ef9b05aa02c93e78bb16b7427c93d420ee Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Thu, 12 Dec 2024 17:00:27 +0100 Subject: [PATCH 10/27] bug fix --- detections/cloud/asl_aws_create_access_key.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/asl_aws_create_access_key.yml b/detections/cloud/asl_aws_create_access_key.yml index a40264d141..9f1596c925 100644 --- a/detections/cloud/asl_aws_create_access_key.yml +++ b/detections/cloud/asl_aws_create_access_key.yml 
@@ -7,7 +7,7 @@ status: production type: Hunting description: The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment. data_source: [] -search: '`amazon_security_lake` api.operation=CreateAccessKey | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_createaccesskey_filter`' +search: '`amazon_security_lake` api.operation=CreateAccessKey | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_create_access_key_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. 
To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. references: From 4ba258a1b573746582e44648f9be92586a8a7b76 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Mon, 16 Dec 2024 09:31:49 +0100 Subject: [PATCH 11/27] bug fix improvements --- detections/cloud/asl_aws_create_access_key.yml | 2 +- .../cloud/asl_aws_credential_access_rds_password_reset.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/cloud/asl_aws_create_access_key.yml b/detections/cloud/asl_aws_create_access_key.yml index 9f1596c925..fe47bbf5b0 100644 --- a/detections/cloud/asl_aws_create_access_key.yml +++ b/detections/cloud/asl_aws_create_access_key.yml @@ -48,6 +48,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/asl_ocsf_cloudtrail.json + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/asl_ocsf_cloudtrail.json sourcetype: aws:cloudtrail:lake source: aws_asl diff --git a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml index 1a8f928a42..946332c907 100644 --- a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml +++ b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml @@ -37,7 +37,7 @@ tags: type: User role: - Victim - - name: src + - name: src_ip type: IP Address role: - Attacker From 2fd10dc4c4762f741a28dda48a6db7ea248627a8 Mon Sep 17 00:00:00 2001 
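Review bot: the PATCH 11 dataset path moves to `attack_techniques/T1078/aws_createaccesskey/`, but the detection's `mitre_attack_id` is T1136.003 and T1136, so the test data and the ATT&CK mapping still disagree; pick one technique and use it in both places.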
From: Patrick Bareiss Date: Mon, 16 Dec 2024 10:55:12 +0100 Subject: [PATCH 12/27] updates --- .../cloud/asl_aws_create_access_key.yml | 3 +- ..._policy_version_to_allow_all_resources.yml | 3 +- ..._aws_credential_access_getpassworddata.yml | 11 ++-- ...s_credential_access_rds_password_reset.yml | 3 +- ..._aws_defense_evasion_delete_cloudtrail.yml | 3 +- ...se_evasion_delete_cloudwatch_log_group.yml | 3 +- ...fense_evasion_impair_security_services.yml | 3 +- ...aws_defense_evasion_putbucketlifecycle.yml | 57 +++++++++++++++++++ ...efense_evasion_stop_logging_cloudtrail.yml | 3 +- ..._aws_defense_evasion_update_cloudtrail.yml | 3 +- ...ontainer_upload_outside_business_hours.yml | 3 +- ..._aws_ecr_container_upload_unknown_user.yml | 3 +- .../cloud/asl_aws_iam_delete_policy.yml | 3 +- .../asl_aws_iam_failure_group_deletion.yml | 3 +- .../asl_aws_iam_successful_group_deletion.yml | 3 +- ...s_multi_factor_authentication_disabled.yml | 3 +- ...aws_new_mfa_method_registered_for_user.yml | 3 +- 17 files changed, 93 insertions(+), 20 deletions(-) create mode 100644 detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml diff --git a/detections/cloud/asl_aws_create_access_key.yml b/detections/cloud/asl_aws_create_access_key.yml index fe47bbf5b0..b2894b069d 100644 --- a/detections/cloud/asl_aws_create_access_key.yml +++ b/detections/cloud/asl_aws_create_access_key.yml 
@@ -7,7 +7,7 @@ status: production type: Hunting description: The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment. data_source: [] -search: '`amazon_security_lake` api.operation=CreateAccessKey | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_create_access_key_filter`' +search: '`amazon_security_lake` api.operation=CreateAccessKey | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_create_access_key_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. 
To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. references: @@ -39,6 +39,7 @@ tags: required_fields: - api.operation - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip - src_endpoint.domain diff --git a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml index dacd1fde01..2dfae61ba3 100644 --- a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml +++ b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml 
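Review bot: adding `actor.user.account.uid` to the `stats by` list is useful in a multi-account Security Lake, but the value is neither renamed nor used in the risk message or observables, so the analyst only sees the account in the raw results; surface it in the message or rename it alongside `user`. The larger gap in this search is unchanged: the description still promises a comparison between the caller and the `userName` in the request, and the search still neither extracts nor compares it.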
@@ -7,7 +7,7 @@ status: production type: TTP description: The following analytic identifies the creation of a new AWS IAM policy version that allows access to all resources. It detects this activity by analyzing AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that grants broad permissions. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment. data_source: [] -search: '`amazon_security_lake` api.operation=CreatePolicy | spath input=api.request.data | spath input=policyDocument | regex Statement{}.Action="\*" | regex Statement{}.Resource="\*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_create_policy_version_to_allow_all_resources_filter`' +search: '`amazon_security_lake` api.operation=CreatePolicy | spath input=api.request.data | spath input=policyDocument | regex Statement{}.Action="\*" | regex Statement{}.Resource="\*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_create_policy_version_to_allow_all_resources_filter`' how_to_implement: The detection is based on Amazon Security Lake events from 
Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity. references: @@ -43,6 +43,7 @@ tags: - Splunk Cloud required_fields: - api.operation + - actor.user.account.uid - api.request.data - actor.user.uid - http_request.user_agent diff --git a/detections/cloud/asl_aws_credential_access_getpassworddata.yml b/detections/cloud/asl_aws_credential_access_getpassworddata.yml index d7126a7eb2..89ca5d7627 100644 --- a/detections/cloud/asl_aws_credential_access_getpassworddata.yml +++ b/detections/cloud/asl_aws_credential_access_getpassworddata.yml 
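Review bot: this hunk still filters on `api.operation=CreatePolicy` while the name and description are about `CreatePolicyVersion`; since the search line is being rewritten anyway, fix the operation here. In `required_fields`, the new `actor.user.account.uid` entry is inserted between `api.operation` and `api.request.data`, splitting the `api.*` fields; place it next to `actor.user.uid` as the other files in this commit do.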
@@ -7,19 +7,19 @@ status: production type: Anomaly description: The following analytic identifies more than 10 GetPasswordData API calls within a 5-minute window in your AWS account. It leverages AWS CloudTrail logs to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment. data_source: [] -search: '`amazon_security_lake` api.operation=GetPasswordData | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region instanceId | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_getpassworddata_filter`' +search: '`amazon_security_lake` api.operation=GetPasswordData | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region instanceId | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_getpassworddata_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. 
To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time. references: - https://attack.mitre.org/techniques/T1552/ - https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/ drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user_arn = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | 
`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: @@ -50,6 +50,7 @@ tags: required_fields: - api.operation - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip - src_endpoint.domain diff --git a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml index 946332c907..9f7ab85779 100644 --- a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml +++ b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml 
@@ -7,7 +7,7 @@ status: production type: TTP description: The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs to identify events where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset. data_source: [] -search: '`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation=ModifyDBCluster | spath input=api.request.data | search masterUserPassword=* | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_rds_password_reset_filter`' +search: '`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation=ModifyDBCluster | spath input=api.request.data | search masterUserPassword=* | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_rds_password_reset_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. 
This search works with AWS CloudTrail logs. known_false_positives: Users may genuinely reset the RDS password. references: @@ -49,6 +49,7 @@ tags: - api.operation - api.request.data - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip - src_endpoint.domain diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml index e7525f7f72..c981938f68 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml 
@@ -7,7 +7,7 @@ status: production type: TTP description: The following analytic detects AWS `DeleteTrail` events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment. data_source: [] -search: '`amazon_security_lake` api.operation=DeleteTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter`' +search: '`amazon_security_lake` api.operation=DeleteTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. 
To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity. references: @@ -43,6 +43,7 @@ tags: required_fields: - api.operation - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip - src_endpoint.domain diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml index deb647f38b..aca37b5228 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml 
@@ -7,7 +7,7 @@ status: production type: TTP description: The following analytic detects the deletion of CloudWatch log groups in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment. data_source: [] -search: '`amazon_security_lake` api.operation=DeleteLogGroup | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`' +search: '`amazon_security_lake` api.operation=DeleteLogGroup | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. 
To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity. references: @@ -47,6 +47,7 @@ tags: required_fields: - api.operation - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip - src_endpoint.domain diff --git a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml index 0ce5232dce..cc130e457c 100644 --- a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml +++ b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml 
@@ -7,7 +7,7 @@ status: production type: Hunting description: The following analytic detects the deletion of critical AWS Security Services configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages Amazon Security Lake logs to identify specific API calls like "DeleteLogStream" and "DeleteDetector." This activity is significant because adversaries often use these actions to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, leading to potential data breaches, unauthorized access, and prolonged persistence within the AWS environment. data_source: [] -search: '`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`' +search: '`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`' 
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. references: @@ -40,6 +40,7 @@ tags: required_fields: - api.operation - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip - src_endpoint.domain diff --git a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml new file mode 100644 index 0000000000..17eaa8ce1d --- /dev/null +++ b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml 
@@ -0,0 +1,57 @@ +name: ASL AWS Defense Evasion PutBucketLifecycle +id: 986565a2-7707-48ea-9590-37929cebc938 +version: 1 +date: '2024-12-16' +author: Patrick Bareiss, Splunk +status: production +type: Hunting +description: The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail logs where a user sets a lifecycle rule for an S3 bucket with an expiration period of fewer than three days. This detection leverages CloudTrail logs to identify suspicious lifecycle configurations. This activity is significant because attackers may use it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic investigations. If confirmed malicious, this could allow attackers to cover their tracks, making it difficult to trace their actions and respond to the breach effectively. +data_source: +- AWS CloudTrail PutBucketLifecycle +search: '`amazon_security_lake` api.operation=PutBucketLifecycle | spath input=api.request.data path=LifecycleConfiguration.Rule.NoncurrentVersionExpiration.NoncurrentDays output=NoncurrentDays | where NoncurrentDays < 3 | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region NoncurrentDays bukcetName | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where expiration_days < 3 | `aws_defense_evasion_putbucketlifecycle_filter`' +how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies. +known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. 
Please consider filtering out these noisy events using userAgent, user_arn field names. +references: +- https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ +tags: + analytic_story: + - AWS Defense Evasion + asset_type: AWS Account + confidence: 40 + impact: 50 + message: User $user$ has created a new rule to on an S3 bucket $bucket_name$ with short expiration days + mitre_attack_id: + - T1562.008 + - T1562 + - T1485.001 + - T1485 + observable: + - name: src + type: IP Address + role: + - Attacker + - name: user_arn + type: User + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - api.request.data + - actor.user.uid + - actor.user.account.uid + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region + risk_score: 20 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/put_bucketlifecycle/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml index 392fbe86d9..4cbfd6c506 100644 --- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml 
@@ -7,7 +7,7 @@ status: production type: TTP description: The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions. data_source: [] -search: '`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`' +search: '`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web 
Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity. references: @@ -47,6 +47,7 @@ tags: required_fields: - api.operation - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip - src_endpoint.domain diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml index 719c99d85b..fb35064615 100644 --- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml 
@@ -7,7 +7,7 @@ status: production type: TTP description: The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations. data_source: [] -search: '`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`' +search: '`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides 
security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity. references: @@ -47,6 +47,7 @@ tags: required_fields: - api.operation - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip - src_endpoint.domain diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml index af3751acbf..a1ee0f413d 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml 
@@ -7,7 +7,7 @@ status: production type: Anomaly description: The following analytic detects the upload of new containers to AWS Elastic Container Service (ECR) outside of standard business hours through AWS CloudTrail events. It identifies this behavior by monitoring for `PutImage` events occurring before 8 AM or after 8 PM, as well as any uploads on weekends. This activity is significant for a SOC to investigate as it may indicate unauthorized access or malicious deployments, potentially leading to compromised services or data breaches. Identifying and addressing such uploads promptly can mitigate the risk of security incidents and their associated impacts. data_source: [] -search: '`amazon_security_lake` api.operation=PutImage | eval hour=strftime(time/pow(10,3), "%H"), weekday=strftime(time/pow(10,3), "%A") | where hour >= 20 OR hour < 8 OR weekday=Saturday OR weekday=Sunday | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent cloud.region | rename actor.user.uid as user, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_outside_business_hours_filter`' +search: '`amazon_security_lake` api.operation=PutImage | eval hour=strftime(time/pow(10,3), "%H"), weekday=strftime(time/pow(10,3), "%A") | where hour >= 20 OR hour < 8 OR weekday=Saturday OR weekday=Sunday | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent cloud.region | rename actor.user.uid as user, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_outside_business_hours_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized 
data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: When your development is spreaded in different time zones, applying this rule can be difficult. references: @@ -39,6 +39,7 @@ tags: required_fields: - api.operation - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip - src_endpoint.domain diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml index 14641db300..e0311b7240 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml 
@@ -7,7 +7,7 @@ status: production type: Anomaly description: The following analytic detects unauthorized container uploads to AWS Elastic Container Service (ECR) by monitoring AWS CloudTrail events. It identifies instances where a new container is uploaded by a user not previously recognized as authorized. This detection is crucial for a SOC as it can indicate a potential compromise or misuse of AWS ECR, which could lead to unauthorized access to sensitive data or the deployment of malicious containers. By identifying and investigating these events, organizations can mitigate the risk of data breaches or other security incidents resulting from unauthorized container uploads. The impact of such an attack could be significant, compromising the integrity and security of the organization's cloud environment. data_source: [] -search: '`amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl` | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_unknown_user_filter`' +search: '`amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl` | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_unknown_user_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS 
services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: unknown references: @@ -43,6 +43,7 @@ tags: required_fields: - api.operation - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip - src_endpoint.domain diff --git a/detections/cloud/asl_aws_iam_delete_policy.yml b/detections/cloud/asl_aws_iam_delete_policy.yml index a98b0b1abe..9d41172ef3 100644 --- a/detections/cloud/asl_aws_iam_delete_policy.yml +++ b/detections/cloud/asl_aws_iam_delete_policy.yml 
@@ -7,7 +7,7 @@ status: production type: Hunting description: The following analytic identifies when a policy is deleted in AWS. It leverages Amazon Security Lake logs to detect the DeletePolicy API operation. Monitoring policy deletions is crucial as it can indicate unauthorized attempts to weaken security controls. If confirmed malicious, this activity could allow an attacker to remove critical security policies, potentially leading to privilege escalation or unauthorized access to sensitive resources. data_source: [] -search: '`amazon_security_lake` api.operation=DeletePolicy | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`' +search: '`amazon_security_lake` api.operation=DeletePolicy | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. 
known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only. references: @@ -38,6 +38,7 @@ tags: required_fields: - api.operation - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip - src_endpoint.domain diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml index e60e2f7963..428d72f0a8 100644 --- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml 
@@ -7,7 +7,7 @@ status: production type: Anomaly description: The following analytic detects failed attempts to delete AWS IAM groups, triggered by access denial, conflicts, or non-existent groups. It operates by monitoring CloudTrail logs for specific error codes related to deletion failures. This behavior is significant for a SOC as it may indicate unauthorized attempts to modify access controls or disrupt operations by removing groups. Such actions could be part of a larger attack aiming to escalate privileges or impair security protocols. Identifying these attempts allows for timely investigation and mitigation, preventing potential impact on the organizations security posture. data_source: [] -search: '`amazon_security_lake` api.operation=DeleteGroup status=Failure http_request.user_agent!=*.amazonaws.com | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_failure_group_deletion_filter`' +search: '`amazon_security_lake` api.operation=DeleteGroup status=Failure http_request.user_agent!=*.amazonaws.com | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_failure_group_deletion_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. 
To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). references: @@ -47,6 +47,7 @@ tags: required_fields: - api.operation - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip - src_endpoint.domain diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml index b233db7f0e..a5aced86f6 100644 --- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml 
@@ -7,7 +7,7 @@ status: production type: Hunting description: The following analytic detects the successful deletion of a group within AWS IAM, leveraging CloudTrail IAM events. This action, while not inherently malicious, can serve as a precursor to more sinister activities, such as unauthorized access or privilege escalation attempts. By monitoring for such deletions, the analytic aids in identifying potential preparatory steps towards an attack, allowing for early detection and mitigation. The identification of this behavior is crucial for a SOC to prevent the potential impact of an attack, which could include unauthorized access to sensitive resources or disruption of AWS environment operations. data_source: [] -search: '`amazon_security_lake` api.operation=DeleteGroup status=Success | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_successful_group_deletion_filter`' +search: '`amazon_security_lake` api.operation=DeleteGroup status=Success | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_successful_group_deletion_filter`' how_to_implement: You must install the Data Lake Federated Analytics App and ingest the logs into Splunk. known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. 
Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). references: @@ -40,6 +40,7 @@ tags: required_fields: - api.operation - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip - src_endpoint.domain diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml index 6849c7c8e0..984f0a347f 100644 --- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml +++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml 
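Review bot: the how_to_implement line in the trailing context of this hunk still reads "You must install the Data Lake Federated Analytics App and ingest the logs into Splunk." while the sibling ASL detections touched by the same patch (asl_aws_iam_failure_group_deletion.yml just above, asl_aws_multi_factor_authentication_disabled.yml just below) carry the standardized Amazon Security Lake wording with the add-on link; since this hunk already edits the adjacent search line, align the text in the same change so the implementation notes do not drift between detections that share one data source.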
@@ -7,7 +7,7 @@ status: production type: TTP description: The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages Amazon Security Lake logs, specifically monitoring for `DeleteVirtualMFADevice` or `DeactivateMFADevice` API operations. This activity is significant as disabling MFA can indicate an adversary attempting to weaken account security to maintain persistence using a compromised account. If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, potentially leading to unauthorized access to sensitive resources and prolonged compromise. data_source: [] -search: '`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter`' +search: '`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. 
To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company references: @@ -51,6 +51,7 @@ tags: required_fields: - api.operation - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip - src_endpoint.domain diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml index 6333a2b7ff..916a769b3e 100644 --- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml 
@@ -7,7 +7,7 @@ status: experimental type: TTP description: The following analytic identifies the registration of a new Multi-Factor Authentication (MFA) method for an AWS account, as logged through Amazon Security Lake (ASL). It detects this activity by monitoring the `CreateVirtualMFADevice` API operation within ASL logs. This behavior is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this activity could allow attackers to secure their access, making it harder to detect and remove their presence from the compromised environment. data_source: [] -search: '`amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`' +search: '`amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. 
To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: Newly onboarded users who are registering an MFA method for the first time will also trigger this detection. references: @@ -41,6 +41,7 @@ tags: required_fields: - api.operation - actor.user.uid + - actor.user.account.uid - http_request.user_agent - src_endpoint.ip - src_endpoint.domain From 685e732ec900fbe2f734cc2e9d73f52d5ac7405d Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Mon, 16 Dec 2024 11:05:05 +0100 Subject: [PATCH 13/27] bug fix --- detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml index 17eaa8ce1d..05d8758c6e 100644 --- a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml +++ b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml 
@@ -8,7 +8,7 @@ type: Hunting description: The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail logs where a user sets a lifecycle rule for an S3 bucket with an expiration period of fewer than three days. This detection leverages CloudTrail logs to identify suspicious lifecycle configurations. This activity is significant because attackers may use it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic investigations. If confirmed malicious, this could allow attackers to cover their tracks, making it difficult to trace their actions and respond to the breach effectively. data_source: - AWS CloudTrail PutBucketLifecycle -search: '`amazon_security_lake` api.operation=PutBucketLifecycle | spath input=api.request.data path=LifecycleConfiguration.Rule.NoncurrentVersionExpiration.NoncurrentDays output=NoncurrentDays | where NoncurrentDays < 3 | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region NoncurrentDays bukcetName | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where expiration_days < 3 | `aws_defense_evasion_putbucketlifecycle_filter`' +search: '`amazon_security_lake` api.operation=PutBucketLifecycle | spath input=api.request.data path=LifecycleConfiguration.Rule.NoncurrentVersionExpiration.NoncurrentDays output=NoncurrentDays | where NoncurrentDays < 3 | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region NoncurrentDays bukcetName | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | 
`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_putbucketlifecycle_filter`' how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies. known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. references: From f47f89027d1ca475cf1a29939cced59f2f6eb570 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Mon, 16 Dec 2024 11:25:28 +0100 Subject: [PATCH 14/27] bug fix --- .../cloud/asl_aws_defense_evasion_putbucketlifecycle.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml index 05d8758c6e..e8eb55493e 100644 --- a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml +++ b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml @@ -19,18 +19,18 @@ tags: asset_type: AWS Account confidence: 40 impact: 50 - message: User $user$ has created a new rule to on an S3 bucket $bucket_name$ with short expiration days + message: User $user$ has created a new rule to on an S3 bucket $bucketName$ with short expiration days mitre_attack_id: - T1562.008 - T1562 - T1485.001 - T1485 observable: - - name: src + - name: src_ip type: IP Address role: - Attacker - - name: user_arn + - name: user type: User role: - Attacker From eab58f76a355b81038103f010627170d926cfd7f Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Mon, 16 Dec 2024 11:29:25 +0100 Subject: [PATCH 15/27] bug fix --- detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
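Review bot: `bukcetName` in the stats `by` clause of the new search line is misspelled, and it is exactly the field that PATCH 14 below then references as `$bucketName$` in the risk message, so the token will not resolve at alert time; correct it to `bucketName` in the search in the same change. The rest of the two hunks is consistent: renaming the observables to `src_ip` and `user` matches the rename clause in the search, and dropping `| where expiration_days < 3` is right because no earlier stage ever defined that field.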
diff --git a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml index e8eb55493e..44d2e00d59 100644 --- a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml +++ b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml 
@@ -8,7 +8,7 @@ type: Hunting description: The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail logs where a user sets a lifecycle rule for an S3 bucket with an expiration period of fewer than three days. This detection leverages CloudTrail logs to identify suspicious lifecycle configurations. This activity is significant because attackers may use it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic investigations. If confirmed malicious, this could allow attackers to cover their tracks, making it difficult to trace their actions and respond to the breach effectively. data_source: - AWS CloudTrail PutBucketLifecycle -search: '`amazon_security_lake` api.operation=PutBucketLifecycle | spath input=api.request.data path=LifecycleConfiguration.Rule.NoncurrentVersionExpiration.NoncurrentDays output=NoncurrentDays | where NoncurrentDays < 3 | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region NoncurrentDays bukcetName | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_putbucketlifecycle_filter`' +search: '`amazon_security_lake` api.operation=PutBucketLifecycle | spath input=api.request.data path=LifecycleConfiguration.Rule.NoncurrentVersionExpiration.NoncurrentDays output=NoncurrentDays | where NoncurrentDays < 3 | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region NoncurrentDays bucketName | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | 
`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_putbucketlifecycle_filter`' how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies. known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. references: From 3e8bf2a0305d47c13fc7909b75a6d03d9ec99bbf Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Mon, 16 Dec 2024 14:46:35 +0100 Subject: [PATCH 16/27] new detection --- ...g_keys_with_encrypt_policy_without_mfa.yml | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml diff --git a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml new file mode 100644 index 0000000000..6d8c933aca --- /dev/null +++ b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml 
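Review bot: the search only inspects `LifecycleConfiguration.Rule.NoncurrentVersionExpiration.NoncurrentDays`, while the description promises detection of any lifecycle rule "with an expiration period of fewer than three days"; a rule that sets `Expiration.Days` on current object versions, which is the form that actually removes the live log objects, would not be caught. Either add a second `spath` for `LifecycleConfiguration.Rule.Expiration.Days` and test both values, or narrow the description to non-current version expiry. Note also that when a request carries more than one rule, `Rule` may be emitted as an array, in which case the `Rule{}` path form is needed for the extraction to return anything.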
@@ -0,0 +1,73 @@ +name: ASL AWS Detect Users creating keys with encrypt policy without MFA +id: 16ae9076-d1d5-411c-8fdd-457504b33dac +version: 1 +date: '2024-12-16' +author: Patrick Bareiss, Splunk +status: production +type: TTP +description: The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities. +data_source: [] +search: '`amazon_security_lake` api.operation=PutKeyPolicy OR api.operation=CreateKey + | spath input=api.request.data path=policy output=policy + | spath input=policy + | rename Statement{}.Action as Action, Statement{}.Principal as Principal + | eval Statement=mvzip(Action,Principal,"|") + | mvexpand Statement + | eval action=mvindex(split(Statement, "|"), 0) + | eval principal=mvindex(split(Statement, "|"), 1) + | search action=kms* + | regex principal="\*" + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`' +how_to_implement: You must install splunk AWS add on and Splunk App for AWS. 
This search works with AWS CloudTrail logs +known_false_positives: unknown +references: +- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ +- https://github.com/d1vious/git-wild-hunt +- https://www.youtube.com/watch?v=PgzNib37g0M +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Ransomware Cloud + asset_type: AWS Account + confidence: 50 + impact: 50 + message: AWS account is potentially compromised and user $user$ is trying to compromise other accounts. + mitre_attack_id: + - T1486 + observable: + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - actor.user.account.uid + - api.request.data + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region + risk_score: 25 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl 
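Review bot: nothing in the search enforces the "without MFA" condition in the detection name: there is no check on the session's MFA attribute, so the analytic fires on every `PutKeyPolicy` or `CreateKey` whose policy grants a `kms*` action to a wildcard principal, MFA or not; either add that condition or rename the detection to what it tests. Two further points on the same pipeline: `| search action=kms*` matches any KMS action, not only `kms:Encrypt` as the description states, and when `Principal` is an object such as `{"AWS": "*"}` spath exposes it as `Statement{}.Principal.AWS`, so `rename Statement{}.Principal as Principal` yields no principal for those statements and the `mvzip(Action,Principal,"|")` pairing also assumes both fields have the same multivalue length, which breaks when a statement lists several actions. Finally, how_to_implement ("You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs") does not match the ASL wording used by the other detections in this series.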
From 12da0098e3a542a420edfbfafe692004e4990715 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Tue, 17 Dec 2024 10:18:58 +0100 Subject: [PATCH 17/27] new detection --- ...s_credential_access_rds_password_reset.yml | 2 +- ...aws_defense_evasion_putbucketlifecycle.yml | 2 +- ...g_keys_with_encrypt_policy_without_mfa.yml | 2 +- .../asl_aws_disable_bucket_versioning.yml | 71 +++++++++++++++++++ 4 files changed, 74 insertions(+), 3 deletions(-) create mode 100644 detections/cloud/asl_aws_disable_bucket_versioning.yml diff --git a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml index 9f7ab85779..3d65e2111d 100644 --- a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml +++ b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml 
@@ -8,7 +8,7 @@ type: TTP description: The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs to identify events where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset. data_source: [] search: '`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation=ModifyDBCluster | spath input=api.request.data | search masterUserPassword=* | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_rds_password_reset_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: Users may genuinely reset the RDS password. 
references: - https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds diff --git a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml index 44d2e00d59..e4d6aae6b3 100644 --- a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml +++ b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml 
@@ -9,7 +9,7 @@ description: The following analytic detects `PutBucketLifecycle` events in AWS C data_source: - AWS CloudTrail PutBucketLifecycle search: '`amazon_security_lake` api.operation=PutBucketLifecycle | spath input=api.request.data path=LifecycleConfiguration.Rule.NoncurrentVersionExpiration.NoncurrentDays output=NoncurrentDays | where NoncurrentDays < 3 | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region NoncurrentDays bucketName | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_putbucketlifecycle_filter`' -how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies. +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. references: - https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ 
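Review bot: the known_false_positives context line directly below the updated how_to_implement still advises filtering "using userAgent, user_arn field names", but this ASL search renames the fields to `user_agent` and `user` and never produces a `user_arn`, so the tuning hint points at fields that do not exist in the results; update it to the names emitted by the rename clause while this block is being edited.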
diff --git a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml index 6d8c933aca..93192321b7 100644 --- a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml +++ b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml @@ -21,7 +21,7 @@ search: '`amazon_security_lake` api.operation=PutKeyPolicy OR api.operation=Crea | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`' -how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: unknown references: - https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ diff --git a/detections/cloud/asl_aws_disable_bucket_versioning.yml b/detections/cloud/asl_aws_disable_bucket_versioning.yml new file mode 100644 index 0000000000..c72b258841 --- /dev/null +++ b/detections/cloud/asl_aws_disable_bucket_versioning.yml 
@@ -0,0 +1,71 @@ +name: ASL AWS Disable Bucket Versioning +id: f32598bb-fa5f-4afd-8ab3-0263cc28efbc +version: 1 +date: '2024-12-16' +author: Patrick Bareiss, Splunk +status: production +type: Anomaly +data_source: [] +description: The following analytic detects when AWS S3 bucket versioning is suspended by a user. It leverages AWS CloudTrail logs to identify `PutBucketVersioning` events with the `VersioningConfiguration.Status` set to `Suspended`. This activity is significant because disabling versioning can prevent recovery of deleted or modified data, which is a common tactic in ransomware attacks. If confirmed malicious, this action could lead to data loss and hinder recovery efforts, severely impacting data integrity and availability. +search: '`amazon_security_lake` api.operation=PutBucketVersioning + | spath input=api.request.data path=VersioningConfiguration.Status output=Status + | spath input=api.request.data path=bucketName output=bucketName + | search Status=Suspended + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data bucketName + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `asl_aws_disable_bucket_versioning_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. 
+known_false_positives: It is possible that an AWS Administrator has legitimately disabled versioning on certain buckets to avoid costs. +references: +- https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82 +- https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Suspicious AWS S3 Activities + - Data Exfiltration + asset_type: AWS Account + confidence: 80 + impact: 80 + message: Bucket Versioning is suspended for S3 buckets- $bucketName$ by user $user$ from IP address $src_ip$ + mitre_attack_id: + - T1490 + observable: + - name: user + type: User + role: + - Attacker + - name: src_ip + type: IP Address + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - actor.user.account.uid + - api.request.data + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region + risk_score: 64 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/aws_bucket_version/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl From 8d8dc2e529ce83ffcefd951c394a400da5387b35 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Tue, 17 Dec 2024 10:22:59 +0100 Subject: [PATCH 18/27] bug fix --- detections/cloud/asl_aws_disable_bucket_versioning.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/asl_aws_disable_bucket_versioning.yml b/detections/cloud/asl_aws_disable_bucket_versioning.yml index c72b258841..37abd078c7 100644 --- a/detections/cloud/asl_aws_disable_bucket_versioning.yml +++ b/detections/cloud/asl_aws_disable_bucket_versioning.yml @@ -43,7 +43,7 @@ tags: - name: user type: User role: - - Attacker + - Victim - name: src_ip type: IP Address role: From a905a05fae1c94588323b49d05b0edfd3006e7da Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Tue, 17 Dec 2024 15:22:03 +0100 Subject: [PATCH 19/27] new detection --- ...asl_aws_ec2_snapshot_shared_externally.yml | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml diff --git a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml new file mode 100644 index 0000000000..496f1f1a9d --- /dev/null +++ b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml 
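Review bot: In the new asl_aws_disable_bucket_versioning.yml, `required_fields` lists `src_endpoint.domain`, which the search never reads, while the field the risk message actually depends on (`bucketName`, extracted with `spath`) is only derived from `api.request.data`; trim the list to the raw fields the SPL filters or groups on. The `user` observable is tagged `Attacker` even though the description frames this as a compromised identity suspending versioning ahead of ransomware; the later "bug fix" commit in this series switches it to `Victim`, which matches how asl_aws_ec2_snapshot_shared_externally.yml tags its `user`, so it would be cleaner to land it that way here.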
@@ -0,0 +1,71 @@ +name: ASL AWS EC2 Snapshot Shared Externally +id: 00af8f7f-e004-446b-9bba-2732f717ae27 +version: 1 +date: '2024-12-17' +author: Patrick Bareiss, Splunk +status: production +type: TTP +description: The following analytic detects when an EC2 snapshot is shared publicly by analyzing AWS CloudTrail events. This detection method leverages CloudTrail logs to identify modifications in snapshot permissions, specifically when the snapshot is shared outside the originating AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. If confirmed malicious, an attacker could gain unauthorized access to the snapshot's data, potentially leading to data breaches or further exploitation of the compromised information. +data_source: [] +search: '`amazon_security_lake` api.operation=ModifySnapshotAttribute + | spath input=api.request.data path=createVolumePermission.add.items{}.group output=group + | search group=all + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data bucketName + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ec2_snapshot_shared_externally_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. 
+known_false_positives: It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose. +references: +- https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/ +- https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/ +- https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Suspicious Cloud Instance Activities + - Data Exfiltration + asset_type: EC2 Snapshot + confidence: 80 + impact: 60 + message: AWS EC2 snapshot from user $user$ is shared publicly by user $user$ + mitre_attack_id: + - T1537 + observable: + - name: user + type: User + role: + - Victim + - name: src_ip + type: IP Address + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - actor.user.account.uid + - api.request.data + - http_request.user_agent + - src_endpoint.ip + - src_endpoint.domain + - cloud.region + risk_score: 48 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl From 186061fa9411738e2689a249ed03214bee734c68 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Wed, 8 Jan 2025 13:53:03 +0100 Subject: [PATCH 20/27] new detection --- ...concurrent_sessions_from_different_ips.yml | 2 +- .../cloud/asl_aws_create_access_key.yml | 2 +- ..._policy_version_to_allow_all_resources.yml | 2 +- ..._aws_credential_access_getpassworddata.yml | 2 +- ...s_credential_access_rds_password_reset.yml | 2 +- ..._aws_defense_evasion_delete_cloudtrail.yml | 2 +- ...se_evasion_delete_cloudwatch_log_group.yml | 2 +- ...fense_evasion_impair_security_services.yml | 2 +- ...aws_defense_evasion_putbucketlifecycle.yml | 2 +- ...efense_evasion_stop_logging_cloudtrail.yml | 2 +- ..._aws_defense_evasion_update_cloudtrail.yml | 2 +- ...g_keys_with_encrypt_policy_without_mfa.yml | 2 +- .../asl_aws_disable_bucket_versioning.yml | 2 +- ...asl_aws_ec2_snapshot_shared_externally.yml | 2 +- ...ontainer_upload_outside_business_hours.yml | 2 +- ..._aws_ecr_container_upload_unknown_user.yml | 2 +- ..._aws_iam_accessdenied_discovery_events.yml | 64 +++++++++++++++++++ .../cloud/asl_aws_iam_delete_policy.yml | 2 +- .../asl_aws_iam_failure_group_deletion.yml | 2 +- .../asl_aws_iam_successful_group_deletion.yml | 2 +- ...s_multi_factor_authentication_disabled.yml | 2 +- ...aws_new_mfa_method_registered_for_user.yml | 2 +- macros/amazon_security_lake.yml | 2 +- 23 files changed, 86 insertions(+), 22 deletions(-) create mode 100644 detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml index 2a8af89868..3eca6b3a38 100644 --- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml 
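Review bot: The `stats ... by ... api.request.data bucketName` clause in asl_aws_ec2_snapshot_shared_externally.yml carries `bucketName` over from the S3 versioning detection, but nothing in this search extracts that field for ModifySnapshotAttribute events, and a bare `fillnull` does not create a field that no event carries; `stats` silently drops events missing a by-field, so as written the search returns no rows even on the referenced test dataset. Drop `bucketName` from the by-clause (the "bug fix" commit later in this series does exactly that). The risk message `AWS EC2 snapshot from user $user$ is shared publicly by user $user$` repeats the same token twice; extracting `snapshotId` from `api.request.data` with `spath`, the way the S3 detection extracts `bucketName`, would let the message name the snapshot that was made public. As in the S3 detection, `required_fields` lists `src_endpoint.domain`, which the search does not use.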
+++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml @@ -60,5 +60,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_create_access_key.yml b/detections/cloud/asl_aws_create_access_key.yml index b2894b069d..bb4d17d82a 100644 --- a/detections/cloud/asl_aws_create_access_key.yml +++ b/detections/cloud/asl_aws_create_access_key.yml @@ -50,5 +50,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml index 2dfae61ba3..050dd10a56 100644 --- a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml +++ b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml @@ -56,5 +56,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_credential_access_getpassworddata.yml b/detections/cloud/asl_aws_credential_access_getpassworddata.yml index 89ca5d7627..569eaea9ad 100644 --- a/detections/cloud/asl_aws_credential_access_getpassworddata.yml +++ b/detections/cloud/asl_aws_credential_access_getpassworddata.yml 
@@ -61,5 +61,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/aws_getpassworddata/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml index 3d65e2111d..b518e56f26 100644 --- a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml +++ b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml @@ -60,5 +60,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.002/aws_rds_password_reset/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml index c981938f68..0a87df4e6e 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml @@ -58,5 +58,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml index aca37b5228..25201acc1e 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml 
@@ -59,4 +59,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/asl_ocsf_cloudtrail.json source: aws_asl - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl diff --git a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml index cc130e457c..2f80706191 100644 --- a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml +++ b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml @@ -51,5 +51,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml index e4d6aae6b3..94e37b0bb7 100644 --- a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml +++ b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml @@ -53,5 +53,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/put_bucketlifecycle/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml index 4cbfd6c506..2df98440c3 100644 --- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml 
@@ -58,5 +58,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/asl_ocsf_cloudtrail_2.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml index fb35064615..100bc8dc57 100644 --- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml @@ -58,5 +58,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/update_cloudtrail/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml index 93192321b7..78674a8daf 100644 --- a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml +++ b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml @@ -69,5 +69,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_disable_bucket_versioning.yml b/detections/cloud/asl_aws_disable_bucket_versioning.yml index 37abd078c7..f6951e9f0e 100644 --- a/detections/cloud/asl_aws_disable_bucket_versioning.yml +++ b/detections/cloud/asl_aws_disable_bucket_versioning.yml 
@@ -67,5 +67,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/aws_bucket_version/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml index 496f1f1a9d..b32f6c7a1f 100644 --- a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml +++ b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml @@ -67,5 +67,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml index a1ee0f413d..2c67cbe2d0 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml @@ -55,5 +55,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml index e0311b7240..78918063de 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml 
@@ -58,5 +58,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml new file mode 100644 index 0000000000..7314d078ca --- /dev/null +++ b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml 
@@ -0,0 +1,64 @@ +name: ASL AWS IAM AccessDenied Discovery Events +id: a4f39755-b1e2-40bb-b2dc-4449c45b0bf2 +version: 1 +date: '2025-01-08' +author: Patrick Bareiss, Splunk +status: production +type: Anomaly +description: The following analytic identifies excessive AccessDenied events within an hour timeframe for IAM users in AWS. It leverages AWS CloudTrail logs to detect multiple failed access attempts from the same source IP and user identity. This activity is significant as it may indicate that an access key has been compromised and is being misused for unauthorized discovery actions. If confirmed malicious, this could allow attackers to gather information about the AWS environment, potentially leading to further exploitation or privilege escalation. +data_source: [] +search: '`amazon_security_lake` api.response.error=AccessDenied OR api.response.error=OperationNotPermittedException OR api.response.error=*Unauthorized* actor.user.type=IAMUser + | bucket _time span=1h + | stats count as failures min(_time) as firstTime max(_time) as lastTime, dc(api.operation) as dc_operation, dc(api.service.name) as dc_service values(api.operation) as api.operation values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region by actor.user.uid _time + | where failures >= 5 AND dc_operation >= 1 AND dc_service >= 1 + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `asl_aws_iam_accessdenied_discovery_events_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. 
To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: It is possible to start this detection will need to be tuned by source IP or user. In addition, change the count values to an upper threshold to restrict false positives. +references: +- https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Suspicious Cloud User Activities + asset_type: AWS Account + confidence: 50 + impact: 20 + message: User $user$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied. 
+ mitre_attack_id: + - T1580 + observable: + - name: src_ip + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - src_endpoint.ip + - cloud.region + risk_score: 10 + security_domain: access +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl diff --git a/detections/cloud/asl_aws_iam_delete_policy.yml b/detections/cloud/asl_aws_iam_delete_policy.yml index 9d41172ef3..d550402c0e 100644 --- a/detections/cloud/asl_aws_iam_delete_policy.yml +++ b/detections/cloud/asl_aws_iam_delete_policy.yml @@ -49,5 +49,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml index 428d72f0a8..abc398f973 100644 --- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml @@ -58,5 +58,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml index a5aced86f6..4a87912479 100644 --- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml 
+++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml @@ -51,5 +51,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml index 984f0a347f..0ef7c03dab 100644 --- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml +++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml @@ -62,5 +62,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml index 916a769b3e..570e905073 100644 --- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml @@ -52,5 +52,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake + sourcetype: aws:asl source: aws_asl diff --git a/macros/amazon_security_lake.yml b/macros/amazon_security_lake.yml index 9b27aad2aa..e696749be0 100644 --- a/macros/amazon_security_lake.yml +++ b/macros/amazon_security_lake.yml 
@@ -1,4 +1,4 @@ -definition: sourcetype=aws:cloudtrail:lake +definition: sourcetype=aws:asl description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment. name: amazon_security_lake From 197881f7facddee1238892baa24d3b9eb031eb4a Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Wed, 8 Jan 2025 14:32:56 +0100 Subject: [PATCH 21/27] bug fix --- detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml index b32f6c7a1f..406018645b 100644 --- a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml +++ b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml 
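Review bot: In the new asl_aws_iam_accessdenied_discovery_events.yml, the line `| where failures >= 5 AND dc_operation >= 1 AND dc_service >= 1` carries two conditions that are effectively no-ops: every row `stats` emits has at least one distinct `api.operation` and `api.service.name` unless the field is entirely absent for that user-hour, so they add no selectivity. Either raise them (for example `dc_operation >= 2`) so the rule actually keys on breadth of denied discovery calls, as the description implies, or drop them and rely on `failures` alone. `required_fields` should also list `api.response.error`, `actor.user.type` and `api.service.name`, which the search filters and counts on, and the `known_false_positives` sentence "It is possible to start this detection will need to be tuned by source IP or user" needs rewording.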
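Review bot: Changing the `amazon_security_lake` macro from `sourcetype=aws:cloudtrail:lake` to `sourcetype=aws:asl` is a breaking change for any deployment whose ingest still tags Security Lake events as `aws:cloudtrail:lake`; the test `sourcetype` values across the ASL detections are updated consistently in this commit, but neither the macro `description` nor the detections' `how_to_implement` text states which sourcetype is expected, so the new value should be documented there or in the release notes. The commit subject "new detection" also does not mention the rename that touches every ASL detection file; splitting the sourcetype change into its own commit, or at least describing it in the message, would make the history easier to bisect.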
@@ -11,7 +11,7 @@ search: '`amazon_security_lake` api.operation=ModifySnapshotAttribute | spath input=api.request.data path=createVolumePermission.add.items{}.group output=group | search group=all | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data bucketName + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ec2_snapshot_shared_externally_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. From dc3fdda537140de25a39850ab3f801fe4b58947a Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Wed, 8 Jan 2025 17:05:24 +0100 Subject: [PATCH 22/27] new detection --- ...aws_iam_assume_role_policy_brute_force.yml | 67 +++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml diff --git a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml new file mode 100644 index 0000000000..ffa5c72121 --- /dev/null +++ b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml 
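Review bot: Correct fix, since `stats` drops events that lack a by-field and no `spath` in this search produces `bucketName` for ModifySnapshotAttribute events, so the detection could not fire before this change. With `bucketName` gone, `api.request.data` is the only per-request discriminator left in the by-clause; consider extracting `snapshotId` from it with `spath` (as the S3 versioning detection does for `bucketName`) so the risk message can name the affected snapshot instead of repeating `$user$`.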
@@ -0,0 +1,67 @@ +name: ASL AWS IAM Assume Role Policy Brute Force +id: 726959fe-316d-445c-a584-fa187d64e295 +version: 1 +date: '2025-01-08' +author: Patrick Bareiss, Splunk +status: production +type: TTP +description: The following analytic detects multiple failed attempts to assume an AWS IAM role, indicating a potential brute force attack. It leverages AWS CloudTrail logs to identify `MalformedPolicyDocumentException` errors with a status of `failure` and filters out legitimate AWS services. This activity is significant as repeated failures to assume roles can indicate an adversary attempting to guess role names, which is a precursor to unauthorized access. If confirmed malicious, this could lead to unauthorized access to AWS resources, potentially compromising sensitive data and services. +data_source: [] +search: '`amazon_security_lake` api.operation="AssumeRole" "api.response.error"=AccessDenied + | bucket _time span=1h + | stats count as failures min(_time) as firstTime max(_time) as lastTime values(api.operation) as api.operation values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region by actor.user.uid _time + | where failures >= 3 + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_assume_role_policy_brute_force_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. 
Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. +references: +- https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities/ +- https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/ +- https://www.elastic.co/guide/en/security/current/aws-iam-brute-force-of-assume-role-policy.html +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - AWS IAM Privilege Escalation + asset_type: AWS Account + confidence: 70 + impact: 40 + message: User $user$ has caused multiple failures with errorCode AccessDenied, which potentially means adversary is attempting to identify a role name. 
+ mitre_attack_id: + - T1580 + - T1110 + observable: + - name: src_ip + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - api.operation + - actor.user.uid + - src_endpoint.ip + - cloud.region + risk_score: 28 + security_domain: access +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl From 4b37788f5a43ad009b6461668aa3367f286732f1 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Thu, 9 Jan 2025 14:42:38 +0100 Subject: [PATCH 23/27] new detections --- ...ntrol_list_created_with_all_open_ports.yml | 71 +++++++++++++++++++ ...ws_network_access_control_list_deleted.yml | 68 ++++++++++++++++++ .../asl_aws_saml_update_identity_provider.yml | 67 +++++++++++++++++ .../cloud/asl_aws_updateloginprofile.yml | 66 +++++++++++++++++ 4 files changed, 272 insertions(+) create mode 100644 detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml create mode 100644 detections/cloud/asl_aws_network_access_control_list_deleted.yml create mode 100644 detections/cloud/asl_aws_saml_update_identity_provider.yml create mode 100644 detections/cloud/asl_aws_updateloginprofile.yml diff --git a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml new file mode 100644 index 0000000000..941e59dfdc --- /dev/null +++ b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml 
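Review bot: The `description` in asl_aws_iam_assume_role_policy_brute_force.yml does not match the search: it says the rule identifies `MalformedPolicyDocumentException` errors with a status of `failure` and filters out legitimate AWS services, but the SPL matches `api.operation="AssumeRole" "api.response.error"=AccessDenied` with no service filter, and the risk message correctly refers to `AccessDenied`. Rewrite the description to describe the AccessDenied counting the search actually performs, or change the search to match the description. Minor: `"api.response.error"` is quoted here while the other ASL detections write the field bare; `required_fields` omits `api.response.error`, which the search filters on; and `capabilties` in `known_false_positives` is a typo.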
@@ -0,0 +1,71 @@ +name: ASL AWS Network Access Control List Created with All Open Ports +id: a2625034-c2de-44fc-b45c-7bac9c4a7974 +version: 1 +date: '2025-01-09' +author: Patrick Bareiss, Splunk +status: production +type: TTP +description: The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment. +data_source: [] +search: '`amazon_security_lake` api.operation=CreateNetworkAclEntry OR api.operation=ReplaceNetworkAclEntry status=Success + | spath input=api.request.data path=ruleAction output=ruleAction + | spath input=api.request.data path=egress output=egress + | spath input=api.request.data path=aclProtocol output=aclProtocol + | spath input=api.request.data path=cidrBlock output=cidrBlock + | spath input=api.request.data path=networkAclId output=networkAclId + | search ruleAction=allow AND egress=false AND aclProtocol=-1 AND cidrBlock=0.0.0.0/0 + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region networkAclId + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_network_access_control_list_created_with_all_open_ports_filter`' +how_to_implement: 
The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment. +references: [] +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - AWS Network ACL Activity + asset_type: AWS Instance + confidence: 80 + impact: 60 + message: User $user$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$ + mitre_attack_id: + - T1562.007 + - T1562 + observable: + - name: src + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - 
api.operation + - api.request.data + - actor.user.uid + - actor.user.account.uid + - http_request.user_agent + - src_endpoint.ip + - cloud.region + risk_score: 48 + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_create_acl/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl diff --git a/detections/cloud/asl_aws_network_access_control_list_deleted.yml b/detections/cloud/asl_aws_network_access_control_list_deleted.yml new file mode 100644 index 0000000000..395a53b6cd --- /dev/null +++ b/detections/cloud/asl_aws_network_access_control_list_deleted.yml 
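Review bot: in `asl_aws_network_access_control_list_created_with_all_open_ports.yml` the `rename` clause refers to `actor.user.account_uid as aws_account_id`, but the `stats ... by` clause groups on `actor.user.account.uid` (dot, not underscore), so `aws_account_id` is never populated; it should read `actor.user.account.uid as aws_account_id`. The risk message interpolates `$requestParameters.cidrBlock$`, a raw CloudTrail field that does not exist in this OCSF search, and `cidrBlock` is extracted by `spath` but dropped at the `stats` step; add `cidrBlock` to the `by` clause and reference `$cidrBlock$` in the message. The observable is named `src` while the search emits `src_ip` (corrected in PATCH 25 of this series). The description promises "all ports open to a specified CIDR" but the filter matches only `cidrBlock=0.0.0.0/0`, so an IPv6 any-address entry (`ipv6CidrBlock=::/0`) is not caught; either narrow the description or add that condition.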
@@ -0,0 +1,68 @@ +name: ASL AWS Network Access Control List Deleted +id: e010ddf5-e9a5-44e5-bdd6-0c919ba8fc8b +version: 1 +date: '2025-01-09' +author: Patrick Bareiss, Splunk +status: production +type: Anomaly +description: The following analytic detects the deletion of AWS Network Access Control Lists (ACLs). It leverages AWS CloudTrail logs to identify events where a user deletes a network ACL entry. This activity is significant because deleting a network ACL can remove critical access restrictions, potentially allowing unauthorized access to cloud instances. If confirmed malicious, this action could enable attackers to bypass network security controls, leading to unauthorized access, data exfiltration, or further compromise of the cloud environment. +data_source: [] +search: '`amazon_security_lake` api.operation=DeleteNetworkAclEntry status=Success + | spath input=api.request.data path=egress output=egress + | spath input=api.request.data path=networkAclId output=networkAclId + | search egress=false + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region networkAclId + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_network_access_control_list_deleted_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. 
+known_false_positives: It's possible that a user has legitimately deleted a network ACL. +references: [] +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user_arn = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - AWS Network ACL Activity + asset_type: AWS Instance + confidence: 50 + impact: 10 + message: User $user$ from $src_ip$ has sucessfully deleted network ACLs entry. + mitre_attack_id: + - T1562.007 + - T1562 + observable: + - name: src_ip + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - api.request.data + - actor.user.uid + - actor.user.account.uid + - http_request.user_agent + - src_endpoint.ip + - cloud.region + risk_score: 5 + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_delete_acl/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl 
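Review bot: the first drilldown in `asl_aws_network_access_control_list_deleted.yml` searches `user_arn = "$user$"`, but this search renames `actor.user.uid as user` and never produces `user_arn`, so the drilldown returns nothing; change it to `search user = "$user$"` as the other detections in this commit do. The same `actor.user.account_uid` vs `actor.user.account.uid` mismatch as in the open-ports detection leaves `aws_account_id` empty here as well. Minor: "sucessfully" in the risk message.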
diff --git a/detections/cloud/asl_aws_saml_update_identity_provider.yml b/detections/cloud/asl_aws_saml_update_identity_provider.yml new file mode 100644 index 0000000000..eadbabe290 --- /dev/null +++ b/detections/cloud/asl_aws_saml_update_identity_provider.yml 
@@ -0,0 +1,67 @@ +name: ASL AWS SAML Update identity provider +id: 635c26cc-0fd1-4098-8ec9-824bf9544b11 +version: 1 +date: '2025-01-09' +author: Patrick Bareiss, Splunk +status: production +type: TTP +description: The following analytic detects updates to the SAML provider in AWS. It leverages AWS CloudTrail logs to identify the `UpdateSAMLProvider` event, analyzing fields such as `sAMLProviderArn`, `sourceIPAddress`, and `userIdentity` details. Monitoring updates to the SAML provider is crucial as it may indicate a perimeter compromise of federated credentials or unauthorized backdoor access set by an attacker. If confirmed malicious, this activity could allow attackers to manipulate identity federation, potentially leading to unauthorized access to cloud resources and sensitive data. +data_source: [] +search: '`amazon_security_lake` api.operation=UpdateSAMLProvider + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_saml_update_identity_provider_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: Updating a SAML provider or creating a new one may not necessarily be malicious however it needs to be closely monitored. 
+references: +- https://www.cisa.gov/uscert/ncas/alerts/aa21-008a +- https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html +- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf +- https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Cloud Federated Credential Abuse + asset_type: AWS Federated Account + confidence: 80 + impact: 80 + message: User $user$ from IP address $src_ip$ updated the SAML provider + mitre_attack_id: + - T1078 + observable: + - name: src_ip + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - actor.user.account.uid + - http_request.user_agent + - src_endpoint.ip + - cloud.region + risk_score: 64 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/update_saml_provider/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl diff --git a/detections/cloud/asl_aws_updateloginprofile.yml b/detections/cloud/asl_aws_updateloginprofile.yml new file mode 100644 index 0000000000..612216241f --- /dev/null +++ b/detections/cloud/asl_aws_updateloginprofile.yml 
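Review bot: the description of `asl_aws_saml_update_identity_provider.yml` says the analytic analyzes `sAMLProviderArn`, `sourceIPAddress` and `userIdentity`, but the search only groups by the OCSF actor, user agent, source IP and region fields and never extracts which SAML provider was modified. Extracting the provider ARN from `api.request.data` with `spath` (as the ACL detections in this commit do) and adding it to the `by` clause and the risk message would show the analyst which federation trust changed without opening the raw event. The description should also name the OCSF fields rather than the raw CloudTrail ones, since `sourceIPAddress` and `userIdentity` do not exist in this data source.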
@@ -0,0 +1,66 @@ +name: ASL AWS UpdateLoginProfile +id: 5b3f63a3-865b-4637-9941-f98bd1a50c0d +version: 1 +date: '2025-01-09' +author: Patrick Bareiss, Splunk +status: production +type: TTP +description: The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment. +data_source: [] +search: '`amazon_security_lake` api.operation=UpdateLoginProfile + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_updateloginprofile_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. 
+references: +- https://bishopfox.com/blog/privilege-escalation-in-aws +- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - AWS IAM Privilege Escalation + asset_type: AWS Account + confidence: 60 + impact: 50 + message: From IP address $src$, user agent $userAgent$ has trigged an event $eventName$ for updating the existing login profile, potentially giving user $user_arn$ more access privilleges + mitre_attack_id: + - T1136.003 + - T1136 + observable: + - name: src_ip + type: IP Address + role: + - Attacker + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - api.operation + - actor.user.uid + - actor.user.account.uid + - http_request.user_agent + - src_endpoint.ip + - cloud.region + risk_score: 30 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_updateloginprofile/asl_ocsf_cloudtrail.json + sourcetype: aws:asl + source: aws_asl 
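Review bot: the description of `asl_aws_updateloginprofile.yml` states that the analytic identifies cases where "the user making the change is different from the user whose profile is being updated", but the search contains no such comparison; it alerts on every `UpdateLoginProfile` call, including a user changing their own console password. Extract the target user from `api.request.data` (the `userName` request parameter) with `spath`, add it to the `by` clause and filter on it differing from the actor, or rewrite the description to match what the search does. `known_false_positives` is copied from the create-access-key detection ("legitimately created keys for another user") and should describe a login profile update. The risk message references `$src$`, `$userAgent$`, `$eventName$` and `$user_arn$`, none of which this search emits (PATCH 24 in this series replaces it). The test dataset lives under `T1078` while `mitre_attack_id` lists `T1136.003`/`T1136`; one of the two should be aligned.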
From 8b30dc3e15a198abffbe651c3ebb17a321984fe7 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Thu, 9 Jan 2025 14:47:11 +0100 Subject: [PATCH 24/27] change --- detections/cloud/asl_aws_updateloginprofile.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/asl_aws_updateloginprofile.yml b/detections/cloud/asl_aws_updateloginprofile.yml index 612216241f..c2533bff34 100644 --- a/detections/cloud/asl_aws_updateloginprofile.yml +++ b/detections/cloud/asl_aws_updateloginprofile.yml @@ -32,7 +32,7 @@ tags: asset_type: AWS Account confidence: 60 impact: 50 - message: From IP address $src$, user agent $userAgent$ has trigged an event $eventName$ for updating the existing login profile, potentially giving user $user_arn$ more access privilleges + message: User $user$ from IP address $src_ip$ updated the login profile of another user mitre_attack_id: - T1136.003 - T1136 From 848fb1871707f2f389aba03140a6f76b8b34ab66 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Thu, 9 Jan 2025 18:19:18 +0100 Subject: [PATCH 25/27] improvements --- ..._network_access_control_list_created_with_all_open_ports.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml index 941e59dfdc..ba00d8c2cf 100644 --- a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml +++ b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml @@ -41,7 +41,7 @@ tags: - T1562.007 - T1562 observable: - - name: src + - name: src_ip type: IP Address role: - Attacker From a3be9d47b95c8cb4ad55c6554371359fd2613d7e Mon Sep 17 00:00:00 2001 
From: research-bot Date: Fri, 10 Jan 2025 11:46:35 -0800 Subject: [PATCH 26/27] minor udpates to yaml --- detections/cloud/asl_aws_create_access_key.yml | 2 +- .../cloud/asl_aws_credential_access_getpassworddata.yml | 4 ++-- .../cloud/asl_aws_credential_access_rds_password_reset.yml | 2 +- ...ct_users_creating_keys_with_encrypt_policy_without_mfa.yml | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/detections/cloud/asl_aws_create_access_key.yml b/detections/cloud/asl_aws_create_access_key.yml index bb4d17d82a..b5261610e0 100644 --- a/detections/cloud/asl_aws_create_access_key.yml +++ b/detections/cloud/asl_aws_create_access_key.yml @@ -31,7 +31,7 @@ tags: - name: user type: User role: - - Attacker + - Victim product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/cloud/asl_aws_credential_access_getpassworddata.yml b/detections/cloud/asl_aws_credential_access_getpassworddata.yml index 569eaea9ad..af57d45db0 100644 --- a/detections/cloud/asl_aws_credential_access_getpassworddata.yml +++ b/detections/cloud/asl_aws_credential_access_getpassworddata.yml 
@@ -5,7 +5,7 @@ date: '2024-12-12' author: Patrick Bareiss, Splunk status: production type: Anomaly -description: The following analytic identifies more than 10 GetPasswordData API calls within a 5-minute window in your AWS account. It leverages AWS CloudTrail logs to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment. +description: The following analytic identifiesGetPasswordData API calls in your AWS account. It leverages CloudTrail logs from Amazon Security Lake to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment. 
data_source: [] search: '`amazon_security_lake` api.operation=GetPasswordData | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region instanceId | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_getpassworddata_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. @@ -28,7 +28,7 @@ tags: asset_type: AWS Account confidence: 70 impact: 70 - message: User $user$ is seen to make mulitple `GetPasswordData` API calls + message: User $user$ is seen to make `GetPasswordData` API calls mitre_attack_id: - T1586 - T1586.003 diff --git a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml index b518e56f26..5cda385d7a 100644 --- a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml +++ b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml 
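Review bot: the new description line in `asl_aws_credential_access_getpassworddata.yml` is missing a space ("identifiesGetPasswordData") and still claims the analytic works "by counting the distinct instance IDs accessed", yet the search below does a plain `stats count ... by ... instanceId` with no distinct count or threshold; after dropping the "more than 10 within 5 minutes" condition this now fires on every single `GetPasswordData` call. Either say so in the description (and reconsider `confidence: 70` for an unthresholded Anomaly) or keep a `dc(instanceId)` with a threshold. Since `spath input=api.request.data` is used without `path`, `instanceId` depends on the automatic extraction of the whole request body; an explicit `path=instanceId output=instanceId` is more explicit and matches the style of the other new detections.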
@@ -5,7 +5,7 @@ date: '2024-12-12' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs to identify events where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset. +description: The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs from Amazon Security Lake to identify events where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset. 
data_source: [] search: '`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation=ModifyDBCluster | spath input=api.request.data | search masterUserPassword=* | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_rds_password_reset_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. diff --git a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml index 78674a8daf..42beaf83ae 100644 --- a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml +++ b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml 
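Review bot: in `asl_aws_credential_access_rds_password_reset.yml` the description mentions only the `ModifyDBInstance` call, but the search matches `api.operation=ModifyDBInstance OR api.operation=ModifyDBCluster`; the description should cover both. The `stats ... by ... api.request.data` groups on the whole request JSON, so one user resetting several databases produces one row per distinct request body rather than one per database; extracting the DB identifier from `api.request.data` with `spath` and grouping on that would give a cleaner result and a more useful risk message.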
@@ -5,7 +5,7 @@ date: '2024-12-16' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities. +description: The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs from Amazon Security Lake to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities. data_source: [] search: '`amazon_security_lake` api.operation=PutKeyPolicy OR api.operation=CreateKey | spath input=api.request.data path=policy output=policy 
@@ -21,7 +21,7 @@ search: '`amazon_security_lake` api.operation=PutKeyPolicy OR api.operation=Crea | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +how_to_implement: The detection is based on Cloudtrail events from Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: unknown references: - https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ From 3d1fde609b65404631a3dd49bea6f695f08d143c Mon Sep 17 00:00:00 2001 
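Review bot: the new `how_to_implement` line in `asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml` reads "based on Cloudtrail events from Amazon Security Lake events from Amazon Web Services", which doubles "events" and spells the product "Cloudtrail" while the same sentence later uses "CloudTrail"; every other detection in this series keeps the original wording, so this one should match it. `known_false_positives: unknown` is also thinner than it needs to be: a key policy that lets all principals call `kms:Encrypt` but not decrypt can be a deliberate design for accepting data from other accounts, and that legitimate case is worth naming so analysts can triage it.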
From: Patrick Bareiss Date: Tue, 14 Jan 2025 16:47:25 +0100 Subject: [PATCH 27/27] Add ASL AWS CloudTrail data source --- data_sources/asl_aws_cloudtrail.yml | 13 +++++++++++++ ...l_aws_concurrent_sessions_from_different_ips.yml | 3 ++- detections/cloud/asl_aws_create_access_key.yml | 3 ++- ...create_policy_version_to_allow_all_resources.yml | 3 ++- .../asl_aws_credential_access_getpassworddata.yml | 3 ++- ...asl_aws_credential_access_rds_password_reset.yml | 3 ++- .../asl_aws_defense_evasion_delete_cloudtrail.yml | 3 ++- ..._defense_evasion_delete_cloudwatch_log_group.yml | 3 ++- ...aws_defense_evasion_impair_security_services.yml | 3 ++- .../asl_aws_defense_evasion_putbucketlifecycle.yml | 2 +- ..._aws_defense_evasion_stop_logging_cloudtrail.yml | 3 ++- .../asl_aws_defense_evasion_update_cloudtrail.yml | 3 ++- ...reating_keys_with_encrypt_policy_without_mfa.yml | 3 ++- .../cloud/asl_aws_disable_bucket_versioning.yml | 3 ++- .../asl_aws_ec2_snapshot_shared_externally.yml | 3 ++- ..._ecr_container_upload_outside_business_hours.yml | 3 ++- .../asl_aws_ecr_container_upload_unknown_user.yml | 3 ++- .../asl_aws_iam_accessdenied_discovery_events.yml | 3 ++- .../asl_aws_iam_assume_role_policy_brute_force.yml | 3 ++- detections/cloud/asl_aws_iam_delete_policy.yml | 3 ++- .../cloud/asl_aws_iam_failure_group_deletion.yml | 3 ++- .../cloud/asl_aws_iam_successful_group_deletion.yml | 3 ++- ...asl_aws_multi_factor_authentication_disabled.yml | 3 ++- ...ess_control_list_created_with_all_open_ports.yml | 3 ++- .../asl_aws_network_access_control_list_deleted.yml | 3 ++- .../asl_aws_new_mfa_method_registered_for_user.yml | 3 ++- .../cloud/asl_aws_saml_update_identity_provider.yml | 3 ++- detections/cloud/asl_aws_updateloginprofile.yml | 3 ++- 28 files changed, 66 insertions(+), 27 deletions(-) create mode 100644 data_sources/asl_aws_cloudtrail.yml 
diff --git a/data_sources/asl_aws_cloudtrail.yml b/data_sources/asl_aws_cloudtrail.yml new file mode 100644 index 0000000000..743e34d3eb --- /dev/null +++ b/data_sources/asl_aws_cloudtrail.yml @@ -0,0 +1,13 @@ +name: ASL AWS CloudTrail +id: 1dcf9cfb-0e91-44c6-81b3-61b2574ec898 +version: 1 +date: '2025-01-14' +author: Patrick Bareiss, Splunk +description: Data source object for ASL AWS CloudTrail +source: aws_asl +sourcetype: aws:asl +separator: api.operation +supported_TA: +- name: Splunk Add-on for AWS + url: https://splunkbase.splunk.com/app/1876 + version: 7.9.0 diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml index 3eca6b3a38..2e1b0f688f 100644 --- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml 
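Review bot: `data_sources/asl_aws_cloudtrail.yml` lists only the Splunk Add-on for AWS (version 7.9.0) under `supported_TA`, while the `how_to_implement` text of every detection that now references this data source also names the Federated Analytics App as an ingestion path; either add it here or drop it from the detections so the two stay consistent. The `description` ("Data source object for ASL AWS CloudTrail") could state what the data actually is (CloudTrail events delivered in OCSF format by Amazon Security Lake, sourcetype `aws:asl`, split on `api.operation`), which is what a reader opening this file wants to know.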
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: Anomaly description: The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute span. This detection leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` API call, to identify multiple IP addresses associated with the same user session. This behavior is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this activity could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" | bin span=5m _time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count by _time actor.user.uid | where distinct_ip_count > 1 | rename actor.user.uid as user | `asl_aws_concurrent_sessions_from_different_ips_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. diff --git a/detections/cloud/asl_aws_create_access_key.yml b/detections/cloud/asl_aws_create_access_key.yml index b5261610e0..25df72cac5 100644 
--- a/detections/cloud/asl_aws_create_access_key.yml +++ b/detections/cloud/asl_aws_create_access_key.yml @@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: Hunting description: The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=CreateAccessKey | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_create_access_key_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. 
diff --git a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml index 050dd10a56..e26aea3882 100644 --- a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml +++ b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml 
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic identifies the creation of a new AWS IAM policy version that allows access to all resources. It detects this activity by analyzing AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that grants broad permissions. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=CreatePolicy | spath input=api.request.data | spath input=policyDocument | regex Statement{}.Action="\*" | regex Statement{}.Resource="\*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_create_policy_version_to_allow_all_resources_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. 
known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity. diff --git a/detections/cloud/asl_aws_credential_access_getpassworddata.yml b/detections/cloud/asl_aws_credential_access_getpassworddata.yml index af57d45db0..e748f22103 100644 --- a/detections/cloud/asl_aws_credential_access_getpassworddata.yml +++ b/detections/cloud/asl_aws_credential_access_getpassworddata.yml 
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: Anomaly description: The following analytic identifiesGetPasswordData API calls in your AWS account. It leverages CloudTrail logs from Amazon Security Lake to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=GetPasswordData | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region instanceId | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_getpassworddata_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time. 
diff --git a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml index 5cda385d7a..732863d4fb 100644 --- a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml +++ b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml 
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs from Amazon Security Lake to identify events where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation=ModifyDBCluster | spath input=api.request.data | search masterUserPassword=* | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_rds_password_reset_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: Users may genuinely reset the RDS password. 
diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml index 0a87df4e6e..1a7c2f1613 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml 
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects AWS `DeleteTrail` events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=DeleteTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity. 
diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml index 25201acc1e..c7200975b5 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml 
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects the deletion of CloudWatch log groups in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=DeleteLogGroup | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity. 
diff --git a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml index 2f80706191..ae41522216 100644 --- a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml +++ b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml 
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Bhavin Patel, Gowthamaraj Rajendran, Splunk status: production type: Hunting description: The following analytic detects the deletion of critical AWS Security Services configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages Amazon Security Lake logs to identify specific API calls like "DeleteLogStream" and "DeleteDetector." This activity is significant because adversaries often use these actions to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, leading to potential data breaches, unauthorized access, and prolonged persistence within the AWS environment. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. 
known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. diff --git a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml index 94e37b0bb7..3190e8f264 100644 --- a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml +++ b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml 
@@ -7,7 +7,7 @@ status: production type: Hunting description: The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail logs where a user sets a lifecycle rule for an S3 bucket with an expiration period of fewer than three days. This detection leverages CloudTrail logs to identify suspicious lifecycle configurations. This activity is significant because attackers may use it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic investigations. If confirmed malicious, this could allow attackers to cover their tracks, making it difficult to trace their actions and respond to the breach effectively. data_source: -- AWS CloudTrail PutBucketLifecycle +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=PutBucketLifecycle | spath input=api.request.data path=LifecycleConfiguration.Rule.NoncurrentVersionExpiration.NoncurrentDays output=NoncurrentDays | where NoncurrentDays < 3 | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region NoncurrentDays bucketName | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_putbucketlifecycle_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. 
known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml index 2df98440c3..42e436bcaf 100644 --- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml 
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. 
known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity. diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml index 100bc8dc57..83b5fd9408 100644 --- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml 
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. 
known_false_positives: While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity. diff --git a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml index 42beaf83ae..9098fe9358 100644 --- a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml +++ b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml @@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs from Amazon Security Lake to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=PutKeyPolicy OR api.operation=CreateKey | spath input=api.request.data path=policy output=policy | spath input=policy diff --git a/detections/cloud/asl_aws_disable_bucket_versioning.yml b/detections/cloud/asl_aws_disable_bucket_versioning.yml index f6951e9f0e..bc2f2f2887 100644 --- a/detections/cloud/asl_aws_disable_bucket_versioning.yml +++ b/detections/cloud/asl_aws_disable_bucket_versioning.yml 
@@ -5,7 +5,8 @@ date: '2024-12-16' author: Patrick Bareiss, Splunk status: production type: Anomaly -data_source: [] +data_source: +- ASL AWS CloudTrail description: The following analytic detects when AWS S3 bucket versioning is suspended by a user. It leverages AWS CloudTrail logs to identify `PutBucketVersioning` events with the `VersioningConfiguration.Status` set to `Suspended`. This activity is significant because disabling versioning can prevent recovery of deleted or modified data, which is a common tactic in ransomware attacks. If confirmed malicious, this action could lead to data loss and hinder recovery efforts, severely impacting data integrity and availability. search: '`amazon_security_lake` api.operation=PutBucketVersioning | spath input=api.request.data path=VersioningConfiguration.Status output=Status diff --git a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml index 406018645b..8fc0cf56fa 100644 --- a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml +++ b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml 
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects when an EC2 snapshot is shared publicly by analyzing AWS CloudTrail events. This detection method leverages CloudTrail logs to identify modifications in snapshot permissions, specifically when the snapshot is shared outside the originating AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. If confirmed malicious, an attacker could gain unauthorized access to the snapshot's data, potentially leading to data breaches or further exploitation of the compromised information. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=ModifySnapshotAttribute | spath input=api.request.data path=createVolumePermission.add.items{}.group output=group | search group=all diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml index 2c67cbe2d0..2894275771 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml 
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: Anomaly description: The following analytic detects the upload of new containers to AWS Elastic Container Service (ECR) outside of standard business hours through AWS CloudTrail events. It identifies this behavior by monitoring for `PutImage` events occurring before 8 AM or after 8 PM, as well as any uploads on weekends. This activity is significant for a SOC to investigate as it may indicate unauthorized access or malicious deployments, potentially leading to compromised services or data breaches. Identifying and addressing such uploads promptly can mitigate the risk of security incidents and their associated impacts. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=PutImage | eval hour=strftime(time/pow(10,3), "%H"), weekday=strftime(time/pow(10,3), "%A") | where hour >= 20 OR hour < 8 OR weekday=Saturday OR weekday=Sunday | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent cloud.region | rename actor.user.uid as user, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_outside_business_hours_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: When your development is spreaded in different time zones, applying this rule can be difficult. 
diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml index 78918063de..8ce8bd56dd 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml 
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: Anomaly description: The following analytic detects unauthorized container uploads to AWS Elastic Container Service (ECR) by monitoring AWS CloudTrail events. It identifies instances where a new container is uploaded by a user not previously recognized as authorized. This detection is crucial for a SOC as it can indicate a potential compromise or misuse of AWS ECR, which could lead to unauthorized access to sensitive data or the deployment of malicious containers. By identifying and investigating these events, organizations can mitigate the risk of data breaches or other security incidents resulting from unauthorized container uploads. The impact of such an attack could be significant, compromising the integrity and security of the organization's cloud environment. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl` | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_unknown_user_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: unknown 
diff --git a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml index 7314d078ca..59de0fd09c 100644 --- a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml +++ b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml @@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: Anomaly description: The following analytic identifies excessive AccessDenied events within an hour timeframe for IAM users in AWS. It leverages AWS CloudTrail logs to detect multiple failed access attempts from the same source IP and user identity. This activity is significant as it may indicate that an access key has been compromised and is being misused for unauthorized discovery actions. If confirmed malicious, this could allow attackers to gather information about the AWS environment, potentially leading to further exploitation or privilege escalation. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.response.error=AccessDenied OR api.response.error=OperationNotPermittedException OR api.response.error=*Unauthorized* actor.user.type=IAMUser | bucket _time span=1h | stats count as failures min(_time) as firstTime max(_time) as lastTime, dc(api.operation) as dc_operation, dc(api.service.name) as dc_service values(api.operation) as api.operation values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region by actor.user.uid _time diff --git a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml index ffa5c72121..b93bc70162 100644 --- a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml +++ b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml 
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects multiple failed attempts to assume an AWS IAM role, indicating a potential brute force attack. It leverages AWS CloudTrail logs to identify `MalformedPolicyDocumentException` errors with a status of `failure` and filters out legitimate AWS services. This activity is significant as repeated failures to assume roles can indicate an adversary attempting to guess role names, which is a precursor to unauthorized access. If confirmed malicious, this could lead to unauthorized access to AWS resources, potentially compromising sensitive data and services. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation="AssumeRole" "api.response.error"=AccessDenied | bucket _time span=1h | stats count as failures min(_time) as firstTime max(_time) as lastTime values(api.operation) as api.operation values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region by actor.user.uid _time diff --git a/detections/cloud/asl_aws_iam_delete_policy.yml b/detections/cloud/asl_aws_iam_delete_policy.yml index d550402c0e..42fdd2bb27 100644 --- a/detections/cloud/asl_aws_iam_delete_policy.yml +++ b/detections/cloud/asl_aws_iam_delete_policy.yml 
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: Hunting description: The following analytic identifies when a policy is deleted in AWS. It leverages Amazon Security Lake logs to detect the DeletePolicy API operation. Monitoring policy deletions is crucial as it can indicate unauthorized attempts to weaken security controls. If confirmed malicious, this activity could allow an attacker to remove critical security policies, potentially leading to privilege escalation or unauthorized access to sensitive resources. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=DeletePolicy | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only. 
diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml index abc398f973..9baebc2f81 100644 --- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml 
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: Anomaly description: The following analytic detects failed attempts to delete AWS IAM groups, triggered by access denial, conflicts, or non-existent groups. It operates by monitoring CloudTrail logs for specific error codes related to deletion failures. This behavior is significant for a SOC as it may indicate unauthorized attempts to modify access controls or disrupt operations by removing groups. Such actions could be part of a larger attack aiming to escalate privileges or impair security protocols. Identifying these attempts allows for timely investigation and mitigation, preventing potential impact on the organizations security posture. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=DeleteGroup status=Failure http_request.user_agent!=*.amazonaws.com | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_failure_group_deletion_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. 
Not every user with AWS access should have permission to delete groups (least privilege). diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml index 4a87912479..1479756ad8 100644 --- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml 
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: Hunting description: The following analytic detects the successful deletion of a group within AWS IAM, leveraging CloudTrail IAM events. This action, while not inherently malicious, can serve as a precursor to more sinister activities, such as unauthorized access or privilege escalation attempts. By monitoring for such deletions, the analytic aids in identifying potential preparatory steps towards an attack, allowing for early detection and mitigation. The identification of this behavior is crucial for a SOC to prevent the potential impact of an attack, which could include unauthorized access to sensitive resources or disruption of AWS environment operations. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=DeleteGroup status=Success | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_successful_group_deletion_filter`' how_to_implement: You must install the Data Lake Federated Analytics App and ingest the logs into Splunk. known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml index 0ef7c03dab..b8803bcf64 100644 --- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml 
+++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml @@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages Amazon Security Lake logs, specifically monitoring for `DeleteVirtualMFADevice` or `DeactivateMFADevice` API operations. This activity is significant as disabling MFA can indicate an adversary attempting to weaken account security to maintain persistence using a compromised account. If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, potentially leading to unauthorized access to sensitive resources and prolonged compromise. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company 
diff --git a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml index ba00d8c2cf..5b1bdcfe81 100644 --- a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml +++ b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml @@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=CreateNetworkAclEntry OR api.operation=ReplaceNetworkAclEntry status=Success | spath input=api.request.data path=ruleAction output=ruleAction | spath input=api.request.data path=egress output=egress diff --git a/detections/cloud/asl_aws_network_access_control_list_deleted.yml b/detections/cloud/asl_aws_network_access_control_list_deleted.yml index 395a53b6cd..0995a94097 100644 --- a/detections/cloud/asl_aws_network_access_control_list_deleted.yml +++ b/detections/cloud/asl_aws_network_access_control_list_deleted.yml 
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: Anomaly description: The following analytic detects the deletion of AWS Network Access Control Lists (ACLs). It leverages AWS CloudTrail logs to identify events where a user deletes a network ACL entry. This activity is significant because deleting a network ACL can remove critical access restrictions, potentially allowing unauthorized access to cloud instances. If confirmed malicious, this action could enable attackers to bypass network security controls, leading to unauthorized access, data exfiltration, or further compromise of the cloud environment. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=DeleteNetworkAclEntry status=Success | spath input=api.request.data path=egress output=egress | spath input=api.request.data path=networkAclId output=networkAclId diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml index 570e905073..2235799ae9 100644 --- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml 
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: experimental type: TTP description: The following analytic identifies the registration of a new Multi-Factor Authentication (MFA) method for an AWS account, as logged through Amazon Security Lake (ASL). It detects this activity by monitoring the `CreateVirtualMFADevice` API operation within ASL logs. This behavior is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this activity could allow attackers to secure their access, making it harder to detect and remove their presence from the compromised environment. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: Newly onboarded users who are registering an MFA method for the first time will also trigger this detection. 
diff --git a/detections/cloud/asl_aws_saml_update_identity_provider.yml b/detections/cloud/asl_aws_saml_update_identity_provider.yml index eadbabe290..bc0a9502cd 100644 --- a/detections/cloud/asl_aws_saml_update_identity_provider.yml +++ b/detections/cloud/asl_aws_saml_update_identity_provider.yml @@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects updates to the SAML provider in AWS. It leverages AWS CloudTrail logs to identify the `UpdateSAMLProvider` event, analyzing fields such as `sAMLProviderArn`, `sourceIPAddress`, and `userIdentity` details. Monitoring updates to the SAML provider is crucial as it may indicate a perimeter compromise of federated credentials or unauthorized backdoor access set by an attacker. If confirmed malicious, this activity could allow attackers to manipulate identity federation, potentially leading to unauthorized access to cloud resources and sensitive data. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=UpdateSAMLProvider | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region diff --git a/detections/cloud/asl_aws_updateloginprofile.yml b/detections/cloud/asl_aws_updateloginprofile.yml index c2533bff34..edd8676be2 100644 --- a/detections/cloud/asl_aws_updateloginprofile.yml +++ b/detections/cloud/asl_aws_updateloginprofile.yml 
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk status: production type: TTP description: The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment. -data_source: [] +data_source: +- ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=UpdateLoginProfile | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region
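Review bot: In asl_aws_ecr_container_upload_unknown_user.yml the search stands or falls on the `aws_ecr_users_asl` macro (`api.operation=PutImage NOT `aws_ecr_users_asl``), yet how_to_implement says nothing about populating that allowlist and known_false_positives is still `unknown`; document how the list of authorized pushers is maintained and state the obvious false positive (a legitimate new pusher, such as a new CI role, not yet in the list). Two smaller points: the description calls ECR the "Elastic Container Service" (it is the Elastic Container Registry), and the search has no `status=Success` filter, so denied PutImage attempts alert exactly like real uploads; either add the filter, as the DeleteGroup searches in this patch do, or say so in the description.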
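Review bot: In asl_aws_iam_accessdenied_discovery_events.yml the description says failures are counted "from the same source IP and user identity", but the stats clause groups only `by actor.user.uid _time` and keeps `src_endpoint.ip` as a `values()` aggregate, so one user failing from many addresses is counted as a single series. Either add `src_endpoint.ip` to the by-clause or reword the description to match what the search does.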
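Review bot: In asl_aws_iam_assume_role_policy_brute_force.yml the description and the search disagree: the description says the analytic looks for `MalformedPolicyDocumentException` errors with a status of `failure` and "filters out legitimate AWS services", but the search matches `api.operation="AssumeRole" "api.response.error"=AccessDenied` and contains no service or user-agent exclusion at all (compare `http_request.user_agent!=*.amazonaws.com` in the DeleteGroup search of this same patch). Rewrite the description to describe the AccessDenied logic actually implemented, or restore the filtering the description promises.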
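Review bot: In asl_aws_iam_delete_policy.yml the search matches `api.operation=DeletePolicy` without constraining `api.service.name` (a field the AccessDenied search in this patch already uses), so DeletePolicy calls from any service exposing an operation of that name, not only IAM, are returned; add an `api.service.name` filter if IAM managed policies are the intent. The known_false_positives text also carries two typos ("capabilties", "seperately").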
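Review bot: In asl_aws_iam_failure_group_deletion.yml the description claims the analytic monitors for "specific error codes related to deletion failures" (access denial, conflicts, non-existent groups), but the search filters only `status=Failure` and never looks at `api.response.error`; either enumerate the intended error values in the search or drop that claim from the description. The search also leaves `api.service.name` unconstrained, so `DeleteGroup` is matched regardless of which service it belongs to. Typos in known_false_positives: "capabilties" and "organizations security posture" (missing apostrophe).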
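Review bot: In asl_aws_iam_successful_group_deletion.yml the how_to_implement text ("You must install the Data Lake Federated Analytics App and ingest the logs into Splunk.") is the old one-liner, while every other file touched by this patch carries the longer Amazon Security Lake paragraph that references the Splunk Add-on for Amazon Web Services; align it so the ASL detections document the same ingestion path. "capabilties" in known_false_positives is a typo.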
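Review bot: In asl_aws_multi_factor_authentication_disabled.yml the search `(api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice)` has no `status` filter, so a denied attempt and a successful deactivation produce identical TTP alerts; filter on `status=Success` (as the DeleteGroup searches in this patch do) or add `status` to the by-clause so the analyst can tell the two apart.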
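Review bot: In asl_aws_network_access_control_list_deleted.yml the file name and description speak of deleting a network ACL, but the search matches `api.operation=DeleteNetworkAclEntry`, which removes a single rule from an ACL; deleting the ACL itself is the separate `DeleteNetworkAcl` operation. Either reword the description to "network ACL entry (rule) deletion" or add `DeleteNetworkAcl` to the operation filter.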
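Review bot: In asl_aws_new_mfa_method_registered_for_user.yml the search matches only `CreateVirtualMFADevice`, which creates the virtual device object; the device is not bound to an IAM user until the separate `EnableMFADevice` call, and `actor.user.uid` in this event is the caller, not necessarily the user the device ends up on. Consider matching `EnableMFADevice` and extracting the target user from the request so the "for user" in the title holds. This file is also the only one in the patch left at `status: experimental` while its siblings are `production`; confirm that is intended.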
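Review bot: In asl_aws_saml_update_identity_provider.yml the description still names raw CloudTrail fields (`sAMLProviderArn`, `sourceIPAddress`, `userIdentity`) while the search works on ASL/OCSF fields (`actor.user.uid`, `src_endpoint.ip`, `http_request.user_agent`); update the description to the field names the search actually uses, and consider pulling the SAML provider ARN out of `api.request.data` with spath, as the network ACL searches in this patch do, so the alert says which provider was changed.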
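Review bot: In asl_aws_updateloginprofile.yml the description promises to flag only cases where "the user making the change is different from the user whose profile is being updated", but the visible part of the search simply matches `api.operation=UpdateLoginProfile` and aggregates by the actor fields; nothing compares the actor against the target user. If the remainder of the search does not extract the target user name from `api.request.data` and compare it with `actor.user.uid`, the description overstates what the search does and should be corrected.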