splunk · patel-bhavin · Jan 14, 2025 · Dec 12, 2024 · Dec 12, 2024 · Dec 12, 2024
@@ -0,0 +1,13 @@
+name: ASL AWS CloudTrail
+id: 1dcf9cfb-0e91-44c6-81b3-61b2574ec898
+version: 1
+date: '2025-01-14'
+author: Patrick Bareiss, Splunk
+description: Data source object for ASL AWS CloudTrail 
+source: aws_asl
+sourcetype: aws:asl
+separator: api.operation
+supported_TA:
+- name: Splunk Add-on for AWS
+  url: https://splunkbase.splunk.com/app/1876
+  version: 7.9.0
@@ -1,13 +1,14 @@
 name: ASL AWS Concurrent Sessions From Different Ips
 id: b3424bbe-3204-4469-887b-ec144483a336
-version: 5
+version: 6
 date: '2024-09-30'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
 description: The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute span. This detection leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` API call, to identify multiple IP addresses associated with the same user session. This behavior is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this activity could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation.
-data_source: []
-search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" | bin span=5m _time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count by _time identity.user.credential_uid identity.user.name | where distinct_ip_count > 1 | rename identity.user.name as user | `asl_aws_concurrent_sessions_from_different_ips_filter`'
+data_source: 
+- ASL AWS CloudTrail
+search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" | bin span=5m _time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count by _time actor.user.uid | where distinct_ip_count > 1 | rename actor.user.uid as user | `asl_aws_concurrent_sessions_from_different_ips_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.
 references:
@@ -42,25 +43,23 @@ tags:
     type: User
     role:
     - Victim
-  product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
   required_fields:
   - api.operation
-  - actor.user.account_uid
-  - actor.user.name
   - actor.user.uid
   - http_request.user_agent
   - src_endpoint.ip
   - src_endpoint.domain
   - cloud.region
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
   risk_score: 42
   security_domain: threat
   manual_test: Can't be tested automatically because of time span.
 tests:
 - name: True Positive Test
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/asl_ocsf_cloudtrail.json
-    sourcetype: aws:cloudtrail:lake
+    sourcetype: aws:asl
     source: aws_asl
@@ -0,0 +1,55 @@
+name: ASL AWS Create Access Key
+id: 81a9f2fe-1697-473c-af1d-086b0d8b63c8
+version: 1
+date: '2024-12-12'
+author: Patrick Bareiss, Splunk
+status: production
+type: Hunting
+description: The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
+data_source: 
+- ASL AWS CloudTrail
+search: '`amazon_security_lake` api.operation=CreateAccessKey | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_create_access_key_filter`'
+how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
+known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.
+references:
+- https://bishopfox.com/blog/privilege-escalation-in-aws
+- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/
+tags:
+  analytic_story:
+  - AWS IAM Privilege Escalation
+  asset_type: AWS Account
+  confidence: 90
+  impact: 70
+  message: User $user$ is attempting to create access keys
+  mitre_attack_id:
+  - T1136.003
+  - T1136
+  observable:
+  - name: src_ip
+    type: IP Address
+    role:
+    - Attacker
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - api.operation
+  - actor.user.uid
+  - actor.user.account.uid
+  - http_request.user_agent
+  - src_endpoint.ip
+  - src_endpoint.domain
+  - cloud.region
+  risk_score: 63
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/asl_ocsf_cloudtrail.json
+    sourcetype: aws:asl
+    source: aws_asl
@@ -0,0 +1,61 @@
+name: ASL AWS Create Policy Version to allow all resources
+id: 22cc7a62-3884-48c4-82da-592b8199b72f
+version: 1
+date: '2024-12-12'
+author: Patrick Bareiss, Splunk
+status: production
+type: TTP
+description: The following analytic identifies the creation of a new AWS IAM policy version that allows access to all resources. It detects this activity by analyzing AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that grants broad permissions. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment.
+data_source: 
+- ASL AWS CloudTrail
+search: '`amazon_security_lake` api.operation=CreatePolicy | spath input=api.request.data | spath input=policyDocument | regex Statement{}.Action="\*" | regex Statement{}.Resource="\*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_create_policy_version_to_allow_all_resources_filter`'
+how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
+known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity.
+references:
+- https://bishopfox.com/blog/privilege-escalation-in-aws
+- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - AWS IAM Privilege Escalation
+  asset_type: AWS Account
+  confidence: 70
+  impact: 70
+  message: User $user$ created a policy version that allows them to access any resource in their account.
+  mitre_attack_id:
+  - T1078.004
+  - T1078
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - api.operation
+  - actor.user.account.uid
+  - api.request.data
+  - actor.user.uid
+  - http_request.user_agent
+  - src_endpoint.ip
+  - src_endpoint.domain
+  - cloud.region
+  risk_score: 49
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/asl_ocsf_cloudtrail.json
+    sourcetype: aws:asl
+    source: aws_asl
@@ -0,0 +1,66 @@
+name: ASL AWS Credential Access GetPasswordData
+id: a79b607a-50cc-4704-bb9d-eff280cb78c2
+version: 1
+date: '2024-12-12'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic identifiesGetPasswordData API calls in your AWS account. It leverages  CloudTrail logs from Amazon Security Lake to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment.
+data_source: 
+- ASL AWS CloudTrail
+search: '`amazon_security_lake` api.operation=GetPasswordData | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region instanceId | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_getpassworddata_filter`'
+how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
+known_false_positives: Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time.
+references:
+- https://attack.mitre.org/techniques/T1552/
+- https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user_arn = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - AWS Identity and Access Management Account Takeover
+  asset_type: AWS Account
+  confidence: 70
+  impact: 70
+  message: User $user$ is seen to make `GetPasswordData` API calls 
+  mitre_attack_id:
+  - T1586
+  - T1586.003
+  - T1110
+  - T1110.001
+  observable:
+  - name: src_ip
+    type: IP Address
+    role:
+    - Attacker
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - api.operation
+  - actor.user.uid
+  - actor.user.account.uid
+  - http_request.user_agent
+  - src_endpoint.ip
+  - src_endpoint.domain
+  - cloud.region
+  risk_score: 49
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/aws_getpassworddata/asl_ocsf_cloudtrail.json
+    sourcetype: aws:asl
+    source: aws_asl
@@ -0,0 +1,65 @@
+name: ASL AWS Credential Access RDS Password reset
+id: d15e9bd9-ef64-4d84-bc04-f62955a9fee8
+version: 1
+date: '2024-12-12'
+author: Patrick Bareiss, Splunk
+status: production
+type: TTP
+description: The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs from Amazon Security Lake to identify events where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset.
+data_source: 
+- ASL AWS CloudTrail
+search: '`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation=ModifyDBCluster | spath input=api.request.data | search masterUserPassword=* | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_rds_password_reset_filter`'
+how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
+known_false_positives: Users may genuinely reset the RDS password.
+references:
+- https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  database_id = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - AWS Identity and Access Management Account Takeover
+  asset_type: AWS Account
+  confidence: 70
+  impact: 70
+  message: User $user$ is seen to reset the password for database 
+  mitre_attack_id:
+  - T1586
+  - T1586.003
+  - T1110
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: src_ip
+    type: IP Address
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - api.operation
+  - api.request.data
+  - actor.user.uid
+  - actor.user.account.uid
+  - http_request.user_agent
+  - src_endpoint.ip
+  - src_endpoint.domain
+  - cloud.region
+  risk_score: 49
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.002/aws_rds_password_reset/asl_ocsf_cloudtrail.json
+    sourcetype: aws:asl
+    source: aws_asl