-
Notifications
You must be signed in to change notification settings - Fork 512
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[New Rule] Adding Coverage for `AWS Discovery API Calls via CLI from …
…a Single Resource` (#4246) * adding new rule 'AWS Multiple Discovery API Calls via CLI from a Single Resource' * adjusted name * adjusted ESQL functions * changed query comment * Update rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml * adjusted query * added min-stack * adjusted query (cherry picked from commit c602042)
- Loading branch information
1 parent
b6d0f98
commit 643e9a1
Showing
2 changed files
with
151 additions
and
1 deletion.
There are no files selected for viewing
3 changes: 2 additions & 1 deletion
3
rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
149 changes: 149 additions & 0 deletions
149
rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,149 @@ | ||
[metadata] | ||
creation_date = "2024/11/04" | ||
integration = ["aws"] | ||
maturity = "production" | ||
min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully" | ||
min_stack_version = "8.13.0" | ||
updated_date = "2024/11/04" | ||
|
||
[rule] | ||
author = ["Elastic"] | ||
description = """ | ||
Detects when a single AWS resource is running multiple `Describe` and `List` API calls in a 10-second window. This | ||
behavior could indicate an actor attempting to discover the AWS infrastructure using compromised credentials or a | ||
compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to | ||
gain a better understanding of the target's infrastructure. | ||
""" | ||
false_positives = [ | ||
""" | ||
Administrators or automated systems may legitimately perform multiple `Describe` and `List` API calls in a short | ||
time frame. Verify the user identity and the purpose of the API calls to determine if the behavior is expected. | ||
""", | ||
] | ||
from = "now-9m" | ||
language = "esql" | ||
license = "Elastic License v2" | ||
name = "AWS Discovery API Calls via CLI from a Single Resource" | ||
note = """## Triage and Analysis | ||
### Investigating AWS Discovery API Calls via CLI from a Single Resource | ||
This rule detects multiple discovery-related API calls (`Describe`, `List`, or `Get` actions) within a short time window (30 seconds) from a single AWS resource. High volumes of such calls may indicate attempts to enumerate AWS infrastructure for reconnaissance purposes, which is often a tactic used by adversaries with compromised credentials or unauthorized access. | ||
#### Possible Investigation Steps | ||
- **Identify the Actor and Resource**: | ||
- **User Identity and Resource**: Examine `aws.cloudtrail.user_identity.arn` to identify the actor making the discovery requests. Verify the user or resource associated with these actions to ensure they are recognized and expected. | ||
- **User Agent and Tooling**: Check `user_agent.name` to confirm whether the `aws-cli` tool was used for these requests. Use of the CLI in an atypical context might indicate unauthorized or automated access. | ||
- **Evaluate the Context and Scope of API Calls**: | ||
- **API Action Types**: Look into the specific actions under `event.action` for API calls like `Describe*`, `List*`, or `Get*`. Note if these calls are targeting sensitive services, such as `EC2`, `IAM`, or `S3`, which may suggest an attempt to identify high-value assets. | ||
- **Time Pattern Analysis**: Review the `time_window` and `unique_api_count` to assess whether the frequency of these calls is consistent with normal patterns for this resource or user. | ||
- **Analyze Potential Compromise Indicators**: | ||
- **Identity Type**: Review `aws.cloudtrail.user_identity.type` to determine if the calls originated from an assumed role, a root user, or a service role. Unusual identity types for discovery operations may suggest misuse or compromise. | ||
- **Source IP and Geographic Location**: Examine the `source.ip` and `source.geo` fields to identify any unusual IP addresses or locations associated with the activity, which may help confirm or rule out external access. | ||
- **Examine Related CloudTrail Events**: | ||
- **Pivot for Related Events**: Identify any additional IAM or CloudTrail events tied to the same actor ARN. Activities such as `AssumeRole`, `GetSessionToken`, or `CreateAccessKey` in proximity to these discovery calls may signal an attempt to escalate privileges. | ||
- **Look for Anomalous Patterns**: Determine if this actor or resource has performed similar discovery actions previously, or if these actions coincide with other alerts related to credential use or privilege escalation. | ||
### False Positive Analysis | ||
- **Expected Discovery Activity**: Regular discovery or enumeration API calls may be conducted by security, automation, or monitoring scripts to maintain an inventory of resources. Validate if this activity aligns with known automation or inventory tasks. | ||
- **Routine Admin or Automated Access**: If specific roles or resources, such as automation tools or monitoring services, regularly trigger this rule, consider adding exceptions for these known, benign users to reduce false positives. | ||
### Response and Remediation | ||
- **Confirm Authorized Access**: If the discovery activity appears unauthorized, consider immediate steps to restrict the user or resource’s permissions. | ||
- **Review and Remove Unauthorized API Calls**: If the actor is not authorized to perform discovery actions, investigate and potentially disable their permissions or access keys to prevent further misuse. | ||
- **Enhance Monitoring for Discovery Patterns**: Consider additional logging or alerting for high-frequency discovery API calls, especially if triggered from new or unrecognized resources. | ||
- **Policy Review and Updates**: Review IAM policies associated with the actor, ensuring restrictive permissions and MFA enforcement where possible to prevent unauthorized discovery. | ||
### Additional Information | ||
For further guidance on AWS infrastructure discovery and best practices, refer to [AWS CloudTrail documentation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html) and MITRE ATT&CK’s [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580/). | ||
""" | ||
references = ["https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/"] | ||
risk_score = 21 | ||
rule_id = "74f45152-9aee-11ef-b0a5-f661ea17fbcd" | ||
severity = "low" | ||
tags = [ | ||
"Domain: Cloud", | ||
"Data Source: AWS", | ||
"Data Source: AWS EC2", | ||
"Data Source: AWS IAM", | ||
"Data Source: AWS S3", | ||
"Use Case: Threat Detection", | ||
"Tactic: Discovery", | ||
] | ||
timestamp_override = "event.ingested" | ||
type = "esql" | ||
|
||
query = ''' | ||
from logs-aws.cloudtrail* | ||
// create time window buckets of 10 seconds | ||
| eval time_window = date_trunc(10 seconds, @timestamp) | ||
| where | ||
event.dataset == "aws.cloudtrail" | ||
// filter on CloudTrail audit logs for IAM, EC2, and S3 events only | ||
and event.provider in ( | ||
"iam.amazonaws.com", | ||
"ec2.amazonaws.com", | ||
"s3.amazonaws.com", | ||
"rds.amazonaws.com", | ||
"lambda.amazonaws.com", | ||
"dynamodb.amazonaws.com", | ||
"kms.amazonaws.com", | ||
"cloudfront.amazonaws.com", | ||
"elasticloadbalancing.amazonaws.com", | ||
"cloudfront.amazonaws.com" | ||
) | ||
// ignore AWS service actions | ||
and aws.cloudtrail.user_identity.type != "AWSService" | ||
// filter for aws-cli specifically | ||
and user_agent.name == "aws-cli" | ||
// exclude DescribeCapacityReservations events related to AWS Config | ||
and not event.action in ("DescribeCapacityReservations") | ||
// filter for Describe, Get, List, and Generate API calls | ||
| where true in ( | ||
starts_with(event.action, "Describe"), | ||
starts_with(event.action, "Get"), | ||
starts_with(event.action, "List"), | ||
starts_with(event.action, "Generate") | ||
) | ||
// extract owner, identity type, and actor from the ARN | ||
| dissect aws.cloudtrail.user_identity.arn "%{}::%{owner}:%{identity_type}/%{actor}" | ||
| where starts_with(actor, "AWSServiceRoleForConfig") != true | ||
| keep @timestamp, time_window, event.action, aws.cloudtrail.user_identity.arn | ||
| stats | ||
// count the number of unique API calls per time window and actor | ||
unique_api_count = count_distinct(event.action) by time_window, aws.cloudtrail.user_identity.arn | ||
// filter for more than 5 unique API calls per time window | ||
| where unique_api_count > 5 | ||
// sort the results by the number of unique API calls in descending order | ||
| sort unique_api_count desc | ||
''' | ||
|
||
|
||
[[rule.threat]] | ||
framework = "MITRE ATT&CK" | ||
[[rule.threat.technique]] | ||
id = "T1580" | ||
name = "Cloud Infrastructure Discovery" | ||
reference = "https://attack.mitre.org/techniques/T1580/" | ||
|
||
|
||
[rule.threat.tactic] | ||
id = "TA0007" | ||
name = "Discovery" | ||
reference = "https://attack.mitre.org/tactics/TA0007/" | ||
|