From b642a43bdc5b274e199ed0f9a7fa6b037afab56e Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Mon, 4 Nov 2024 10:49:45 -0500
Subject: [PATCH 01/10] adding new rule 'AWS IAM Create User via Assumed Role on EC2 Instance'

---
 ..._create_user_via_assumed_role_and_cli.toml | 112 ++++++++++++++++++
 1 file changed, 112 insertions(+)
 create mode 100644 rules/integrations/aws/persistence_iam_create_user_via_assumed_role_and_cli.toml

diff --git a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_and_cli.toml b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_and_cli.toml
new file mode 100644
index 00000000000..86cecb22896
--- /dev/null
+++ b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_and_cli.toml
@@ -0,0 +1,112 @@ +[metadata] +creation_date = "2024/11/04" +integration = ["aws"] +maturity = "production" +updated_date = "2024/11/04" + +[rule] +author = ["Elastic"] +description = """ +Detects the creation of an AWS Identity and Access Management (IAM) user initiated by an assumed role on an EC2 instance. Assumed roles allow users or services to temporarily adopt different AWS permissions, but the creation of IAM users through these roles—particularly from within EC2 instances—may indicate a compromised instance. Adversaries might exploit such permissions to establish persistence by creating new IAM users under unauthorized conditions. +""" +from = "now-9m" +index = ["filebeat-*", "logs-aws.cloudtrail-*"] +language = "kuery" +license = "Elastic License v2" +name = "AWS IAM Create User via Assumed Role and CLI" +note = """ +## Triage and Analysis + +### Investigating AWS IAM User Creation via Assumed Role on an EC2 Instance + +This rule detects when an AWS Identity and Access Management (IAM) user is created through an assumed role on an EC2 instance. This action may indicate a potentially compromised instance where an adversary could be using the instance’s permissions to create a new IAM user, enabling persistent unauthorized access. + +#### Possible Investigation Steps + +- **Identify the Assumed Role and Initiating Instance**: + - **Role and Instance**: Examine the `aws.cloudtrail.user_identity.arn` field to determine the specific EC2 instance and role used for this action (e.g., `arn:aws:sts::[account-id]:assumed-role/[role-name]/[instance-id]`). Verify if this behavior aligns with expected usage or represents an anomaly. + - **Session Context**: Check the `session_issuer` fields in `aws.cloudtrail.user_identity.session_context` for details about the role assumed by the instance, along with `mfa_authenticated` to determine if Multi-Factor Authentication (MFA) was used. 
+ +- **Analyze the Target IAM User**: + - **New User Details**: Inspect `aws.cloudtrail.flattened.request_parameters.userName` to see the username that was created. Look at `aws.cloudtrail.flattened.response_elements.user.userName` for confirmation of successful user creation, and validate if the user is expected or authorized. + - **Review Creation Time and Context**: Compare the creation time (`@timestamp`) of the user with other activities from the same instance and role to assess if this creation was part of a larger chain of actions. + +- **Check User Agent and Tooling**: + - **User Agent Analysis**: Review `user_agent.original` to see if AWS CLI, SDK, or other tooling was used for this request. Identifiers such as `aws-cli`, `boto3`, or similar SDK names can indicate the method used, which may differentiate automation from interactive actions. + - **Source IP and Location**: Use the `source.address` and `source.geo` fields to identify the IP address and geographic location of the event. Verify if this aligns with expected access patterns for your environment. + +- **Evaluate for Persistence Indicators**: + - **Role Permissions**: Check the permissions associated with the assumed role (`arn:aws:iam::[account-id]:role/[role-name]`) to determine if creating IAM users is a legitimate activity for this role. + - **Automated Role Patterns**: If the assumed role or instance typically creates IAM users for automation purposes, validate this action against historical records to confirm if the event is consistent with normal patterns. + +- **Review Related CloudTrail Events**: + - **Additional IAM Actions**: Investigate for other recent IAM or CloudTrail events tied to this role or instance, especially `CreateAccessKey` or `AttachUserPolicy` actions. These could signal further attempts to empower or utilize the newly created user. 
+ - **Correlate with Other Suspicious Activities**: Determine if other roles or instances recently initiated similar unusual actions, such as privilege escalations or data access. + +### False Positive Analysis + +- **Expected Automation**: Assumed roles may be used by legitimate automated systems that create users for specific workflows. Confirm if this event aligns with known automation activities. +- **User Agent and Role Exceptions**: If this action is routine for specific roles or user agents (e.g., `aws-cli`, `boto3`), consider adding those roles or user agents to a monitored exception list for streamlined review. + +### Response and Remediation + +- **Immediate Access Review**: If user creation was unauthorized, restrict the assumed role’s permissions to prevent further user creation. +- **Delete Unauthorized Users**: Confirm and remove any unauthorized IAM users, adjusting IAM policies to reduce similar risks. +- **Enhance Monitoring and Alerts**: Enable enhanced logging or real-time alerts for this role or instance to detect further unauthorized access attempts. +- **Policy Update**: Consider updating IAM policies associated with roles on EC2 instances to limit sensitive actions like IAM user creation. + +### Additional Information + +For further guidance on managing IAM roles and permissions within AWS environments, refer to the [AWS IAM documentation](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html) and AWS best practices for security. 
+""" +references = [ + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html", + "https://www.dionach.com/en-us/breaking-into-the-cloud-red-team-tactics-for-aws-compromise/" +] +risk_score = 47 +rule_id = "f7a1c536-9ac0-11ef-9911-f661ea17fbcd" +severity = "medium" +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS IAM", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", +] +type = "new_terms" +timestamp_override = "event.ingested" +query = ''' +event.dataset: "aws.cloudtrail" + and event.action: "CreateUser" + and event.outcome: "success" + and aws.cloudtrail.user_identity.type: "AssumedRole" + and aws.cloudtrail.user_identity.arn: *i-* +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" +[[rule.threat.technique.subtechnique]] +id = "T1136.003" +name = "Cloud Account" +reference = "https://attack.mitre.org/techniques/T1136/003/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + + +[rule.new_terms] +field = "new_terms_fields" +value = ["aws.cloudtrail.user_identity.arn"] +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" From cc70d0cc3ff67c9a798872b757c6ba060b09bbc3 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Mon, 4 Nov 2024 10:58:10 -0500 Subject: [PATCH 02/10] adding false-positive note --- ..._create_user_via_assumed_role_and_cli.toml | 26 ++++++++++++++----- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_and_cli.toml b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_and_cli.toml index 86cecb22896..25ca4bd3991 100644 --- a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_and_cli.toml 
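Review bot: The instance-session filter `aws.cloudtrail.user_identity.arn: *i-*` in the query is a bare substring match, so any assumed-role ARN whose role or session name merely contains "i-" (a role named, say, `ci-runner` or `multi-region`) satisfies it, not only EC2 sessions whose session name is an instance id as the description states. Anchoring the wildcard to the session-name position of an assumed-role ARN, `and aws.cloudtrail.user_identity.arn: *:assumed-role/*/i-*`, keeps the stated intent with far fewer unrelated matches (the sibling EQL rule in this series anchors on `":i-"` for the same reason). Separately, `value = ["aws.cloudtrail.user_identity.arn"]` under `[rule.new_terms]` keys the new-terms baseline on the full ARN, which for EC2 sessions embeds the instance id, so every freshly launched instance under an already-seen role will look new and alert once. If the role ARN under `aws.cloudtrail.user_identity.session_context.session_issuer` is mapped by the integration, keying the new-terms field on it (or on both fields) would give a more stable baseline; the triage note already points analysts at those `session_issuer` fields.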
+++ b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_and_cli.toml @@ -7,15 +7,25 @@ updated_date = "2024/11/04" [rule] author = ["Elastic"] description = """ -Detects the creation of an AWS Identity and Access Management (IAM) user initiated by an assumed role on an EC2 instance. Assumed roles allow users or services to temporarily adopt different AWS permissions, but the creation of IAM users through these roles—particularly from within EC2 instances—may indicate a compromised instance. Adversaries might exploit such permissions to establish persistence by creating new IAM users under unauthorized conditions. +Detects the creation of an AWS Identity and Access Management (IAM) user initiated by an assumed role on an EC2 +instance. Assumed roles allow users or services to temporarily adopt different AWS permissions, but the creation of IAM +users through these roles—particularly from within EC2 instances—may indicate a compromised instance. Adversaries might +exploit such permissions to establish persistence by creating new IAM users under unauthorized conditions. """ +false_positives = [ + """ + Assumed roles may be used by legitimate automated systems to create IAM users for specific workflows. Verify if this + event aligns with known automation activities. If the action is routine for specific roles or user agents (e.g., + `aws-cli`, `boto3`), consider adding those roles or user agents to a monitored exception list for streamlined + review. + """, +] from = "now-9m" index = ["filebeat-*", "logs-aws.cloudtrail-*"] language = "kuery" license = "Elastic License v2" -name = "AWS IAM Create User via Assumed Role and CLI" -note = """ -## Triage and Analysis +name = "AWS IAM Create User via Assumed Role on EC2 Instance" +note = """## Triage and Analysis ### Investigating AWS IAM User Creation via Assumed Role on an EC2 Instance 
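Review bot: The new `false_positives` entry recommends a "monitored exception list" keyed on user agents such as `aws-cli` or `boto3`, but `user_agent.original` is supplied by the caller and carries no authenticity, so an exception on it would suppress exactly the activity this rule exists to surface. I would keep the exception advice on the role and the known workflow only, e.g. `If the action is routine for specific roles, add those roles to an exception list after confirming the automation that uses them.` The same user-agent wording appears in the `### False Positive Analysis` section of `note`, which lies outside this hunk and would need the matching adjustment.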
@@ -61,7 +71,7 @@ For further guidance on managing IAM roles and permissions within AWS environmen """ references = [ "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html", - "https://www.dionach.com/en-us/breaking-into-the-cloud-red-team-tactics-for-aws-compromise/" + "https://www.dionach.com/en-us/breaking-into-the-cloud-red-team-tactics-for-aws-compromise/", ] risk_score = 47 rule_id = "f7a1c536-9ac0-11ef-9911-f661ea17fbcd" @@ -74,8 +84,9 @@ tags = [ "Use Case: Identity and Access Audit", "Tactic: Persistence", ] -type = "new_terms" timestamp_override = "event.ingested" +type = "new_terms" + query = ''' event.dataset: "aws.cloudtrail" and event.action: "CreateUser" @@ -103,10 +114,11 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["aws.cloudtrail.user_identity.arn"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + From 5271016dce4a9bd750ba8af674387cc5cd0353b3 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Mon, 4 Nov 2024 11:00:14 -0500 Subject: [PATCH 03/10] changed file name --- ...istence_iam_create_user_via_assumed_role_on_ec2_instance.toml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/integrations/aws/{persistence_iam_create_user_via_assumed_role_and_cli.toml => persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml} (100%) diff --git a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_and_cli.toml b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml similarity index 100% rename from rules/integrations/aws/persistence_iam_create_user_via_assumed_role_and_cli.toml rename to rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml From 185b78f8f5e05a61f136b7f0bb0f0425a97de5ce Mon Sep 17 00:00:00 2001 
From: terrancedejesus Date: Mon, 4 Nov 2024 11:43:17 -0500 Subject: [PATCH 04/10] added event.provider --- ...istence_iam_create_user_via_assumed_role_on_ec2_instance.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml index 25ca4bd3991..bd9ea86e22c 100644 --- a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml +++ b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml @@ -89,6 +89,7 @@ type = "new_terms" query = ''' event.dataset: "aws.cloudtrail" + and event.provider: "iam.amazonaws.com" and event.action: "CreateUser" and event.outcome: "success" and aws.cloudtrail.user_identity.type: "AssumedRole" From 7590bf647cac4b8417d939adfa724bd2dbf70faf Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Tue, 5 Nov 2024 12:58:19 -0500 Subject: [PATCH 05/10] tuned 'AWS EC2 Instance Interaction with IAM Service' to be BBR --- ...e_ec2_instance_request_to_iam_service.toml | 30 ++++++++++++++----- 1 file changed, 23 insertions(+), 7 deletions(-) diff --git a/rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml b/rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml index af1d8236c39..40a90a7279b 100644 --- a/rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml +++ b/rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml 
@@ -1,13 +1,17 @@ [metadata] +bypass_bbr_timing = true creation_date = "2024/07/24" integration = ["aws"] maturity = "production" -updated_date = "2024/07/24" +updated_date = "2024/11/05" [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern "i-" which is the beginning pattern for assumed role sessions started by an EC2 instance. + +This is a [building block](https://www.elastic.co/guide/en/security/current/building-block-rule.html) rule and does not generate alerts on its own. It is meant to be used for correlation with other rules to detect suspicious activity. """ false_positives = ["Administrators may use EC2 instances to interact with IAM services as part of an automation workflow, ensure validity of the triggered event and include exceptions where necessary."] from = "now-6m" @@ -18,9 +22,9 @@ name = "AWS EC2 Instance Interaction with IAM Service" references = [ "https://redcanary.com/blog/aws-sts/", ] -risk_score = 47 +risk_score = 21 rule_id = "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1" -severity = "medium" +severity = "low" tags = [ "Domain: Cloud", "Data Source: AWS", 
@@ -35,10 +39,22 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where event.dataset == "aws.cloudtrail" - and event.provider == "iam.amazonaws.com" - and aws.cloudtrail.user_identity.type == "AssumedRole" - and stringContains (user.id, ":i-") +event.dataset == "aws.cloudtrail" + and event.provider == "iam.amazonaws.com" + and aws.cloudtrail.user_identity.type == "AssumedRole" + and stringContains(user.id, ":i-") + and ( + startsWith(event.action, "Update") + or startsWith(event.action, "Attach") + or startsWith(event.action, "Detach") + or startsWith(event.action, "Create") + or startsWith(event.action, "Delete") + or startsWith(event.action, "Add") + or startsWith(event.action, "Remove") + or startsWith(event.action, "Put") + or startsWith(event.action, "Tag") + ) + ''' From b82ddd3ead8f2ceb21d826bc5e577a3d5967807f Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Tue, 5 Nov 2024 12:59:44 -0500 Subject: [PATCH 06/10] updated query --- .../aws/persistence_ec2_instance_request_to_iam_service.toml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml b/rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml index 40a90a7279b..d532fd22624 100644 --- a/rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml +++ b/rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml @@ -54,7 +54,6 @@ event.dataset == "aws.cloudtrail" or startsWith(event.action, "Put") or startsWith(event.action, "Tag") ) - ''' From 01bb9e7bf65b61fceba04b694d5cddf7a322f6ee Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Tue, 5 Nov 2024 13:03:04 -0500 Subject: [PATCH 07/10] added BBR tag --- .../aws/persistence_ec2_instance_request_to_iam_service.toml | 1 + 1 file changed, 1 insertion(+) 
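Review bot: The `startsWith(event.action, ...)` disjunction that scopes this building block to state-changing IAM calls omits several mutating IAM verbs, so calls such as `UploadSSHPublicKey`, `UploadSigningCertificate`, `SetDefaultPolicyVersion`, `ChangePassword`, `DeactivateMFADevice` and `EnableMFADevice` from an instance session would not be recorded, although they are at least as relevant to credential persistence as the `Add`/`Put`/`Tag` prefixes kept here. Extending the list with the `Upload`, `Set`, `Change`, `Deactivate` and `Enable` prefixes closes that gap without admitting read-only `Get`/`List` calls. The removed `any where` prefix and the stray blank line before `'''` in this hunk are corrected by later patches in the series, so I am not raising them.
```toml
    or startsWith(event.action, "Tag")
    or startsWith(event.action, "Upload")
    or startsWith(event.action, "Set")
    or startsWith(event.action, "Change")
    or startsWith(event.action, "Deactivate")
    or startsWith(event.action, "Enable")
  )
```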
diff --git a/rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml b/rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml index d532fd22624..60b992079b4 100644 --- a/rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml +++ b/rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml @@ -34,6 +34,7 @@ tags = [ "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation", "Tactic: Persistence", + "Rule Type: BBR", ] timestamp_override = "event.ingested" type = "eql" From d302f2e18bd967bd366aed64f0006e3ba580b0ae Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Tue, 5 Nov 2024 13:04:06 -0500 Subject: [PATCH 08/10] moved rule to BBR --- .../persistence_iam_instance_request_to_iam_service.toml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/{integrations/aws/persistence_ec2_instance_request_to_iam_service.toml => network/persistence_iam_instance_request_to_iam_service.toml} (100%) diff --git a/rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml b/rules/network/persistence_iam_instance_request_to_iam_service.toml similarity index 100% rename from rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml rename to rules/network/persistence_iam_instance_request_to_iam_service.toml From e47655618808ee41b068fabb17bb02d1c2c19e09 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Tue, 5 Nov 2024 13:08:28 -0500 Subject: [PATCH 09/10] fixed BBR query --- ...e_iam_instance_request_to_iam_service.toml | 44 ++++++++++++------- 1 file changed, 27 insertions(+), 17 deletions(-) diff --git a/rules/network/persistence_iam_instance_request_to_iam_service.toml b/rules/network/persistence_iam_instance_request_to_iam_service.toml index 60b992079b4..fcc0f8c20a1 100644 --- a/rules/network/persistence_iam_instance_request_to_iam_service.toml +++ b/rules/network/persistence_iam_instance_request_to_iam_service.toml 
@@ -9,19 +9,26 @@ updated_date = "2024/11/05" author = ["Elastic"] building_block_type = "default" description = """ -Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern "i-" which is the beginning pattern for assumed role sessions started by an EC2 instance. - -This is a [building block](https://www.elastic.co/guide/en/security/current/building-block-rule.html) rule and does not generate alerts on its own. It is meant to be used for correlation with other rules to detect suspicious activity. +Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and +could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role +could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a +role using their EC2 ID as the session name. This rule looks for the pattern "i-" which is the beginning pattern for +assumed role sessions started by an EC2 instance. This is a [building +block](https://www.elastic.co/guide/en/security/current/building-block-rule.html) rule and does not generate alerts on +its own. It is meant to be used for correlation with other rules to detect suspicious activity. 
""" -false_positives = ["Administrators may use EC2 instances to interact with IAM services as part of an automation workflow, ensure validity of the triggered event and include exceptions where necessary."] +false_positives = [ + """ + Administrators may use EC2 instances to interact with IAM services as part of an automation workflow, ensure + validity of the triggered event and include exceptions where necessary. + """, +] from = "now-6m" index = ["filebeat-*", "logs-aws.cloudtrail-*"] language = "eql" license = "Elastic License v2" name = "AWS EC2 Instance Interaction with IAM Service" -references = [ - "https://redcanary.com/blog/aws-sts/", -] +references = ["https://redcanary.com/blog/aws-sts/"] risk_score = 21 rule_id = "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1" severity = "low" @@ -40,7 +47,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -event.dataset == "aws.cloudtrail" +any where event.dataset == "aws.cloudtrail" and event.provider == "iam.amazonaws.com" and aws.cloudtrail.user_identity.type == "AssumedRole" and stringContains(user.id, ":i-") @@ -60,6 +67,16 @@ event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" 
@@ -68,25 +85,18 @@ reference = "https://attack.mitre.org/techniques/T1098/" id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" From 1ba00665079c51171c1c46dbc466967c83dd6235 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Tue, 5 Nov 2024 13:08:58 -0500 Subject: [PATCH 10/10] moved rule to BBR --- .../persistence_iam_instance_request_to_iam_service.toml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {rules/network => rules_building_block}/persistence_iam_instance_request_to_iam_service.toml (100%) diff --git a/rules/network/persistence_iam_instance_request_to_iam_service.toml b/rules_building_block/persistence_iam_instance_request_to_iam_service.toml similarity index 100% rename from rules/network/persistence_iam_instance_request_to_iam_service.toml rename to rules_building_block/persistence_iam_instance_request_to_iam_service.toml