Commit
Merge PR #4900 from @jamesc-grafana - Add new AWS cloudtrail rules
new: Ingress/Egress Security Group Modification
new: LoadBalancer Security Group Modification
new: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
new: New Network ACL Entry Added
new: New Network Route Added
new: Potential Malicious Usage of CloudTrail System Manager
new: RDS Database Security Group Modification
---------
Co-authored-by: nasbench <[email protected]>
1 parent: d4cb9fd, commit: f95d539
Showing 7 changed files with 189 additions and 0 deletions.
rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml (31 changes: 31 additions & 0 deletions)
@@ -0,0 +1,31 @@ | ||
title: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure | ||
id: 352a918a-34d8-4882-8470-44830c507aa3 | ||
status: experimental | ||
description: | | ||
Detects when an instance identity has taken an action that isn't inside SSM. | ||
This can indicate that a compromised EC2 instance is being used as a pivot point. | ||
references: | ||
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html | ||
- https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/ | ||
- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things | ||
author: jamesc-grafana | ||
date: 2024/07/11 | ||
tags: | ||
- attack.privilege_escalation | ||
- attack.defense_evasion | ||
- attack.t1078 | ||
- attack.t1078.002 | ||
logsource: | ||
product: aws | ||
service: cloudtrail | ||
detection: | ||
selection: | ||
userIdentity.arn|re: '.+:assumed-role/aws:.+' | ||
filter_main_generic: | ||
- eventSource: 'ssm.amazonaws.com' | ||
- eventName: 'RegisterManagedInstance' | ||
- sourceIPAddress: 'AWS Internal' | ||
condition: selection and not 1 of filter_main_* | ||
falsepositives: | ||
- A team has configured an EC2 instance to use instance profiles that grant the option for the EC2 instance to talk to other AWS Services | ||
level: high |
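Review bot: The regex `userIdentity.arn|re: '.+:assumed-role/aws:.+'` is the whole basis of this detection, yet the description never says which principal it targets. An `assumed-role/aws:` ARN path is the reserved form used by the EC2 instance identity role described in the first reference, which is a different thing from an instance-profile role, so the falsepositives entry about teams configuring instance profiles does not describe what `selection` actually matches. Suggest rewording the description to "Detects API calls made by the EC2 instance identity role (`assumed-role/aws:...`) that are not SSM or AWS-internal calls" and either dropping the instance-profile false positive or stating that instance-profile activity is out of scope. Also confirm that `sourceIPAddress: 'AWS Internal'` is the exact string CloudTrail emits; a spacing or case mismatch would silently remove that exclusion and the rule would fire on AWS's own service calls.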
rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml (23 changes: 23 additions & 0 deletions)
@@ -0,0 +1,23 @@ | ||
title: New Network ACL Entry Added | ||
id: e1f7febb-7b94-4234-b5c6-00fb8500f5dd | ||
status: test | ||
description: | | ||
Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account. | ||
references: | ||
- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ | ||
author: jamesc-grafana | ||
date: 2024/07/11 | ||
tags: | ||
- attack.initial_access | ||
- attack.t1190 | ||
logsource: | ||
product: aws | ||
service: cloudtrail | ||
detection: | ||
selection: | ||
eventSource: 'ec2.amazonaws.com' | ||
eventName: 'CreateNetworkAclEntry' | ||
condition: selection | ||
falsepositives: | ||
- Legitimate use of ACLs to enable customer and staff access from the public internet into a public VPC | ||
level: low |
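Review bot: The description says ACL entries are "added to a route table", but `CreateNetworkAclEntry` adds a rule to a network ACL, which is associated with subnets, not with route tables; suggest "Detects the addition of a new entry to a network ACL, which could open new inbound or outbound paths into the VPC". The `attack.initial_access` / `attack.t1190` tags are also a loose fit for a firewall-rule change: T1562.007 (Disable or Modify Cloud Firewall) under `attack.defense_evasion` describes this event directly and would keep the tactic mapping consistent across the security-group rules in this PR.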
rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml (24 changes: 24 additions & 0 deletions)
@@ -0,0 +1,24 @@ | ||
title: New Network Route Added | ||
id: c803b2ce-c4a2-4836-beae-b112010390b1 | ||
status: test | ||
description: | | ||
Detects the addition of a new network route to a route table in AWS. | ||
references: | ||
- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ | ||
author: jamesc-grafana | ||
date: 2024/07/11 | ||
tags: | ||
- attack.initial_access | ||
- attack.t1190 | ||
logsource: | ||
product: aws | ||
service: cloudtrail | ||
detection: | ||
selection: | ||
eventSource: 'ec2.amazonaws.com' | ||
eventName: 'CreateRoute' | ||
condition: selection | ||
falsepositives: | ||
- New VPC Creation requiring setup of a new route table | ||
- New subnets added requiring routing setup | ||
level: medium |
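Review bot: `CreateRoute` alone misses `ReplaceRoute`, which re-points an existing route (for example the default route) at a different target without creating a new entry; suggest listing both under `eventName:` so a re-pointed route is not silently excluded. As with the ACL rule, `attack.t1190` does not describe a routing change; `attack.defense_evasion` with `attack.t1562.007` is the closer mapping. The falsepositives cover new VPCs and subnets, but every infrastructure-as-code deployment that builds a route table will trigger this, so a sentence noting that the rule is meant for baselining or correlation rather than paging would help consumers interpret `level: medium`.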
rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_ingress_egress.yml (30 changes: 30 additions & 0 deletions)
@@ -0,0 +1,30 @@ | ||
title: Ingress/Egress Security Group Modification | ||
id: 6fb77778-040f-4015-9440-572aa9b6b580 | ||
status: test | ||
description: | | ||
Detects when an account makes changes to the ingress or egress rules of a security group. | ||
This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server. | ||
references: | ||
- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ | ||
author: jamesc-grafana | ||
date: 2024/07/11 | ||
tags: | ||
- attack.initial_access | ||
- attack.t1190 | ||
logsource: | ||
product: aws | ||
service: cloudtrail | ||
detection: | ||
selection: | ||
eventSource: 'ec2.amazonaws.com' | ||
eventName: | ||
- 'AuthorizeSecurityGroupEgress' | ||
- 'AuthorizeSecurityGroupIngress' | ||
- 'RevokeSecurityGroupEgress' | ||
- 'RevokeSecurityGroupIngress' | ||
condition: selection | ||
falsepositives: | ||
- New VPCs and Subnets being setup requiring a different security profile to those already defined | ||
- A single port being opened for a new service that is known to be deploying | ||
- Administrators closing unused ports to reduce the attack surface | ||
level: medium |
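Review bot: The `eventName:` list covers `AuthorizeSecurityGroup*` and `RevokeSecurityGroup*` but not `ModifySecurityGroupRules`, which edits an existing rule's protocol, port range or CIDR in place and therefore changes exposure without emitting either of the listed events; suggest adding it to the list. The description talks about exfiltration and C&C callbacks while the tags only give `attack.initial_access` / `attack.t1190`; `attack.defense_evasion` / `attack.t1562.007` fits the modification itself, and the exfiltration and command-and-control tactics can be added if those scenarios are the intent. Minor: "being setup" in the first falsepositives entry should read "being set up".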
rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_loadbalancer.yml (27 changes: 27 additions & 0 deletions)
@@ -0,0 +1,27 @@ | ||
title: LoadBalancer Security Group Modification | ||
id: 7a4409fc-f8ca-45f6-8006-127d779eaad9 | ||
status: test | ||
description: | | ||
Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). | ||
This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account. | ||
references: | ||
- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ | ||
author: jamesc-grafana | ||
date: 2024/07/11 | ||
tags: | ||
- attack.initial_access | ||
- attack.t1190 | ||
logsource: | ||
product: aws | ||
service: cloudtrail | ||
detection: | ||
selection: | ||
eventSource: 'elasticloadbalancing.amazonaws.com' | ||
eventName: | ||
- 'ApplySecurityGroupsToLoadBalancer' | ||
- 'SetSecurityGroups' | ||
condition: selection | ||
falsepositives: | ||
- Repurposing of an ELB or ALB to serve a different or additional application | ||
- Changes to security groups to allow for new services to be deployed | ||
level: medium |
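Review bot: The second description line, "This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate ...", is missing its verb; suggest "This can indicate a misconfiguration that allows more traffic into the system than required, or an attacker attempting to enable new connections into a VPC or subnet controlled by the account." `SetSecurityGroups` on `elasticloadbalancing.amazonaws.com` is also emitted for Network Load Balancers, which have supported security groups since 2023, so the title and description should not limit the scope to ELB and ALB. Same tag concern as the other security-group rules: `attack.t1190` describes exploiting an application, not changing the firewall in front of it.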
rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_rds.yml (28 changes: 28 additions & 0 deletions)
@@ -0,0 +1,28 @@ | ||
title: RDS Database Security Group Modification | ||
id: 14f3f1c8-02d5-43a2-a191-91ffb52d3015 | ||
status: test | ||
description: | | ||
Detects changes to the security group entries for RDS databases. | ||
This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users. | ||
references: | ||
- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ | ||
author: jamesc-grafana | ||
date: 2024/07/11 | ||
tags: | ||
- attack.initial_access | ||
- attack.t1190 | ||
logsource: | ||
product: aws | ||
service: cloudtrail | ||
detection: | ||
selection: | ||
eventSource: 'rds.amazonaws.com' | ||
eventName: | ||
- 'AuthorizeDBSecurityGroupIngress' | ||
- 'CreateDBSecurityGroup' | ||
- 'DeleteDBSecurityGroup' | ||
- 'RevokeDBSecurityGroupIngress' | ||
condition: selection | ||
falsepositives: | ||
- Creation of a new Database that needs new security group rules | ||
level: medium |
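Review bot: `AuthorizeDBSecurityGroupIngress`, `CreateDBSecurityGroup`, `DeleteDBSecurityGroup` and `RevokeDBSecurityGroupIngress` operate on RDS "DB security groups", the EC2-Classic era construct. RDS instances in a VPC use ordinary VPC security groups, which are attached through `ModifyDBInstance` (and `ModifyDBCluster`) with a VPC security group ID list in the request, and whose rules change through `ec2.amazonaws.com` events already covered by the ingress/egress rule. As written this rule will be silent in most current accounts, so "Detects changes to the security group entries for RDS databases" overstates its coverage; suggest either adding a second selection on `ModifyDBInstance` / `ModifyDBCluster` where the request parameters carry the VPC security group list (something like `requestParameters.vpcSecurityGroupIds`, to be confirmed against a sample event), or stating in the description that only legacy DB security groups are covered.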
rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml (26 changes: 26 additions & 0 deletions)
@@ -0,0 +1,26 @@ | ||
title: Potential Malicious Usage of CloudTrail System Manager | ||
id: 38e7f511-3f74-41d4-836e-f57dfa18eead | ||
status: experimental | ||
description: | | ||
Detect when System Manager successfully executes commands against an instance. | ||
references: | ||
- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml | ||
author: jamesc-grafana | ||
date: 2024/07/11 | ||
tags: | ||
- attack.privilege_escalation | ||
- attack.t1566 | ||
- attack.t1566.002 | ||
logsource: | ||
product: aws | ||
service: cloudtrail | ||
detection: | ||
selection: | ||
eventName: 'SendCommand' | ||
eventSource: 'ssm.amazonaws.com' | ||
responseElements.command.status: 'Success' | ||
condition: selection | ||
falsepositives: | ||
- There are legitimate uses of SSM to send commands to EC2 instances | ||
- Legitimate users may have to use SSM to perform actions against machines in the Cloud to update or maintain them | ||
level: high |
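Review bot: The title "Potential Malicious Usage of CloudTrail System Manager" names the wrong service: the event source is `ssm.amazonaws.com`, i.e. AWS Systems Manager, and CloudTrail is only the log source; suggest "Potential Malicious Usage of AWS Systems Manager SendCommand". The tags `attack.t1566` / `attack.t1566.002` are Phishing and Spearphishing Link, which have nothing to do with running commands on instances; `SendCommand` maps to T1651 (Cloud Administration Command) under `attack.execution`. The condition `responseElements.command.status: 'Success'` also needs checking against real events: the SendCommand response records the command's status at submission time (typically Pending or InProgress), and later status transitions are not written to CloudTrail, so this selection may never match; if the intent is "the API call did not fail", matching on the absence of `errorCode` is the reliable way to express it. Minor: "Detect when" should be "Detects when" for consistency with the other rules in this PR.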