-
Notifications
You must be signed in to change notification settings - Fork 516
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[New Rule] First Occurrence of User Identity Retrieving Credentials f…
…rom EC2 Instance with an Assumed Role (#3586) * new rule 'First Occurrence of User Identity Sending Requests to EC2 Instance' * updated description and name * added investigation guide; adjusted description * Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml Co-authored-by: Isai <[email protected]> * Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml Co-authored-by: Samirbous <[email protected]> * Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml Co-authored-by: Samirbous <[email protected]> * Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml Co-authored-by: Samirbous <[email protected]> * updated query logic * fixed spacing issue * Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml * Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml --------- Co-authored-by: Isai <[email protected]> Co-authored-by: Samirbous <[email protected]> (cherry picked from commit 38e0f13)
- Loading branch information
1 parent
7bad93a
commit 2616f3c
Showing
1 changed file
with
110 additions
and
0 deletions.
There are no files selected for viewing
110 changes: 110 additions & 0 deletions
110
rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,110 @@ | ||
[metadata] | ||
creation_date = "2024/04/10" | ||
integration = ["aws"] | ||
maturity = "production" | ||
min_stack_comments = "AWS integration breaking changes, bumping version to 2.0.0" | ||
min_stack_version = "8.3.0" | ||
updated_date = "2024/05/13" | ||
|
||
[rule] | ||
author = ["Elastic"] | ||
description = """ | ||
Identifies the first occurrence of a user identity in AWS using `GetPassword` for the administrator password of an EC2 | ||
instance with an assumed role. Adversaries may use this API call to escalate privileges or move laterally within EC2 | ||
instances. | ||
""" | ||
from = "now-9m" | ||
index = ["filebeat-*", "logs-aws.cloudtrail*"] | ||
language = "kuery" | ||
license = "Elastic License v2" | ||
name = "AWS EC2 Admin Credential Fetch via Assumed Role" | ||
note = """ | ||
## Triage and Analysis | ||
### Investigating AWS EC2 Admin Credential Fetch via Assumed Role | ||
This rule detects the first occurrence of a user identity using the `GetPasswordData` API call in AWS, which retrieves the administrator password of an EC2 instance. This can be an indicator of an adversary attempting to escalate privileges or move laterally within EC2 instances. | ||
This is a New Terms rule, which means it will only trigger once for each unique value of the `aws.cloudtrail.user_identity.session_context.session_issuer.arn` field that has not been seen making this API request within the last 7 days. This field contains the Amazon Resource Name (ARN) of the assumed role that triggered the API call. | ||
#### Possible Investigation Steps | ||
- **Identify the User Identity and Role**: Examine the AWS CloudTrail logs to determine the user identity that made the `GetPasswordData` request. Pay special attention to the role and permissions associated with the user. | ||
- **Review Request and Response Parameters**: Analyze the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields to understand the context of the API call and the retrieved password. | ||
- **Contextualize with User Behavior**: Compare this activity against the user's typical behavior patterns. Look for unusual login times, IP addresses, or other anomalous actions taken by the user or role prior to and following the incident. | ||
- **Review EC2 Instance Details**: Check the details of the EC2 instance from which the password was retrieved. Assess the criticality and sensitivity of the applications running on this instance. | ||
- **Examine Related CloudTrail Events**: Search for other API calls made by the same user identity, especially those modifying security groups, network access controls, or instance metadata. | ||
- **Check for Lateral Movement**: Look for evidence that the obtained credentials have been used to access other resources or services within AWS. | ||
- **Investigate the Origin of the API Call**: Analyze the IP address and geographical location from which the request originated. Determine if it aligns with expected locations for legitimate administrative activity. | ||
### False Positive Analysis | ||
- **Legitimate Administrative Actions**: Ensure that the activity was not part of legitimate administrative tasks such as system maintenance or updates. | ||
- **Automation Scripts**: Verify if the activity was generated by automation or deployment scripts that are authorized to use `GetPasswordData` for legitimate purposes. | ||
### Response and Remediation | ||
- **Immediate Isolation**: If suspicious, isolate the affected instance to prevent any potential lateral movement or further unauthorized actions. | ||
- **Credential Rotation**: Rotate credentials of the affected instance or assumed role and any other potentially compromised credentials. | ||
- **User Account Review**: Review the permissions of the implicated user identity. Apply the principle of least privilege by adjusting permissions to prevent misuse. | ||
- **Enhanced Monitoring**: Increase monitoring on the user identity that triggered the rule and similar EC2 instances. | ||
- **Incident Response**: If malicious intent is confirmed, initiate the incident response protocol. This includes further investigation, containment of the threat, eradication of any threat actor presence, and recovery of affected systems. | ||
- **Preventative Measures**: Implement or enhance security measures such as multi-factor authentication and continuous audits of sensitive operations like `GetPasswordData`. | ||
### Additional Information | ||
Refer to resources like [AWS privilege escalation methods](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc) and the MITRE ATT&CK technique [T1552.005 - Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005/) for more details on potential vulnerabilities and mitigation strategies. | ||
""" | ||
references = [ | ||
"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc", | ||
] | ||
risk_score = 47 | ||
rule_id = "8446517c-f789-11ee-8ad0-f661ea17fbce" | ||
severity = "medium" | ||
tags = [ | ||
"Domain: Cloud", | ||
"Data Source: AWS", | ||
"Data Source: Amazon Web Services", | ||
"Data Source: Amazon EC2", | ||
"Use Case: Identity and Access Audit", | ||
"Resources: Investigation Guide", | ||
"Tactic: Credential Access", | ||
] | ||
timestamp_override = "event.ingested" | ||
type = "new_terms" | ||
|
||
query = ''' | ||
event.dataset:"aws.cloudtrail" | ||
and event.provider:"ec2.amazonaws.com" and event.action:"GetPasswordData" | ||
and aws.cloudtrail.user_identity.type:"AssumedRole" and aws.cloudtrail.error_code:"Client.UnauthorizedOperation" | ||
''' | ||
|
||
|
||
[[rule.threat]] | ||
framework = "MITRE ATT&CK" | ||
[[rule.threat.technique]] | ||
id = "T1552" | ||
name = "Unsecured Credentials" | ||
reference = "https://attack.mitre.org/techniques/T1552/" | ||
[[rule.threat.technique.subtechnique]] | ||
id = "T1552.005" | ||
name = "Cloud Instance Metadata API" | ||
reference = "https://attack.mitre.org/techniques/T1552/005/" | ||
|
||
|
||
|
||
[rule.threat.tactic] | ||
id = "TA0006" | ||
name = "Credential Access" | ||
reference = "https://attack.mitre.org/tactics/TA0006/" | ||
|
||
[rule.new_terms] | ||
field = "new_terms_fields" | ||
value = ["aws.cloudtrail.user_identity.session_context.session_issuer.arn"] | ||
[[rule.new_terms.history_window_start]] | ||
field = "history_window_start" | ||
value = "now-7d" | ||
|
||
|