[New Rule] Building Block Rule - AWS IAM Login Profile Added to User (#…

…3633) * new rule 'AWS IAM Login Profile Added to User' * Update rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml Co-authored-by: Isai <[email protected]> * Update rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml Co-authored-by: Ruben Groenewoud <[email protected]> --------- Co-authored-by: Isai <[email protected]> Co-authored-by: Ruben Groenewoud <[email protected]> (cherry picked from commit 608b801)
elastic · May 14, 2024 · 7b515fd · 7b515fd
1 parent 3f970fd
commit 7b515fd
Showing 1 changed file with 70 additions and 0 deletions.
diff --git a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
@@ -0,0 +1,70 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2024/04/30"
+integration = ["aws"]
+maturity = "production"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/30"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies when an AWS IAM login profile is added to a user. Adversaries may add a login profile to an IAM user who
+typically does not have one and is used only for programmatic access. This can be used to maintain access to the account
+even if the original access key is rotated or disabled. This is a building block rule and does not generate alerts on
+its own. It is meant to be used for correlation with other rules to detect suspicious activity.
+"""
+from = "now-60m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS IAM Login Profile Added to User"
+risk_score = 21
+rule_id = "10445cf0-0748-11ef-ba75-f661ea17fbcc"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS IAM",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Persistence",
+    "Rule Type: BBR"
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com"
+    and event.action: "CreateLoginProfile" and event.outcome: success
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+