From 7b515fd8d6dce4c8823ad6b90ee168a1fc3406b5 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Tue, 14 May 2024 11:10:43 -0400
Subject: [PATCH] [New Rule] Building Block Rule - AWS IAM Login Profile Added to User (#3633)
* new rule 'AWS IAM Login Profile Added to User'
* Update rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
(cherry picked from commit 608b8010882d669a209fd63d65cd27d576f5393d)
---
 ...e_aws_iam_login_profile_added_to_user.toml | 70 +++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
diff --git a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
new file mode 100644
index 00000000000..ed153da8642
--- /dev/null
+++ b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
@@ -0,0 +1,70 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2024/04/30"
+integration = ["aws"]
+maturity = "production"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/30"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies when an AWS IAM login profile is added to a user. Adversaries may add a login profile to an IAM user who
+typically does not have one and is used only for programmatic access. This can be used to maintain access to the account
+even if the original access key is rotated or disabled. This is a building block rule and does not generate alerts on
+its own. It is meant to be used for correlation with other rules to detect suspicious activity.
+"""
+from = "now-60m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS IAM Login Profile Added to User"
+risk_score = 21
+rule_id = "10445cf0-0748-11ef-ba75-f661ea17fbcc"
+severity = "low"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS IAM",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+ "Rule Type: BBR"
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com"
+ and event.action: "CreateLoginProfile" and event.outcome: success
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
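Review bot: The sub-technique mapped under T1098 in this hunk, `id = "T1098.003"` / `name = "Additional Cloud Roles"`, does not describe what the matched API does: CreateLoginProfile attaches a console password to an IAM user rather than granting it a role, so T1098.001 (Additional Cloud Credentials) looks like the closer fit, i.e. `id = "T1098.001"`, `name = "Additional Cloud Credentials"`, `reference = "https://attack.mitre.org/techniques/T1098/001/"`. Worth confirming against the ATT&CK entry before changing, since downstream correlation and tagging key off these IDs. Separately, the `query` keeps every successful CreateLoginProfile, including routine user onboarding by administrators; that is acceptable for a building block, but a short comment above `query` stating that the narrowing the description implies (a user that previously had only programmatic access) is left to the consuming rule would make the intended use explicit.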