
[New Rule] First Occurrence of User Identity Retrieving Credentials from EC2 Instance with an Assumed Role #3586

Merged


terrancedejesus

@terrancedejesus terrancedejesus commented Apr 10, 2024

Issues

Summary

Identifies the first occurrence of a user identity in AWS using GetPassword for the administrator password of an EC2 instance with an assumed role. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances.

This is a New Terms rule, which means it will only trigger once for each unique value of the aws.cloudtrail.user_identity.session_context.session_issuer.arn field that has not been seen making this API request within the last 7 days. This field contains the Amazon Resource Name (ARN) of the assumed role that triggered the API call.

Screenshot 2024-04-10 at 6 34 42 PM Screenshot 2024-04-10 at 6 34 56 PM

API Reference: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html

Example Data
{
  "_index": ".ds-logs-aws.cloudtrail-default-2024.04.09-000001",
  "_id": "d69fa25096-000000002808",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "name": "ip-172-31-95-103",
      "id": "f14d530d-b7f2-4dbd-b122-28582c2a767c",
      "ephemeral_id": "69b4fa20-756a-4d41-8325-7613b13a01b2",
      "type": "filebeat",
      "version": "8.13.2"
    },
    "log": {
      "file": {
        "path": "https://asperitas-security-logs.s3.us-east-1.amazonaws.com/AWSLogs/891377031307/CloudTrail/us-east-1/2024/04/12/891377031307_CloudTrail_us-east-1_20240412T1610Z_xNoCUqnocXs3yZ7n.json.gz"
      },
      "offset": 2808
    },
    "elastic_agent": {
      "id": "f14d530d-b7f2-4dbd-b122-28582c2a767c",
      "version": "8.13.2",
      "snapshot": false
    },
    "source": {
      "geo": {
        "continent_name": "North America",
        "region_iso_code": "US-OH",
        "city_name": "Massillon",
        "country_iso_code": "US",
        "country_name": "United States",
        "region_name": "Ohio",
        "location": {
          "lon": xxxx,
          "lat": xxxxx
        }
      },
      "as": {
        "number": 12097,
        "organization": {
          "name": "MASSCOM"
        }
      },
      "address": "xxxx",
      "ip": "xxxx"
    },
    "tags": [
      "preserve_original_event",
      "forwarded",
      "aws-cloudtrail"
    ],
    "cloud": {
      "region": "us-east-1",
      "account": {
        "id": "xxxx"
      }
    },
    "input": {
      "type": "aws-s3"
    },
    "@timestamp": "2024-04-12T16:05:35.000Z",
    "ecs": {
      "version": "8.0.0"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "aws.cloudtrail"
    },
    "tls": {
      "cipher": "TLS_AES_128_GCM_SHA256",
      "client": {
        "server_name": "ec2.us-east-1.amazonaws.com"
      },
      "version": "1.3",
      "version_protocol": "tls"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2024-04-12T16:10:02Z",
      "original": "xxx"
      "provider": "ec2.amazonaws.com",
      "created": "2024-04-12T16:09:52.446Z",
      "kind": "event",
      "action": "GetPasswordData",
      "id": "a5a11749-89c2-43c8-a8bb-a505d8ba7bf2",
      "type": [
        "info"
      ],
      "dataset": "aws.cloudtrail",
      "outcome": "failure"
    },
    "aws": {
      "s3": {
        "bucket": {
          "name": "asperitas-security-logs",
          "arn": "arn:aws:s3:::asperitas-security-logs"
        },
        "object": {
          "key": "AWSLogs/xxxx/CloudTrail/us-east-1/2024/04/12/xxxx_CloudTrail_us-east-1_20240412T1610Z_xNoCUqnocXs3yZ7n.json.gz"
        }
      },
      "cloudtrail": {
        "event_version": "1.09",
        "error_message": "x",
        "flattened": {
          "request_parameters": {
            "instanceId": "i-ve9smuho0o99gu0e"
          }
        },
        "event_type": "AwsApiCall",
        "read_only": true,
        "user_identity": {
          "access_key_id": "ASIA47CRWDCFZTJTTZ5N",
          "session_context": {
            "session_issuer": {
              "account_id": "xxxxx",
              "type": "Role",
              "arn": "arn:aws:iam::xxxx:role/stratus-red-team-ec2-get-password-data-role",
              "principal_id": "AROA47CRWDCF54MZ4BOTM"
            },
            "mfa_authenticated": "false",
            "creation_date": "2024-04-12T16:05:34.000Z"
          },
          "type": "AssumedRole",
          "arn": "arn:aws:sts::xxxx:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1712937933604364000"
        },
        "error_code": "Client.UnauthorizedOperation",
        "recipient_account_id": "xxxx",
        "event_category": "Management",
        "request_parameters": "{instanceId=i-ve9smuho0o99gu0e}",
        "request_id": "d798fb97-2500-454b-a753-63833660ecdf",
        "management_event": true
      }
    },
    "user": {
      "name": "stratus-red-team-ec2-get-password-data-role",
      "id": "xxxx:aws-go-sdk-1712937933604364000"
    },
    "user_agent": {
      "original": "stratus-red-team_cb8f5bb4-78bd-4242-a13d-61eaa7ab6b8a",
      "name": "Other",
      "device": {
        "name": "Other"
      }
    }
  },
  "fields": {
    "aws.cloudtrail.request_parameters.text": [
      "{instanceId=i-ve9smuho0o99gu0e}"
    ],
    "elastic_agent.version": [
      "8.13.2"
    ],
    "tls.version_protocol": [
      "tls"
    ],
    "user_agent.original.text": [
      "stratus-red-team_cb8f5bb4-78bd-4242-a13d-61eaa7ab6b8a"
    ],
    "agent.name.text": [
      "ip-172-31-95-103"
    ],
    "source.geo.region_name": [
      "Ohio"
    ],
    "aws.cloudtrail.user_identity.session_context.creation_date": [
      "2024-04-12T16:05:34.000Z"
    ],
    "source.ip": [
      "x.x.x.x"
    ],
    "agent.name": [
      "ip-172-31-95-103"
    ],
    "aws.cloudtrail.user_identity.session_context.session_issuer.account_id": [
      "xxxx"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "source.geo.region_iso_code": [
      "US-OH"
    ],
    "aws.cloudtrail.management_event": [
      "true"
    ],
    "event.kind": [
      "event"
    ],
    "aws.cloudtrail.user_identity.arn": [
      "arn:aws:sts::xxxx:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1712937933604364000"
    ],
    "event.outcome": [
      "failure"
    ],
    "source.geo.city_name": [
      "Massillon"
    ],
    "tls.version": [
      "1.3"
    ],
    "user_agent.original": [
      "stratus-red-team_cb8f5bb4-78bd-4242-a13d-61eaa7ab6b8a"

    ],
    "aws.cloudtrail.user_identity.session_context.session_issuer.principal_id": [
      "x"
    ],
    "cloud.region": [
      "us-east-1"
    ],
    "user.id": [
      "x:aws-go-sdk-1712937933604364000"
    ],
    "input.type": [
      "aws-s3"
    ],
    "log.offset": [
      2808
    ],
    "user_agent.name": [
      "Other"
    ],
    "data_stream.type": [
      "logs"
    ],
    "tags": [
      "preserve_original_event",
      "forwarded",
      "aws-cloudtrail"
    ],
    "event.provider": [
      "ec2.amazonaws.com"
    ],
    "agent.id": [
      "f14d530d-b7f2-4dbd-b122-28582c2a767c"
    ],
    "ecs.version": [
      "8.0.0"
    ],
    "event.created": [
      "2024-04-12T16:09:52.446Z"
    ],
    "aws.cloudtrail.event_version": [
      "1.09"
    ],
    "agent.version": [
      "8.13.2"
    ],
    "source.as.number": [
      12097
    ],
    "aws.cloudtrail.read_only": [
      true
    ],
    "aws.cloudtrail.event_category": [
      "Management"
    ],
    "aws.cloudtrail.user_identity.type": [
      "AssumedRole"
    ],
    "aws.s3.bucket.arn": [
      "arn:aws:s3:::asperitas-security-logs"
    ],
    "aws.cloudtrail.recipient_account_id": [
      "x"
    ],
    "aws.cloudtrail.user_identity.session_context.mfa_authenticated": [
      "false"
    ],
    "aws.cloudtrail.request_id": [
      "d798fb97-2500-454b-a753-63833660ecdf"
    ],
    "tls.cipher": [
      "TLS_AES_128_GCM_SHA256"
    ],
    "user.name": [
      "stratus-red-team-ec2-get-password-data-role"
    ],
    "source.geo.location": [
      {
        "coordinates": [
          x,x
        ],
        "type": "Point"
      }
    ],
    "aws.cloudtrail.user_identity.session_context.session_issuer.type": [
      "Role"
    ],
    "source.address": [
      "x.x.x.x"
    ],
    "aws.cloudtrail.flattened.request_parameters": [
      {
        "instanceId": "i-ve9smuho0o99gu0e"
      }
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "aws"
    ],
    "source.geo.country_iso_code": [
      "US"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "aws.cloudtrail.event_type": [
      "AwsApiCall"
    ],
    "aws.s3.bucket.name": [
      "asperitas-security-logs"
    ],
    "source.as.organization.name.text": [
      "MASSCOM"
    ],
    "elastic_agent.id": [
      "f14d530d-b7f2-4dbd-b122-28582c2a767c"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "source.as.organization.name": [
      "MASSCOM"
    ],
    "source.geo.continent_name": [
      "North America"
    ],
    "aws.cloudtrail.user_identity.session_context.session_issuer.arn": [
      "arn:aws:iam::891377031307:role/stratus-red-team-ec2-get-password-data-role"
    ],
    "aws.cloudtrail.error_message": [
      "You are not authorized to perform this operation. User: arn:aws:sts::891377031307:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1712937933604364000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:us-east-1:891377031307:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: TZsEO7v0YZ6Qk4-PRuGNxh3fSWJ-JguLyE56-Y3yYZ-fAZlmdOy94H2dHrZ1xGyos4qQBDxGJIq-Cozf0arl8S2Q6vS0EnubWAJohhambiKcB6qalMGMtn-YsKKy6_gGwfZ0z89oo8VFWfSeuRrJ7A4cBHfSMzeVYjPvMGUtghY95SjblWxc7L38vGGkoDR3FMjUdq4cNFzvADgerUMrVzxFPjaQODlmvnwncl4wrZPamtauLg7gGD-Y1dKRobeVaR7JLFNyLYhERJsfx3hW_ZUbFZYDQ_lxoKtz6bKMoh2hh5QcmLkLhkyWCEWkxPU4eL_2eudKCWdmyUhBYgwdX76e60bOn37cmx8st-0Zy6sN9V507Vc0cKYulZsBuqyhoG6A-GviFuKe1lTmShPTDkwz3ZiGGwtuPOWc-KwO_tezPr1yGGLzqj9mYokuL26flWEB5IxfYj6bYc51g6CohcF7S8nQrOSSHoaagQat_SWuzbllqlDxFtwAOtBe-Ex2XH1d_h5H6Wnhc6A_1ZlSbWsCfhpOPr7XBfrUKi54xHf5jiUqGHvQgfsEkeMydxt40UlO5YrslQ"
    ],
    "tls.client.server_name": [
      "ec2.us-east-1.amazonaws.com"
    ],
    "event.action": [
      "GetPasswordData"
    ],
    "event.ingested": [
      "2024-04-12T16:10:02.000Z"
    ],
    "@timestamp": [
      "2024-04-12T16:05:35.000Z"
    ],
    "cloud.account.id": [
      "891377031307"
    ],
    "aws.cloudtrail.user_identity.access_key_id": [
      "ASIA47CRWDCFZTJTTZ5N"
    ],
    "data_stream.dataset": [
      "aws.cloudtrail"
    ],
    "event.type": [
      "info"
    ],
    "log.file.path": [
      "https://asperitas-security-logs.s3.us-east-1.amazonaws.com/AWSLogs/891377031307/CloudTrail/us-east-1/2024/04/12/891377031307_CloudTrail_us-east-1_20240412T1610Z_xNoCUqnocXs3yZ7n.json.gz"
    ],
    "aws.cloudtrail.error_code": [
      "Client.UnauthorizedOperation"
    ],
    "agent.ephemeral_id": [
      "69b4fa20-756a-4d41-8325-7613b13a01b2"
    ],
    "aws.cloudtrail.request_parameters": [
      "{instanceId=i-ve9smuho0o99gu0e}"
    ],
    "event.id": [
      "a5a11749-89c2-43c8-a8bb-a505d8ba7bf2"
    ],
    "source.geo.country_name": [
      "United States"
    ],
    "user_agent.device.name": [
      "Other"
    ],
    "aws.s3.object.key": [
      "AWSLogs/891377031307/CloudTrail/us-east-1/2024/04/12/891377031307_CloudTrail_us-east-1_20240412T1610Z_xNoCUqnocXs3yZ7n.json.gz"
    ],
    "event.dataset": [
      "aws.cloudtrail"
    ],
    "user.name.text": [
      "stratus-red-team-ec2-get-password-data-role"
    ]
  }
}

@terrancedejesus terrancedejesus added Integration: AWS AWS related rules Rule: New Proposal for new rule Area: RAD labels Apr 10, 2024
@terrancedejesus terrancedejesus self-assigned this Apr 10, 2024
@terrancedejesus terrancedejesus changed the title [New Rule] First Occurrence of User Identity Sending Requests to EC2 Instance [New Rule] First Occurrence of User Identity Retrieving Credentials from EC2 Instance with an Assumed Role Apr 10, 2024
@terrancedejesus

Change description to focus on Administrator password for EC2.

@terrancedejesus terrancedejesus marked this pull request as ready for review May 6, 2024 13:41

@imays11 imays11 left a comment


Nice rule!

type = "new_terms"

query = '''
event.dataset: aws.cloudtrail

GetPasswordData with aws.cloudtrail.error_code:"Client.UnauthorizedOperation" looks more suspicious but may fit in a different rule.


@terrancedejesus terrancedejesus May 14, 2024


That is a good point. The tricky part with only signaling on unauthorized activity is the nature of adversaries leveraging valid accounts to conduct their TTPs. Always have to find a balance. I think in this case, with the Assumed Role we may catch an opportunist attempting to survey EC2 instances for credential access. Added to the logic!

@terrancedejesus terrancedejesus merged commit 38e0f13 into main May 14, 2024
14 checks passed
@terrancedejesus terrancedejesus deleted the new-rule-first-occurrence-getpassword-for-ec2-instance branch May 14, 2024 03:07
protectionsmachine pushed a commit that referenced this pull request May 14, 2024
…rom EC2 Instance with an Assumed Role (#3586)

* new rule 'First Occurrence of User Identity Sending  Requests to EC2 Instance'

* updated description and name

* added investigation guide; adjusted description

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Isai <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* updated query logic

* fixed spacing issue

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

---------

Co-authored-by: Isai <[email protected]>
Co-authored-by: Samirbous <[email protected]>

(cherry picked from commit 38e0f13)
protectionsmachine pushed a commit that referenced this pull request May 14, 2024
…rom EC2 Instance with an Assumed Role (#3586)

* new rule 'First Occurrence of User Identity Sending  Requests to EC2 Instance'

* updated description and name

* added investigation guide; adjusted description

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Isai <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* updated query logic

* fixed spacing issue

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

---------

Co-authored-by: Isai <[email protected]>
Co-authored-by: Samirbous <[email protected]>

(cherry picked from commit 38e0f13)
protectionsmachine pushed a commit that referenced this pull request May 14, 2024
…rom EC2 Instance with an Assumed Role (#3586)

* new rule 'First Occurrence of User Identity Sending  Requests to EC2 Instance'

* updated description and name

* added investigation guide; adjusted description

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Isai <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* updated query logic

* fixed spacing issue

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

---------

Co-authored-by: Isai <[email protected]>
Co-authored-by: Samirbous <[email protected]>

(cherry picked from commit 38e0f13)
protectionsmachine pushed a commit that referenced this pull request May 14, 2024
…rom EC2 Instance with an Assumed Role (#3586)

* new rule 'First Occurrence of User Identity Sending  Requests to EC2 Instance'

* updated description and name

* added investigation guide; adjusted description

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Isai <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* updated query logic

* fixed spacing issue

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

---------

Co-authored-by: Isai <[email protected]>
Co-authored-by: Samirbous <[email protected]>

(cherry picked from commit 38e0f13)
protectionsmachine pushed a commit that referenced this pull request May 14, 2024
…rom EC2 Instance with an Assumed Role (#3586)

* new rule 'First Occurrence of User Identity Sending  Requests to EC2 Instance'

* updated description and name

* added investigation guide; adjusted description

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Isai <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* updated query logic

* fixed spacing issue

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

---------

Co-authored-by: Isai <[email protected]>
Co-authored-by: Samirbous <[email protected]>

(cherry picked from commit 38e0f13)
protectionsmachine pushed a commit that referenced this pull request May 14, 2024
…rom EC2 Instance with an Assumed Role (#3586)

* new rule 'First Occurrence of User Identity Sending  Requests to EC2 Instance'

* updated description and name

* added investigation guide; adjusted description

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Isai <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* updated query logic

* fixed spacing issue

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

---------

Co-authored-by: Isai <[email protected]>
Co-authored-by: Samirbous <[email protected]>

(cherry picked from commit 38e0f13)
protectionsmachine pushed a commit that referenced this pull request May 14, 2024
…rom EC2 Instance with an Assumed Role (#3586)

* new rule 'First Occurrence of User Identity Sending  Requests to EC2 Instance'

* updated description and name

* added investigation guide; adjusted description

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Isai <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* updated query logic

* fixed spacing issue

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

---------

Co-authored-by: Isai <[email protected]>
Co-authored-by: Samirbous <[email protected]>

(cherry picked from commit 38e0f13)
protectionsmachine pushed a commit that referenced this pull request May 14, 2024
…rom EC2 Instance with an Assumed Role (#3586)

* new rule 'First Occurrence of User Identity Sending  Requests to EC2 Instance'

* updated description and name

* added investigation guide; adjusted description

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Isai <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* updated query logic

* fixed spacing issue

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

---------

Co-authored-by: Isai <[email protected]>
Co-authored-by: Samirbous <[email protected]>

(cherry picked from commit 38e0f13)
protectionsmachine pushed a commit that referenced this pull request May 14, 2024
…rom EC2 Instance with an Assumed Role (#3586)

* new rule 'First Occurrence of User Identity Sending  Requests to EC2 Instance'

* updated description and name

* added investigation guide; adjusted description

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Isai <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* updated query logic

* fixed spacing issue

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

---------

Co-authored-by: Isai <[email protected]>
Co-authored-by: Samirbous <[email protected]>

(cherry picked from commit 38e0f13)
protectionsmachine pushed a commit that referenced this pull request May 14, 2024
…rom EC2 Instance with an Assumed Role (#3586)

* new rule 'First Occurrence of User Identity Sending  Requests to EC2 Instance'

* updated description and name

* added investigation guide; adjusted description

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Isai <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* updated query logic

* fixed spacing issue

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

---------

Co-authored-by: Isai <[email protected]>
Co-authored-by: Samirbous <[email protected]>

(cherry picked from commit 38e0f13)
protectionsmachine pushed a commit that referenced this pull request May 14, 2024
…rom EC2 Instance with an Assumed Role (#3586)

* new rule 'First Occurrence of User Identity Sending  Requests to EC2 Instance'

* updated description and name

* added investigation guide; adjusted description

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Isai <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

Co-authored-by: Samirbous <[email protected]>

* updated query logic

* fixed spacing issue

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml

---------

Co-authored-by: Isai <[email protected]>
Co-authored-by: Samirbous <[email protected]>

(cherry picked from commit 38e0f13)