Add the rule to detect backdooring of users keys
This commit is contained in:
faloker
@@ -0,0 +1,29 @@
|
||||
title: Creation of AWS API keys for users.
|
||||
id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
|
||||
status: experimental
|
||||
author: faloker
|
||||
date: 2020/02/12
|
||||
description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
|
||||
references:
|
||||
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6
|
||||
logsource:
|
||||
service: cloudtrail
|
||||
detection:
|
||||
selection_source:
|
||||
- eventSource: iam.amazonaws.com
|
||||
selection_eventname:
|
||||
- eventName: CreateAccessKey
|
||||
filter:
|
||||
userIdentity.arn|contains: responseElements.accessKey.userName
|
||||
condition: all of selection* and not filter
|
||||
fields:
|
||||
- userIdentity.arn
|
||||
- responseElements.accessKey.userName
|
||||
- errorCode
|
||||
- errorMessage
|
||||
level: high
|
||||
falsepositives:
|
||||
- Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
|
||||
- AWS API keys legitimate exchange workflows
|
||||
tags:
|
||||
- attack.t1098
|
||||
Reference in New Issue
Block a user