From 01d2f9f99d07678807f652b159aee0807ce5cb0c Mon Sep 17 00:00:00 2001 From: faloker Date: Wed, 12 Feb 2020 22:22:38 +0200 Subject: [PATCH] Add the rule to detect backdooring of users keys --- rules/cloud/aws_iam_backdoor_users_keys.yml | 29 +++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/cloud/aws_iam_backdoor_users_keys.yml diff --git a/rules/cloud/aws_iam_backdoor_users_keys.yml b/rules/cloud/aws_iam_backdoor_users_keys.yml new file mode 100644 index 000000000..0b5fa4af0 --- /dev/null +++ b/rules/cloud/aws_iam_backdoor_users_keys.yml @@ -0,0 +1,29 @@ +title: Creation of AWS API keys for users. +id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2 +status: experimental +author: faloker +date: 2020/02/12 +description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org. +references: + - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6 +logsource: + service: cloudtrail +detection: + selection_source: + - eventSource: iam.amazonaws.com + selection_eventname: + - eventName: CreateAccessKey + filter: + userIdentity.arn|contains: responseElements.accessKey.userName + condition: all of selection* and not filter +fields: + - userIdentity.arn + - responseElements.accessKey.userName + - errorCode + - errorMessage +level: high +falsepositives: + - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming) + - AWS API keys legitimate exchange workflows +tags: + - attack.t1098 \ No newline at end of file
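Review bot: the filter `userIdentity.arn|contains: responseElements.accessKey.userName` does not do what the description implies, because the right-hand side of a Sigma selection is a literal string, not a reference to another field: this matches only when the caller's ARN literally contains the text "responseElements.accessKey.userName", so the filter never excludes anything and the rule fires on every CreateAccessKey event, including a user creating a key for themselves. Since Sigma has no field-to-field comparison, consider either dropping the filter and stating plainly in the description that the self-service case must be excluded downstream (the falsepositives entry already hints at this), or narrowing the rule to a pattern a literal can express (for example, a selection on the calling identity type or role that is expected to create keys for others). Minor style points in the same hunk: `selection_source` and `selection_eventname` are single-key lists that could be plain mappings (`eventSource: iam.amazonaws.com`, `eventName: CreateAccessKey`), the title should not end with a period, and the file is missing a trailing newline.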