diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 83df4742c..6849770a8 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -150,7 +150,8 @@
 "logs-aws.cloudtrail-*": {
 "aws.cloudtrail.flattened.request_parameters.cidrIp": "keyword",
 "aws.cloudtrail.flattened.request_parameters.fromPort": "keyword",
-"aws.cloudtrail.flattened.request_parameters.roleArn": "keyword"
+"aws.cloudtrail.flattened.request_parameters.roleArn": "keyword",
+"aws.cloudtrail.flattened.request_parameters.serialNumber": "keyword"
 },
 "logs-azure.signinlogs-*": {
 "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword"
diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
index c9d1fb8a1..39e4c59dd 100644
--- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/25"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -80,6 +80,7 @@ tags = [
 "Data Source: AWS IAM",
 "Resources: Investigation Guide",
 "Tactic: Impact",
+"Tactic: Persistence",
 ]
 timestamp_override = "event.ingested"
 type = "query"
@@ -101,4 +102,19 @@ reference = "https://attack.mitre.org/techniques/T1531/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+[[rule.threat.technique.subtechnique]]
+id = "T1556.006"
+name = "Multi-Factor Authentication"
+reference = "https://attack.mitre.org/techniques/T1556/006/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 
diff --git a/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml b/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml
new file mode 100644
index 000000000..c4dcc60e1
--- /dev/null
+++ b/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml
@@ -0,0 +1,106 @@
+[metadata]
+creation_date = "2024/10/25"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2024/10/25"
+
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a user has assumed a role using a new MFA device. Users can assume a role to obtain temporary credentials and access AWS resources using the AssumeRole API of AWS Security Token Service (STS).
+While a new MFA device is not always indicative of malicious behavior it should be verified as adversaries can use this technique for persistence and privilege escalation.
+"""
+false_positives = [
+"AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes and to perform periodic tasks such as data backups, updates, or deployments.",
+]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS STS AssumeRole with New MFA Device"
+note = """## Setup
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+"https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html",
+"https://github.com/RhinoSecurityLabs/cloudgoat/blob/d5863b80afd082d853f2e8df1955c6393695a4da/scenarios/iam_privesc_by_key_rotation/README.md",
+]
+risk_score = 21
+rule_id = "a22f566b-5b23-4412-880d-c6c957acd321"
+severity = "low"
+tags = [
+"Domain: Cloud",
+"Data Source: AWS",
+"Data Source: Amazon Web Services",
+"Data Source: AWS STS",
+"Use Case: Identity and Access Audit",
+"Tactic: Privilege Escalation",
+"Tactic: Persistence",
+"Tactic: Lateral Movement",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:aws.cloudtrail
+and event.provider:sts.amazonaws.com
+and event.action:(AssumeRole or AssumeRoleWithSAML or AssumeRoleWithWebIdentity)
+and event.outcome:success
+and user.id:*
+and aws.cloudtrail.flattened.request_parameters.serialNumber:*
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+[[rule.threat.technique.subtechnique]]
+id = "T1556.006"
+name = "Multi-Factor Authentication"
+reference = "https://attack.mitre.org/techniques/T1556/006/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.id", "aws.cloudtrail.flattened.request_parameters.serialNumber"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-10d"
+
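Review bot: The action filter in the new query, `event.action:(AssumeRole or AssumeRoleWithSAML or AssumeRoleWithWebIdentity)`, is wider than the `serialNumber:*` clause it is ANDed with: as far as I can tell from the AssumeRole API reference the rule itself cites, SerialNumber is a request parameter of AssumeRole only, so the SAML and WebIdentity variants can never satisfy the last clause and only suggest coverage the rule does not have. I would narrow it to `and event.action:AssumeRole`, or leave a comment in the query explaining why the other two actions are kept. The description also promises a "new MFA device", but the `[rule.new_terms]` definition fires on any (`user.id`, `serialNumber`) pair unseen in the `now-10d` history window, which includes a long-enrolled device that was simply idle for ten days; the `note` should say so and tell the analyst to pivot to the IAM `EnableMFADevice` / `CreateVirtualMFADevice` events for the same serial number to confirm the device is actually new. The description's second sentence is also missing a comma after "behavior".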