security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] AWS Credentials Searched For Inside a Container (#2887)

Browse Source 
* new rule toml

* Updated query

updated query based on review and added additional search queries

* updated rule query based on review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
This commit is contained in:
Isai
2023-07-17 12:29:02 -04:00
committed by GitHub
parent 0f5b5a3551
commit 0b64638bf7
1 changed files with 53 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
+53
View File
@@ -0,0 +1,53 @@
[metadata]
creation_date = "2023/06/28"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "New Integration: Cloud Defend"
min_stack_version = "8.8.0"
updated_date = "2023/06/28"
[rule]
author = ["Elastic"]
description = "This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment."
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "AWS Credentials Searched For Inside A Container"
tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
references = [
"https://sysdig.com/blog/threat-detection-aws-cloud-containers/",
]
risk_score = 47
rule_id = "d0b0f3ed-0b37-44bf-adee-e8cb7de92767"
severity = "medium"
timestamp_override = "event.ingested"
type = "eql"
query = """
process where event.module == "cloud_defend" and
event.type == "start" and
/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
(process.name : ("grep", "egrep", "fgrep", "find", "locate", "mlocate") or process.args : ("grep", "egrep", "fgrep", "find", "locate", "mlocate")) and
process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", "*access_key*", "*.aws/credentials*")
"""
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0006"
reference = "https://attack.mitre.org/tactics/TA0006/"
name = "Credential Access"
[[rule.threat.technique]]
id = "T1552"
reference = "https://attack.mitre.org/techniques/T1552/"
name = "Unsecured Credentials"
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
reference = "https://attack.mitre.org/techniques/T1552/001/"
name = "Credentials In Files"