From 0b64638bf7949f703b15a992425375bef72efeb7 Mon Sep 17 00:00:00 2001 From: Isai <59296946+imays11@users.noreply.github.com> Date: Mon, 17 Jul 2023 12:29:02 -0400 Subject: [PATCH] [New Rule] AWS Credentials Searched For Inside a Container (#2887) * new rule toml * Updated query updated query based on review and added additional search queries * updated rule query based on review Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> --- ...s_aws_creds_search_inside_a_container.toml | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml diff --git a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml new file mode 100644 index 000000000..4311d3809 --- /dev/null +++ b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml @@ -0,0 +1,53 @@ +[metadata] +creation_date = "2023/06/28" +integration = ["cloud_defend"] +maturity = "production" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/28" + +[rule] +author = ["Elastic"] +description = "This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment." +from = "now-6m" +index = ["logs-cloud_defend*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "AWS Credentials Searched For Inside A Container" +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +references = [ + "https://sysdig.com/blog/threat-detection-aws-cloud-containers/", +] +risk_score = 47 +rule_id = "d0b0f3ed-0b37-44bf-adee-e8cb7de92767" +severity = "medium" +timestamp_override = "event.ingested" +type = "eql" + +query = """ +process where event.module == "cloud_defend" and + event.type == "start" and + +/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ +(process.name : ("grep", "egrep", "fgrep", "find", "locate", "mlocate") or process.args : ("grep", "egrep", "fgrep", "find", "locate", "mlocate")) and +process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", "*access_key*", "*.aws/credentials*") +""" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + id = "TA0006" + reference = "https://attack.mitre.org/tactics/TA0006/" + name = "Credential Access" + + [[rule.threat.technique]] + id = "T1552" + reference = "https://attack.mitre.org/techniques/T1552/" + name = "Unsecured Credentials" + + [[rule.threat.technique.subtechnique]] + id = "T1552.001" + reference = "https://attack.mitre.org/techniques/T1552/001/" + name = "Credentials In Files"