From 1b58d0640b2399e850ad6f271f1aa0db9d045ddd Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Wed, 31 Jul 2024 15:52:59 -0400
Subject: [PATCH] [New Rule] AWS EC2 Instance Console Login via Assumed Role (#3922)
* [New Rule] AWS EC2 Instance Console Login via Assumed Role
* added reference for custom url creation
* added STS tag
* added event.provider to query
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
...l_movement_ec2_instance_console_login.toml | 82 +++++++++++++++++++
1 file changed, 82 insertions(+)
create mode 100644 rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml
diff --git a/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml b/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml
new file mode 100644
index 000000000..153db90dc
--- /dev/null
+++ b/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml
@@ -0,0 +1,82 @@
+[metadata]
+creation_date = "2024/07/24"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2024/07/31"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a successful console login activity by an EC2 instance profile using an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern "i-" which is the beginning pattern for assumed role sessions started by an EC2 instance and a successful `ConsoleLogin` or `GetSigninToken` API call.
+"""
+false_positives = ["This is very uncommon behavior and should result in minimal false positives, ensure validity of the triggered event and include exceptions where necessary."]
+from = "now-6m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "AWS EC2 Instance Console Login via Assumed Role"
+references = [
+ "https://redcanary.com/blog/aws-sts/",
+ "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html/",
+]
+risk_score = 73
+rule_id = "d1e5e410-3e34-412e-9b1f-dd500b3b55cd"
+severity = "high"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS EC2",
+ "Data Source: AWS STS",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Lateral Movement",
+ "Tactic: Credential Access",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where event.dataset == "aws.cloudtrail"
+ and event.provider == "signin.amazonaws.com"
+ and event.action in ("ConsoleLogin", "GetSigninToken")
+ and event.outcome == "success"
+ and aws.cloudtrail.user_identity.type == "AssumedRole"
+ and stringContains (user.id, ":i-")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = 
"https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.007" +name = "Cloud Services" +reference = "https://attack.mitre.org/techniques/T1021/007/" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" +