From 1ff26cf53eb24b3d9eb65ebba73cb439ab25e067 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Wed, 28 Aug 2024 13:42:32 -0400
Subject: [PATCH] [New Rule] New Rules AWS Multi-Region Discovery of EC2 Instances and Quotas (#4015)
* new rules AWS EC2 discovery in multiple-regions
* adjusted query and from window
* added event providers, adjusted tags, changed file name
---
 ...y_ec2_multi_region_describe_instances.toml | 67 +++++++++++++++++
 ...s_multi_region_service_quota_requests.toml | 72 +++++++++++++++++++
 2 files changed, 139 insertions(+)
 create mode 100644 rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml
 create mode 100644 rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml
diff --git a/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml b/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml
new file mode 100644
index 000000000..6840dab36
--- /dev/null
+++ b/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml
@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2024/08/26"
+maturity = "production"
+updated_date = "2024/08/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a single AWS resource is making `DescribeInstances` API calls in more than 10 regions within a 30-second
+window. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple
+regions using compromised credentials or a compromised instance. Adversaries may use this information to identify
+potential targets for further exploitation or to gain a better understanding of the target's infrastructure.
+"""
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "AWS EC2 Multi-Region DescribeInstances API Calls"
+references = [
+ "https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/",
+ "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html",
+]
+risk_score = 21
+rule_id = "393ef120-63d1-11ef-8e38-f661ea17fbce"
+severity = "low"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: AWS EC2",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws.cloudtrail-*
+
+// filter for DescribeInstances API calls
+| where event.dataset == "aws.cloudtrail" and event.provider == "ec2.amazonaws.com" and event.action == "DescribeInstances"
+
+// truncate the timestamp to a 30-second window
+| eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)
+
+// count the number of unique regions and total API calls within the 30-second window
+| stats region_count = count_distinct(cloud.region), window_count = count(*) by target_time_window, aws.cloudtrail.user_identity.arn
+
+// filter for resources making DescribeInstances API calls in more than 10 regions within the 30-second window
+| where region_count >= 10 and window_count >= 10
+
+// sort the results by time windows in descending order
+| sort target_time_window desc
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1580"
+name = "Cloud Infrastructure Discovery"
+reference = "https://attack.mitre.org/techniques/T1580/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml b/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml
new file mode 100644
index 000000000..304b46b52
--- /dev/null
+++ b/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml
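Review bot: The description and the inline comment both say "more than 10 regions", but the threshold line is `| where region_count >= 10 and window_count >= 10`, so a principal that touches exactly 10 regions also alerts; either reword to "10 or more regions" or change the comparison to `region_count > 10`, and the same mismatch is present in the Service Quotas rule in the next hunk. The `window_count >= 10` clause appears redundant, since `count_distinct(cloud.region)` cannot exceed `count(*)` when `cloud.region` is single-valued per event, so if it is meant as a separate volume floor a comment should say so. Grouping by `aws.cloudtrail.user_identity.arn` also seems to put events with a missing ARN into one shared bucket, which is worth either documenting or excluding with `| where aws.cloudtrail.user_identity.arn is not null` ahead of the `stats`.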
@@ -0,0 +1,72 @@
+[metadata]
+creation_date = "2024/08/26"
+maturity = "production"
+updated_date = "2024/08/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a single AWS resource is making `GetServiceQuota` API calls for the EC2 service quota L-1216C47A in more
+than 10 regions within a 30-second window. Quota code L-1216C47A represents on-demand instances which are used by
+adversaries to deploy malware and mine cryptocurrency. This could indicate a potential threat actor attempting to
+discover the AWS infrastructure across multiple regions using compromised credentials or a compromised instance.
+"""
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "AWS Service Quotas Multi-Region `GetServiceQuota` Requests"
+references = [
+ "https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/",
+ "https://docs.aws.amazon.com/servicequotas/2019-06-24/apireference/API_GetServiceQuota.html",
+]
+risk_score = 21
+rule_id = "19be0164-63d2-11ef-8e38-f661ea17fbce"
+severity = "low"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: AWS Service Quotas",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws.cloudtrail-*
+
+// filter for GetServiceQuota API calls
+| where event.dataset == "aws.cloudtrail" and event.provider = "servicequotas.amazonaws.com" and event.action == "GetServiceQuota"
+
+// truncate the timestamp to a 30-second window
+| eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)
+
+// pre-process the request parameters to extract the service code and quota code
+| dissect aws.cloudtrail.request_parameters "{%{?service_code_key}=%{service_code}, %{?quota_code_key}=%{quota_code}}"
+
+// filter for EC2 service quota L-1216C47A (vCPU on-demand instances)
+| where service_code == "ec2" and quota_code == "L-1216C47A"
+
+// count the number of unique regions and total API calls within the 30-second window
+| stats region_count = count_distinct(cloud.region), window_count = count(*) by target_time_window, aws.cloudtrail.user_identity.arn
+
+// filter for resources making DescribeInstances API calls in more than 10 regions within the 30-second window
+| where region_count >= 10 and window_count >= 10
+
+// sort the results by time windows in descending order
+| sort target_time_window desc
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1580"
+name = "Cloud Infrastructure Discovery"
+reference = "https://attack.mitre.org/techniques/T1580/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
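Review bot: The first `where` in the query compares `event.provider = "servicequotas.amazonaws.com"` with a single `=`, while the neighbouring conditions and the EC2 rule use `==`; ES|QL's equality operator is `==`, so this line is likely to be rejected by the parser and the rule would not load — it should read `event.provider == "servicequotas.amazonaws.com"`. The comment above the threshold `where` was carried over from the EC2 rule and still says "DescribeInstances API calls"; change it to `// filter for resources making GetServiceQuota API calls in more than 10 regions within the 30-second window`. The `dissect` pattern assumes `aws.cloudtrail.request_parameters` is always rendered as `{serviceCode=…, quotaCode=…}` in that key order; if the order or formatting ever differs, `service_code` and `quota_code` stay null and those events are silently dropped by the next `where`, so a one-line comment stating that assumption and the sample value it was derived from would help the next maintainer.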