diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 84cc5dad3..994f9913c 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -149,7 +149,8 @@
 },
 "logs-aws.cloudtrail-*": {
 "aws.cloudtrail.flattened.request_parameters.cidrIp": "keyword",
- "aws.cloudtrail.flattened.request_parameters.fromPort": "keyword"
+ "aws.cloudtrail.flattened.request_parameters.fromPort": "keyword",
+ "aws.cloudtrail.flattened.request_parameters.roleArn": "keyword"
 },
 "logs-azure.signinlogs-*": {
 "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword"
diff --git a/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml b/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml
similarity index 50%
rename from rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml
rename to rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml
index 9b150497c..7d54a0140 100644
--- a/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml
@@ -2,11 +2,11 @@
 creation_date = "2021/09/22"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/16"
 [rule]
-author = ["Austin Songer"]
-description = "Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target."
+author = ["Elastic", "Austin Songer"]
+description = "Identifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. This activity could be an indication of an attacker attempting to escalate privileges."
 false_positives = [
 """
 SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or
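Review bot: The new `description` narrows SAML providers to "federated access to the AWS Management Console", but an IAM SAML provider equally underpins API access through `AssumeRoleWithSAML` (the reference this same commit removes in the next hunk), so the sentence understates what a modified provider can grant. Suggest `SAML providers are used to enable federated access to AWS, both the Management Console and the API via AssumeRoleWithSAML.` It would also help the analyst to state what the update changes — the provider's metadata document determines which external identity provider the account trusts — since that is what justifies the Trust Modification mapping chosen later in the file. This is the first of two hunks for the renamed file; the second continues on the following lines.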
@@ -14,64 +14,53 @@ false_positives = [
 investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
+from = "now-9m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS SAML Activity"
+name = "AWS IAM SAML Provider Updated"
 note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
- "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html",
 ]
-risk_score = 21
+risk_score = 47
 rule_id = "979729e7-0c52-4c4c-b71e-88103304a79f"
-severity = "low"
+severity = "medium"
 tags = [
 "Domain: Cloud",
 "Data Source: AWS",
 "Data Source: Amazon Web Services",
+ "Data Source: AWS IAM",
 "Use Case: Identity and Access Audit",
- "Tactic: Defense Evasion",
+ "Tactic: Privilege Escalation",
 ]
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or
-UpdateSAMLProvider) and event.outcome:success
+event.dataset:aws.cloudtrail
+ and event.provider: iam.amazonaws.com
+ and event.action: UpdateSAMLProvider
+ and event.outcome:success
 '''
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
+id = "T1484"
+name = "Domain or Tenant Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/"
 [[rule.threat.technique.subtechnique]]
-id = "T1550.001"
-name = "Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1550/001/"
+id = "T1484.002"
+name = "Trust Modification"
+reference = "https://attack.mitre.org/techniques/T1484/002/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml
similarity index 59%
rename from rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
rename to rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml
index a9ae9733a..2ff90e214 100644
--- a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml
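Review bot: The renamed file now ends without a terminating newline (`\ No newline at end of file` after the final `reference = "https://attack.mitre.org/tactics/TA0004/"`), whereas the old file ended with blank lines; add the newline so the next edit to this rule does not show a spurious change on its last line. Separately, `from` drops from `now-25m` to `now-9m` while the rule's `interval` is not in the hunk; a 9-minute look-back only leaves a few minutes of overlap, so confirm the interval (presumably the default) is short enough that an `UpdateSAMLProvider` event cannot fall between two runs, since `timestamp_override = "event.ingested"` already assumes ingest lag is small. The narrowed query is consistent with the new name and the Privilege Escalation mapping.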
@@ -4,17 +4,25 @@ integration = ["aws"]
 maturity = "production"
 updated_date = "2024/07/23"
+
 [rule]
-author = ["Austin Songer"]
+author = ["Elastic", "Austin Songer"]
 description = """
-Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access
-AWS resources. An adversary could use those credentials to move laterally and escalate privileges.
+Identifies when a user has assumed a role in AWS Security Token Service (STS). Users can assume a role to obtain
+temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege
+escalation.
 """
-false_positives = ["Automated processes that use Terraform may lead to false positives."]
+false_positives = [
+ "AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes.",
+ "Applications integrated with AWS might assume roles to access AWS resources.",
+ """
+ Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.
+ """,
+]
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS Security Token Service (STS) AssumeRole Usage"
+name = "AWS STS Temporary Credentials via AssumeRole"
 note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
@@ -31,11 +39,14 @@ tags = [
 "Tactic: Privilege Escalation",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "new_terms"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumeRole and
-aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success
+event.dataset:aws.cloudtrail
+ and event.provider:sts.amazonaws.com
+ and event.action:AssumeRole*
+ and event.outcome:success
+ and user.id:*
 '''
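Review bot: The rewritten `description` names credential access and privilege escalation but no longer mentions lateral movement, while the rule keeps its `TA0008` Lateral Movement tactic mapping (visible in the later hunk at `name = "Lateral Movement"`); either restore a sentence such as `Adversaries can also use assumed-role credentials to move laterally into other accounts.` or drop the TA0008 mapping so the prose and the ATT&CK mapping agree. The added empty `+` line after `updated_date` appears to leave two blank lines before `[rule]` — judging by the hunk's line counts the old side already had one there — so drop it if that is the case.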
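Review bot: `event.action:AssumeRole*` no longer matches only `AssumeRole`: the wildcard also covers the other STS actions with that prefix, such as `AssumeRoleWithSAML` (the API this commit references elsewhere) and `AssumeRoleWithWebIdentity`, while the new `name` and `description` speak only of AssumeRole. If the wider match is intended, say so in the description; if not, list the actions explicitly, e.g. `and event.action:(AssumeRole or AssumeRoleWithSAML)`. Removing the `session_issuer.type:Role` filter is what lets the new-terms pair of `user.id` and `roleArn` cover IAM users as well as role chaining, but if `user.id` carries a session-qualified principal id for role sessions (role id joined to the session name), every fresh session name becomes a new term and the rule will fire far more often than the 10-day history window suggests — worth confirming against sample CloudTrail documents before merging.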
@@ -69,3 +80,11 @@ id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.id", "aws.cloudtrail.flattened.request_parameters.roleArn"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-10d"
+
+
diff --git a/tests/test_specific_rules.py b/tests/test_specific_rules.py
index bb7f0334f..2236745a4 100644
--- a/tests/test_specific_rules.py
+++ b/tests/test_specific_rules.py
@@ -17,6 +17,7 @@ from detection_rules.integrations import (
 load_integrations_manifests,
 load_integrations_schemas,
 )
+from detection_rules import ecs
 from detection_rules.config import load_current_package_version
 from detection_rules.packaging import current_stack_version
 from detection_rules.rule import QueryValidator
@@ -123,6 +124,8 @@ class TestNewTerms(BaseRuleTest):
 # checks if new terms field(s) are in ecs, beats non-ecs or integration schemas
 queryvalidator = QueryValidator(rule.contents.data.query)
 _, _, schema = queryvalidator.get_beats_schema([], beats_version, ecs_version)
+ for index_name in rule.contents.data.index:
+ schema.update(**ecs.flatten(ecs.get_index_schema(index_name)))
 integration_manifests = load_integrations_manifests()
 integration_schemas = load_integrations_schemas()
 integration_tags = meta.get("integration")
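Review bot: `rule.contents.data.index` is iterated unconditionally in the added loop, but not every rule declares `index` — rules that query a data view carry a data-view id instead, and for those this attribute is presumably `None`, which would turn the new-terms schema check into a `TypeError` rather than a lookup; guard it with `for index_name in rule.contents.data.index or []:`. The `**` unpacking on the following line is unnecessary because `dict.update` accepts a mapping directly, so `schema.update(ecs.flatten(ecs.get_index_schema(index_name)))` does the same with less indirection. The comment above the loop could also say why the merge is needed, e.g. `# merge the per-index non-ECS schema so integration-only fields such as aws.cloudtrail.flattened.* validate`. The enclosing test method starts before this hunk.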