From 25733e1d674584eead79d3c3f219763450fb0691 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 15 Oct 2021 13:56:10 -0500 Subject: [PATCH] [New Rule] AWS STS AssumeRole Usage (#1214) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "*ipapi.co", "*ip-lookup.net", "*ipstack.com" * Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create lateral_movement_sts_assumerole_abuse.toml * Rename lateral_movement_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update * Update .gitignore Co-authored-by: Jonhnathan * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update and rename privilege_escalation_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_usage.toml * Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml Co-authored-by: Jonhnathan * Add note field * Update privilege_escalation_sts_assumerole_usage.toml * Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml Co-authored-by: Jonhnathan * Adding Reference * Expand STS Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Jonhnathan (cherry picked from commit d7eab5bbf3d0413b57042d1e7c37635af6826c36) --- ...ilege_escalation_sts_assumerole_usage.toml | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml new file mode 100644 index 000000000..c71e33e4d --- /dev/null +++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml @@ -0,0 +1,66 @@ +[metadata] +creation_date = "2021/05/17" +maturity = "production" +updated_date = "2021/10/05" +integration = "aws" + +[rule] +author = ["Austin Songer"] +description = """ +Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access +AWS resources. An adversary could use those credentials to move laterally and escalate privileges. +""" +false_positives = [ + """ + Automated processes that uses Terraform may lead to false positives. + """, +] +index = ["filebeat-*", "logs-aws*"] +language = "kuery" +license = "Elastic License v2" +name = "AWS Security Token Service (STS) AssumeRole Usage" +references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"] +note = """## Config + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +risk_score = 21 +rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726" +severity = "low" +tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and +aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/"