[New Hunt] Adding Hunting Query for IAM Unusual Default Aviatrix Role Activity (#4409)

* new hunt 'unusual aviatrix default role activity'

* added additional investigation notes
This commit is contained in:
Terrance DeJesus
2025-01-28 12:09:29 -05:00
committed by GitHub
parent fed7b216d5
commit 4e95bc7891
4 changed files with 78 additions and 0 deletions
@@ -0,0 +1,43 @@
# IAM Unusual Default Aviatrix Role Activity
---
## Metadata
- **Author:** Elastic
- **Description:** This hunting query identifies unusual activity related to the default Aviatrix role in AWS CloudTrail logs. The Aviatrix role is a default role created by the Aviatrix Controller to manage AWS resources. Unusual activity may indicate unauthorized access or misuse of the Aviatrix role, potentially leading to data exfiltration, privilege escalation, or other security incidents.
- **UUID:** `9fe48b6e-d83a-11ef-84a6-f661ea17fbcd`
- **Integration:** [aws.cloudtrail](https://docs.elastic.co/integrations/aws/cloudtrail)
- **Language:** `[ES|QL]`
- **Source File:** [IAM Unusual Default Aviatrix Role Activity](../queries/iam_unusual_default_aviatrix_role_activity.toml)
## Query
```sql
from logs-aws.cloudtrail-*
| where @timestamp > now() - 14 day
| where event.dataset == "aws.cloudtrail"
and aws.cloudtrail.user_identity.type == "AssumedRole"
and aws.cloudtrail.user_identity.arn like "*aviatrix-role*"
| stats activity_counts = count(*) by event.provider, event.action, aws.cloudtrail.user_identity.arn
| where activity_counts < 10
| sort by activity_counts asc
```
## Notes
- Review the `aws.cloudtrail.user_identity.arn` field to identify the Aviatrix role.
- Review the `aws.cloudtrail.resources.arn` field to identify the EC2 instance associated with the activity.
- Review security group and network ACL configurations for the EC2 instance to ensure they are not overly permissive or allow unauthorized access.
- Using the EC2 instance, pivot into VPC Flow Logs to identify network traffic patterns and potential lateral movement.
- Review if the controller was recently deployed or updated, as this may explain unusual activity related to the Aviatrix role.
- If available, review endpoint logs for the Aviatrix Controller to identify any aviatrix processes that have made unusual requests or system calls.
## MITRE ATT&CK Techniques
- [T1078.004](https://attack.mitre.org/techniques/T1078/004)
## License
- `Elastic License v2`
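Review bot: the Notes section tells the analyst to review `aws.cloudtrail.resources.arn` to identify the EC2 instance, but the query's `stats activity_counts = count(*) by event.provider, event.action, aws.cloudtrail.user_identity.arn` collapses every field not named in the `by` clause, so the result set this doc describes never contains `resources.arn`. Either add the field to the grouping (for example `by event.provider, event.action, aws.cloudtrail.user_identity.arn, aws.cloudtrail.resources.arn`) or state in the Notes that the analyst must run a second, unaggregated query filtered on the returned role ARN and `event.action` to recover that context. Related: `activity_counts < 10` is a fixed count over 14 days rather than a comparison against a baseline period, so the Notes should say how to tune the threshold for a busy controller where every action exceeds it.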
@@ -0,0 +1,29 @@
[hunt]
author = "Elastic"
description = """
This hunting query identifies unusual activity related to the default Aviatrix role in AWS CloudTrail logs. The Aviatrix role is a default role created by the Aviatrix Controller to manage AWS resources. Unusual activity may indicate unauthorized access or misuse of the Aviatrix role, potentially leading to data exfiltration, privilege escalation, or other security incidents.
"""
integration = ["aws.cloudtrail"]
uuid = "9fe48b6e-d83a-11ef-84a6-f661ea17fbcd"
name = "IAM Unusual Default Aviatrix Role Activity"
language = ["ES|QL"]
license = "Elastic License v2"
notes = [
"Review the `aws.cloudtrail.user_identity.arn` field to identify the Aviatrix role.",
"Review the `aws.cloudtrail.resources.arn` field to identify the EC2 instance associated with the activity.",
"Review security group and network ACL configurations for the EC2 instance to ensure they are not overly permissive or allow unauthorized access.",
"Using the EC2 instance, pivot into VPC Flow Logs to identify network traffic patterns and potential lateral movement.",
"Review if the controller was recently deployed or updated, as this may explain unusual activity related to the Aviatrix role.",
"If available, review endpoint logs for the Aviatrix Controller to identify any aviatrix processes that have made unusual requests or system calls.",
]
mitre = ['T1078.004']
query = ['''
from logs-aws.cloudtrail-*
| where @timestamp > now() - 14 day
| where event.dataset == "aws.cloudtrail"
and aws.cloudtrail.user_identity.type == "AssumedRole"
and aws.cloudtrail.user_identity.arn like "*aviatrix-role*"
| stats activity_counts = count(*) by event.provider, event.action, aws.cloudtrail.user_identity.arn
| where activity_counts < 10
| sort by activity_counts asc
''']
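Review bot: `aws.cloudtrail.user_identity.arn like "*aviatrix-role*"` matches any assumed-role ARN whose role name merely contains that substring, including customer-named roles, while `description` says the hunt targets the default role created by the Aviatrix Controller. Either tighten the pattern to the default role name(s) the hunt intends, or relax the description to say "any role whose name contains `aviatrix-role`" so the toml and the markdown doc do not promise more precision than the filter delivers. Minor: `event.dataset == "aws.cloudtrail"` is already implied by the `logs-aws.cloudtrail-*` index pattern and can be dropped, or kept with a comment explaining why it is there.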
@@ -12,6 +12,7 @@ Here are the queries currently available:
- [High Frequency of EC2 Multi-Region `DescribeInstances` API Calls](./aws/docs/ec2_discovery_multi_region_describe_instance_calls.md) (ES|QL)
- [High Frequency of Service Quotas Multi-Region `GetServiceQuota` API Calls](./aws/docs/servicequotas_discovery_multi_region_get_service_quota_calls.md) (ES|QL)
- [IAM Assume Role Creation with Attached Policy](./aws/docs/iam_assume_role_creation_with_attached_policy.md) (ES|QL)
- [IAM Unusual Default Aviatrix Role Activity](./aws/docs/iam_unusual_default_aviatrix_role_activity.md) (ES|QL)
- [IAM User Activity with No MFA Session](./aws/docs/iam_user_activity_with_no_mfa_session.md) (ES|QL)
- [Lambda Add Permissions for Write Actions to Function](./aws/docs/lambda_add_permissions_for_write_actions_to_function.md) (ES|QL)
- [Multiple Service Logging Deleted or Stopped](./aws/docs/multiple_service_logging_deleted_or_stopped.md) (ES|QL)
@@ -414,6 +414,11 @@ aws:
path: ./aws/queries/iam_unusual_access_key_usage_for_user.toml
mitre:
- T1078.004
9fe48b6e-d83a-11ef-84a6-f661ea17fbcd:
name: IAM Unusual Default Aviatrix Role Activity
path: ./aws/queries/iam_unusual_default_aviatrix_role_activity.toml
mitre:
- T1078.004
windows:
44e6adc6-e183-4bfa-b06d-db41669641fa:
name: Rundll32 Execution Aggregated by Command Line
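Review bot: the `uuid`, `name`, `path` and `mitre` values in this entry duplicate what the toml hunk declares and what the markdown doc repeats a third time. If `index.yml` and the docs are generated from the toml that is fine, but please say so in the PR; otherwise document how the three copies are kept in sync, since a later change to `mitre` or `name` in one file will silently diverge from the others.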