security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Building Block Rule - AWS IAM Login Profile Added to User (#3633)

Browse Source 
* new rule 'AWS IAM Login Profile Added to User'

* Update rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
This commit is contained in:
Terrance DeJesus
2024-05-14 11:10:43 -04:00
committed by GitHub
parent 2375297879
commit 608b801088
1 changed files with 70 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
+70
View File
@@ -0,0 +1,70 @@
[metadata]
bypass_bbr_timing = true
creation_date = "2024/04/30"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/30"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies when an AWS IAM login profile is added to a user. Adversaries may add a login profile to an IAM user who
typically does not have one and is used only for programmatic access. This can be used to maintain access to the account
even if the original access key is rotated or disabled. This is a building block rule and does not generate alerts on
its own. It is meant to be used for correlation with other rules to detect suspicious activity.
"""
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Login Profile Added to User"
risk_score = 21
rule_id = "10445cf0-0748-11ef-ba75-f661ea17fbcc"
severity = "low"
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS IAM",
"Use Case: Identity and Access Audit",
"Tactic: Persistence",
"Rule Type: BBR"
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com"
and event.action: "CreateLoginProfile" and event.outcome: success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"