[New rule] AWS Secrets Manager and System Manager

Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

NOTICE.txt

@@ -32,3 +32,31 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
+
+---
+This product bundles rules based on https://github.com/FSecureLABS/leonidas
+which is available under a "MIT" license. The files based on this license are:
+
+- credential_access_secretsmanager_getsecretvalue.toml
+
+MIT License
+
+Copyright (c) 2020 F-Secure LABS
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

rules/aws/credential_access_secretsmanager_getsecretvalue.toml

@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2020/07/06"
+ecs_version = ["1.5.0"]
+maturity = "production"
+updated_date = "2020/07/06"
+
+[rule]
+author = ["Nick Jones", "Elastic"]
+description = """
+An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive
+material
+"""
+false_positives = [
+    """
+    Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified
+    SecretId. If known behavior is causing false positives, it can be exempted from the rule.
+    """,
+]
+from = "now-60m"
+index = ["filebeat-*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License"
+name = "AWS Access Secret in Secrets Manager"
+references = [
+    "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
+    "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/",
+]
+risk_score = 21
+rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
+severity = "low"
+tags = ["AWS", "Elastic"]
+type = "query"
+
+query = '''
+event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+

rules/aws/execution_via_system_manager.toml

@@ -0,0 +1,63 @@
+[metadata]
+creation_date = "2020/07/06"
+ecs_version = ["1.5.0"]
+maturity = "production"
+updated_date = "2020/07/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript,
+RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a
+compromised instance via reverse-shell using system only commands.
+"""
+false_positives = [
+    """
+    Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false
+    positives, it can be exempted from the rule.
+    """,
+]
+from = "now-60m"
+index = ["filebeat-*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License"
+name = "AWS Execution via System Manager"
+references = ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"]
+risk_score = 21
+rule_id = "37b211e8-4e2f-440f-86d8-06cc8f158cfa"
+severity = "low"
+tags = ["AWS", "Elastic"]
+type = "query"
+
+query = '''
+event.module:aws and event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1064"
+name = "Scripting"
+reference = "https://attack.mitre.org/techniques/T1064/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1086"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1086/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+