[New Rule] Building Block Rule - Attempt to Retrieve User Data from AWS EC2 Instance (#3593)
* adding new rule 'Attempt to Retrieve User Data from AWS EC2 Instance'
* Update rules_building_block/discovery_userdata_request_from_ec2_instance.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
(cherry picked from commit 3b994c1133)
This commit is contained in:
Terrance DeJesus
committed by
github-actions[bot]
github-actions[bot]
parent
2691273c93
commit
a25d3cd23a
@@ -0,0 +1,62 @@
|
||||
[metadata]
|
||||
creation_date = "2024/04/14"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.9.0"
|
||||
updated_date = "2024/04/14"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
building_block_type = "default"
|
||||
description = """
|
||||
Identifies discovery request `DescribeInstanceAttribute` with the attribute userData and instanceId in AWS CloudTrail
|
||||
logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to
|
||||
gather sensitive data from the instance or to identify potential vulnerabilities. This is a building block rule that
|
||||
does not generate an alert on its own, but serves as a signal for anomalous activity.
|
||||
"""
|
||||
from = "now-119m"
|
||||
index = ["filebeat-*", "logs.aws.cloudtrail-*"]
|
||||
interval = "60m"
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "Attempt to Retrieve User Data from AWS EC2 Instance"
|
||||
references = [
|
||||
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceAttribute.html",
|
||||
"https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data",
|
||||
]
|
||||
risk_score = 21
|
||||
rule_id = "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce"
|
||||
severity = "low"
|
||||
tags = [
|
||||
"Domain: Cloud",
|
||||
"Data Source: AWS",
|
||||
"Data Source: Amazon Web Services",
|
||||
"Data Source: Amazon EC2",
|
||||
"Use Case: Log Auditing",
|
||||
"Tactic: Discovery",
|
||||
"Rule Type: BBR"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset:aws.cloudtrail
|
||||
and event.action:DescribeInstanceAttribute
|
||||
and aws.cloudtrail.request_parameters:(*attribute=userData* and *instanceId*)
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1580"
|
||||
name = "Cloud Infrastructure Discovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1580/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0007"
|
||||
name = "Discovery"
|
||||
reference = "https://attack.mitre.org/tactics/TA0007/"
|
||||
|
||||
Reference in New Issue
Block a user