diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index e6165505b..412f4bd94 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -155,28 +155,18 @@ "auditd.data.a3": "keyword" }, "logs-aws.cloudtrail-*": { - "aws.cloudtrail.flattened.request_parameters.cidrIp": "keyword", - "aws.cloudtrail.flattened.request_parameters.fromPort": "keyword", - "aws.cloudtrail.flattened.request_parameters.roleArn": "keyword", - "aws.cloudtrail.flattened.request_parameters.roleName": "keyword", - "aws.cloudtrail.flattened.request_parameters.policyArn": "keyword", + "aws.cloudtrail.flattened.request_parameters.ipPermissions.items.ipRanges.items.cidrIp": "keyword", + "aws.cloudtrail.flattened.request_parameters.ipPermissions.items.fromPort": "keyword", "aws.cloudtrail.flattened.request_parameters.serialNumber": "keyword", "aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm": "keyword", - "aws.cloudtrail.flattened.additional_eventdata.SSEApplied": "keyword", - "aws.cloudtrail.flattened.request_parameters.bucketName": "keyword", - "aws.cloudtrail.flattened.request_parameters.key": "keyword", "aws.cloudtrail.flattened.request_parameters.includeDeprecated": "keyword", "aws.cloudtrail.flattened.request_parameters.withDecryption": "boolean", "aws.cloudtrail.flattened.request_parameters.instanceId": "keyword", - "aws.cloudtrail.flattened.request_parameters.dryRun": "boolean", - "aws.cloudtrail.flattened.request_parameters.clientToken": "keyword", - "aws.cloudtrail.flattened.response_elements.s3BucketName": "keyword", - "aws.cloudtrail.flattened.response_elements.tableArn": "keyword", "aws.cloudtrail.flattened.request_parameters.attribute": "keyword", "aws.cloudtrail.flattened.request_parameters.reason": "keyword", "aws.cloudtrail.flattened.request_parameters.omitted": "keyword", - "aws.cloudtrail.flattened.request_parameters.ownersSet.items.owner": "keyword", - "aws.cloudtrail.flattened.response_elements.documentDescription.documentType": "keyword" + "aws.cloudtrail.flattened.response_elements.documentDescription.documentType": "keyword", + 
"aws.cloudtrail.flattened.request_parameters.groupSet.items.groupId": "keyword"
},
"logs-azure.signinlogs-*": {
"azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword",
diff --git a/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml b/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
index 780a2f5a4..e646464c6 100644
--- a/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
+++ b/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
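Review bot: The two boolean request flags in this block are typed differently — `withDecryption` is `"boolean"` while `includeDeprecated` (kept as context) stays `"keyword"` — although both are booleans in the underlying API requests, which is why the DescribeImages rule has to query the string `"true"`; declaring `"aws.cloudtrail.flattened.request_parameters.includeDeprecated": "boolean"` would keep validation consistent across the two. The new nested CIDR path covers only `ipRanges.items.cidrIp`; any rule that wants to match IPv6 any-source ranges will also need `"aws.cloudtrail.flattened.request_parameters.ipPermissions.items.ipv6Ranges.items.cidrIpv6": "keyword"`, which I believe is where CloudTrail records `::/0` in the IpPermissions request form. The added `groupSet.items.groupId` entry is not referenced by any rule in this diff as far as I can see, so its consumer is worth naming in the commit message.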
@@ -2,27 +2,19 @@ creation_date = "2024/04/12" integration = ["aws"] maturity = "production" -updated_date = "2025/01/27" +updated_date = "2025/07/09" [rule] author = ["Elastic"] description = """ -Detects the first occurrence of a user identity accessing AWS Systems Manager (SSM) SecureString parameters using the -GetParameter or GetParameters API actions with credentials in the request parameters. This could indicate that the user -is accessing sensitive information. This rule detects when a user accesses a SecureString parameter with the -`withDecryption` parameter set to true. This is a -[NewTerms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that -detects the first occurrence of a specific AWS ARN accessing SecureString parameters with decryption within the last 10 -days. +Detects the first occurrence of a user identity accessing AWS Systems Manager (SSM) SecureString parameters using the GetParameter or GetParameters API actions with credentials in the request parameters. This could indicate that the user is accessing sensitive information. This rule detects when a user accesses a SecureString parameter with the withDecryption parameter set to true. This is a New Terms rule that detects the first occurrence of an AWS identity accessing SecureString parameters with decryption. """ false_positives = [ """ - Users may legitimately access AWS Systems Manager (SSM) parameters using the GetParameter, GetParameters, or - DescribeParameters API actions with credentials in the request parameters. Ensure that the user has a legitimate - reason to access the parameters and that the credentials are secured. + Users may legitimately access AWS Systems Manager (SSM) parameters using the GetParameter, GetParameters, or DescribeParameters API actions with credentials in the request parameters. Ensure that the user has a legitimate reason to access the parameters and that the credentials are secured. 
""",
]
-from = "now-9m"
+from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
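Review bot: The rewritten description drops the "within the last 10 days" qualifier, but `history_window_start` later in this file is still `now-10d`, so the text no longer tells analysts how long an identity must be quiet before it counts as new; suggest ending the sentence with `...detects the first occurrence of an AWS identity accessing SecureString parameters with decryption in the last 10 days.` The lookback also shrinks from `now-9m` to `now-6m`; unless the rule sets `timestamp_override = "event.ingested"` (outside this hunk), CloudTrail events delivered more than six minutes after their `@timestamp` fall outside the window and are never evaluated, so that override is worth confirming before the change lands.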
@@ -39,8 +31,8 @@ Adversaries may target SecureStrings to retrieve sensitive information such as e #### Possible Investigation Steps - **Review the Access Event**: Identify the specific API call (`GetParameter` or `GetParameters`) that triggered the rule. Examine the `request_parameters` for `withDecryption` set to true and the name of the accessed parameter. -- **Verify User Identity and Access Context**: Check the `user_identity` details to understand who accessed the parameter and their role within the organization. This includes checking the ARN and access key ID to determine if the access was authorized. - - **User ID**: Review the `user.id` field to identify the specific user or role that initiated the API call. Note that the ARN associated may be an assumed role and may not directly correspond to a human user. +- **Verify User Identity and Access Context**: Check the `aws.cloudtrail.user_identity` details to understand who accessed the parameter and their role within the organization. This includes checking the ARN and access key ID to determine if the access was authorized. + - **User ID**: Review the `user.name` field to identify the specific user or role that initiated the API call. Note that the ARN associated may be an assumed role and may not directly correspond to a human user. - **Contextualize with User Behavior**: Assess whether the access pattern fits the user’s normal behavior or job responsibilities. Investigate any out-of-pattern activities around the time of the event. - **Analyze Geographic and IP Context**: Using the `source.ip` and `source.geo` information, verify if the request came from a trusted location or if there are any anomalies that suggest a compromised account. 
- **Inspect Related CloudTrail Events**: Look for other related events in CloudTrail to see if there was unusual activity before or after this event, such as unusual login attempts, changes to permissions, or other API calls that could indicate broader unauthorized actions. @@ -93,6 +85,22 @@ event.dataset: aws.cloudtrail ) ''' +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters" +] [[rule.threat]] framework = "MITRE ATT&CK" @@ -114,7 +122,7 @@ reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" -value = ["aws.cloudtrail.user_identity.arn"] +value = ["cloud.account.id", "user.name"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" diff --git a/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml b/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml index 96cbb221f..78961ffa9 100644 --- a/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml +++ b/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml 
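Review bot: `target.entity.id` in the new `investigation_fields` list is not used by any of the sibling AWS rules touched in this diff, and it is not obvious that the CloudTrail integration populates it for `GetParameter`/`GetParameters` events; an always-empty column only adds noise to the alert view. Either drop it so the list matches the other rules (`user.name`, `source.ip`, `aws.cloudtrail.user_identity.*`, `cloud.*`, `aws.cloudtrail.request_parameters`) or note in the commit which pipeline sets it.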
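Review bot: Keying New Terms on `user.name` instead of `aws.cloudtrail.user_identity.arn` changes what "first occurrence" means for assumed roles: if `user.name` carries the role session name, SDK sessions with generated names (e.g. `botocore-session-<epoch>`) become a new term on every call, while a shared role with a fixed session name collapses many operators into one term that alerts only once. The investigation text above still warns that the ARN "may be an assumed role", so either keep the ARN as the identity key, e.g. `value = ["cloud.account.id", "aws.cloudtrail.user_identity.arn"]`, or document the session-name behaviour in the note so analysts know why an existing role can still surface as new.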
@@ -2,26 +2,21 @@ creation_date = "2024/04/16" integration = ["aws"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/07/10" [rule] author = ["Elastic"] description = """ -Identifies when a specified inbound (ingress) rule is added or adjusted for a VPC security group in AWS EC2. This rule -detects when a security group rule is added that allows traffic from any IP address or from a specific IP address to -common remote access ports, such as 22 (SSH) or 3389 (RDP). Adversaries may add these rules to allow remote access to -VPC instances from any location, increasing the attack surface and potentially exposing the instances to unauthorized -access. +Identifies when a specified inbound (ingress) rule is added or adjusted for a VPC security group in AWS EC2. This rule detects when a security group rule is added that allows traffic from any IP address or from a specific IP address to common remote access ports, such as 22 (SSH) or 3389 (RDP). Adversaries may add these rules to allow remote access to VPC instances from any location, increasing the attack surface and potentially exposing the instances to unauthorized access. """ false_positives = [ """ - Administrators may legitimately add security group rules to allow traffic from any IP address or from specific IP - addresses to common remote access ports. + Administrators may legitimately add security group rules to allow traffic from any IP address or from specific IP addresses to common remote access ports. """, ] -from = "now-60m" +from = "now-6m" index = ["filebeat-*", "logs-aws.cloudtrail-*"] -interval = "10m" +interval = "5m" language = "kuery" license = "Elastic License v2" name = "Insecure AWS EC2 VPC Security Group Ingress Rule Added" 
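Review bot: `from` drops from `now-60m` to `now-6m` while `interval` drops to `5m`, leaving a one-minute overlap on a CloudTrail source; unless this rule sets `timestamp_override = "event.ingested"` (not visible in the hunk), any `AuthorizeSecurityGroupIngress` whose `@timestamp` is more than six minutes old at ingest — routine for CloudTrail delivery — is never evaluated. For a rule that is the only alert on an exposed SSH/RDP port, a wider lookback such as `from = "now-20m"` is cheap insurance; if the override is in place, a short sentence in the commit message saying the 6m window relies on it would save the next reviewer the same question.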
@@ -83,11 +78,25 @@ event.dataset: "aws.cloudtrail" and event.provider: ec2.amazonaws.com and event.action: AuthorizeSecurityGroupIngress and event.outcome: success - and aws.cloudtrail.flattened.request_parameters.cidrIp: ("0.0.0.0/0" or "::/0") - and aws.cloudtrail.flattened.request_parameters.fromPort: ( + and aws.cloudtrail.flattened.request_parameters.ipPermissions.items.ipRanges.items.cidrIp: ("0.0.0.0/0" or "::/0") + and aws.cloudtrail.flattened.request_parameters.ipPermissions.items.fromPort: ( 21 or 22 or 23 or 445 or 3389 or 5985 or 5986) ''' - +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters" +] [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/discovery_ec2_deprecated_ami_discovery.toml b/rules/integrations/aws/discovery_ec2_deprecated_ami_discovery.toml index 64dc33f08..d889edd26 100644 --- a/rules/integrations/aws/discovery_ec2_deprecated_ami_discovery.toml +++ b/rules/integrations/aws/discovery_ec2_deprecated_ami_discovery.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/24" integration = ["aws"] maturity = "production" -updated_date = "2025/06/10" +updated_date = "2025/07/09" [rule] author = ["Elastic"] @@ -39,7 +39,7 @@ This rule detects when a user queries AWS for deprecated Amazon Machine Images ( - Analyze the `user_agent.original` field to determine the client or tool used (e.g., AWS CLI, SDK). 3. **Validate the Query Context**: - - Inspect the `aws.cloudtrail.flattened.request_parameters` field + - Inspect the `aws.cloudtrail.request_parameters` field - Determine if the request is part of legitimate activity, such as: - Security assessments or vulnerability scans. - Maintenance or testing of legacy systems. 
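Review bot: The new query keeps `"::/0"` in the value list but matches it against `ipPermissions.items.ipRanges.items.cidrIp`; in the IpPermissions request form CloudTrail records IPv6 ranges under `ipv6Ranges.items.cidrIpv6`, so the IPv6 any-source case can no longer match and an ingress rule opening port 22 to `::/0` is missed. Add `or aws.cloudtrail.flattened.request_parameters.ipPermissions.items.ipv6Ranges.items.cidrIpv6: "::/0"` to the CIDR clause, with the matching entry in the non-ECS schema. The old top-level `cidrIp`/`fromPort` form, which the API still accepts from callers that do not use IpPermissions, is also no longer matched; if dropping it is intentional that deserves a sentence in the description. As before, `fromPort` alone still misses `ipProtocol: -1` (all traffic) and port ranges starting below 21 that include the listed ports.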
@@ -109,7 +109,6 @@ event.dataset: "aws.cloudtrail" and event.action: "DescribeImages" and event.outcome: "success" and aws.cloudtrail.flattened.request_parameters.includeDeprecated: "true" - and aws.cloudtrail.flattened.request_parameters.ownersSet.items.owner: * ''' [rule.investigation_fields] field_names = [ diff --git a/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml b/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml index 83e1e00ab..b36fc9ab4 100644 --- a/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml +++ b/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/14" integration = ["aws"] maturity = "production" -updated_date = "2025/06/17" +updated_date = "2025/07/10" [rule] author = ["Elastic"] @@ -144,7 +144,7 @@ reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" -value = ["user.name", "aws.cloudtrail.flattened.request_parameters.instanceId"] +value = ["cloud.account.id", "user.name", "aws.cloudtrail.flattened.request_parameters.instanceId"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" diff --git a/rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml b/rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml index 26486f5bf..0ac438e7e 100644 --- a/rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml +++ b/rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["aws"] maturity = "production" -updated_date = "2025/06/25" +updated_date = "2025/07/10" [rule] author = ["Elastic"] 
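Review bot: Dropping `ownersSet.items.owner: *` widens the rule from owner-scoped deprecated-AMI queries to every `DescribeImages` call with `includeDeprecated: true`, including unscoped catalog-wide listings, so the false-positive guidance and risk score should be re-checked against that larger volume and the description should state that any deprecated-image query fires it. If the filter was removed only because the field left the non-ECS schema, the original scope can be kept by restoring `"aws.cloudtrail.flattened.request_parameters.ownersSet.items.owner": "keyword"` there instead.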
@@ -29,8 +29,8 @@ This rule detects the execution of commands or scripts on EC2 instances using AW #### Possible Investigation Steps - **Identify the Target Instance**: - - **Instance ID**: Review the `aws.cloudtrail.flattened.request_parameters.instanceIds` field to identify which EC2 instances were targeted by this command. Confirm if these instances are expected to be managed through SSM. - - **Document Used**: Check the `aws.cloudtrail.flattened.request_parameters.documentName` field, which specifies the document or script being executed. Commands such as `RunShellScript` or `RunPowerShellScript` can indicate interactive sessions or script-based interactions. + - **Instance ID**: Review the `aws.cloudtrail.request_parameters` field to identify which EC2 instances were targeted by this command. Confirm if these instances are expected to be managed through SSM. + - **Document Used**: Check the `aws.cloudtrail.request_parameters` field, which specifies the name of the document or script being executed. Commands such as `RunShellScript` or `RunPowerShellScript` can indicate interactive sessions or script-based interactions. - **Review User Context**: - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine the user or role executing the `SendCommand`. If this user is not typically involved in EC2 or SSM interactions, this could indicate unauthorized access. diff --git a/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml b/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml index e13b71a35..421a5e865 100644 --- a/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml +++ b/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml 
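Review bot: Both bullets now point analysts at the same opaque field, `aws.cloudtrail.request_parameters`, for two different things, and lose the key names that made the step actionable; since the field is a JSON string, keep the keys in the text, e.g. `Review the "instanceIds" key inside aws.cloudtrail.request_parameters to identify which EC2 instances were targeted` and `Check the "documentName" key inside aws.cloudtrail.request_parameters, which specifies the document or script being executed`. The SSM documents named in the second bullet are `AWS-RunShellScript` and `AWS-RunPowerShellScript`; quoting the full names helps when searching the raw JSON.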
@@ -2,24 +2,19 @@ creation_date = "2025/03/13" integration = ["aws"] maturity = "production" -updated_date = "2025/03/13" +updated_date = "2025/07/10" [rule] author = ["Elastic"] description = """ -Identifies when an AWS DynamoDB table is exported to S3. Adversaries may use the ExportTableToPointInTime operation to -collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by -monitoring for the ExportTableToPointInTime action in CloudTrail logs. This is a New Terms rule that only flags when -this behavior is observed by the `aws.cloudtrail.user_identity.arn` for the first time in the last 14 days. +Identifies when an AWS DynamoDB table is exported to S3. Adversaries may use the ExportTableToPointInTime operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the ExportTableToPointInTime action in CloudTrail logs. This is a New Terms rule that only flags when this behavior is observed by the "user.name" for the first time. """ false_positives = [ """ - Legitimate users may export DynamoDB tables for various reasons, such as data analysis or backup purposes. Ensure - that the user has the necessary permissions and that the ExportTableToPointInTime operation is authorized before - taking action. + Legitimate users may export DynamoDB tables for various reasons, such as data analysis or backup purposes. Ensure that the user has the necessary permissions and that the ExportTableToPointInTime operation is authorized before taking action. """, ] -from = "now-9m" +from = "now-6m" index = ["filebeat-*", "logs-aws.cloudtrail-*"] language = "kuery" license = "Elastic License v2" 
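Review bot: The new description says the rule flags "for the first time" with no window and quotes the field as `"user.name"` in double quotes, while the sibling rules use backticks and `history_window_start` later in this file still defines a 14-day window; suggest ending with the wording "observed by the `user.name` within a `cloud.account.id` for the first time in the last 14 days" so the text matches the `new_terms` keys and the window. The `from` reduction to `now-6m` has the same CloudTrail-delay caveat as the other rules in this change unless `timestamp_override = "event.ingested"` is set.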
@@ -30,27 +25,27 @@ note = """ ## Triage and analysis This rule identifies when an AWS DynamoDB table is exported to S3. Adversaries may use the ExportTableToPointInTime operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the ExportTableToPointInTime action in CloudTrail logs. -This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that only flags when this behavior is observed for the first time on a host in the last 14 days. +This is a New Terms rule that only flags when this behavior is observed for the first time. #### Possible Investigation Steps - Identify the Actor: Review the `aws.cloudtrail.user_identity.arn` field to identify the user who requested the export. Verify if this actor typically performs such actions and has the necessary permissions. It may be unusual for this activity to originate from certain user types, such as an assumed role or federated user. -- Review the Source IP: Check the `source.address` field to determine the source of the request. If the request comes from an unexpected location or IP address, it may indicate a compromised account or unauthorized access. +- Review the Source IP: Check the `source.ip` field to determine the source of the request. If the request comes from an unexpected location or IP address, it may indicate a compromised account or unauthorized access. +- Review Access Key: Check the `aws.cloudtrail.user_identity.access_key_id` field to identify the access key used for the request. Determine if this key has been compromised. - Analyze the Request Parameters: Examine the `aws.cloudtrail.request_parameters` field to understand the details of the ExportTableToPointInTime request. Look for any unusual parameters or patterns that may indicate malicious intent. This also details the DynamoDB table being exported. 
-- Review Access Key: Check the `aws.cloudtrail.user_identity.access_key_id` field to identify the access key used for the request. Determine if this key is associated with a legitimate user or if it has been compromised. ### False Positive Analysis -- Historical User Actions: If the user has a history of exporting DynamoDB tables for legitimate purposes, this may not be a false positive. Review the user's activity logs to determine if this behavior is consistent with their normal actions. -- Automated Processes: Some automated processes or applications may perform exports on DynamoDB tables as part of their functionality. If the user is associated with such a process, this may not be a false positive. +- Historical User Actions: If the user has a history of exporting DynamoDB tables for legitimate purposes, this may be a false positive. Review the user's activity logs to determine if this behavior is consistent with their normal actions. +- Automated Processes: Some automated processes or applications may perform exports on DynamoDB tables as part of their functionality. If the user is associated with such a process, this may be a false positive. ### Response and Remediation -- Immediate Review and Reversal: If the ExportTableToPointInTime action is determined to be unauthorized, immediately revoke the user's access to the DynamoDB table and any associated resources. This may involve disabling the user's account or removing their permissions. +- Immediate Review and Reversal: If the ExportTableToPointInTime action is determined to be unauthorized, immediately revoke the user's access to the DynamoDB table and any associated resources. This may involve disabling the user's access keys or removing their permissions. - Investigate Compromise: If the ExportTableToPointInTime action is determined to be malicious, investigate the source and destination of the request and any potential compromise of the user's account. 
If the destination S3 bucket is not known, it may be a sign of data exfiltration and may require incident response. - Review IAM Policies: Review the IAM policies associated with the user to ensure that they have the appropriate permissions for their role. If necessary, update the policies to restrict access to sensitive resources. - Monitor for Future Activity: Continue to monitor the user's activity for any further suspicious behavior. Set up additional alerts or logging to detect any future unauthorized access attempts. ### Additional Information -For further guidance on managing and securing SNS topics in AWS environments, refer to the [AWS SNS documentation](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/security.html) and AWS best practices for security. +For further guidance on managing and securing DynamoDB in AWS environments, refer to the [AWS DynamoDB documentation](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/security.html) and AWS best practices for security. """ references = ["https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_ExportTableToPointInTime.html"] risk_score = 21 @@ -73,7 +68,7 @@ query = ''' event.dataset: "aws.cloudtrail" and event.provider: "dynamodb.amazonaws.com" and event.action: "ExportTableToPointInTime" - and aws.cloudtrail.flattened.request_parameters.dryRun: false + and event.outcome: "success" ''' 
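Review bot: The "Analyze the Request Parameters" step still names only the generic `aws.cloudtrail.request_parameters` field, yet the response section tells the analyst to act when "the destination S3 bucket is not known" without saying where to find it; for `ExportTableToPointInTime` the destination is the request's `S3Bucket` (and optional `S3BucketOwner`) parameter, so add `Look for the "S3Bucket" and "S3BucketOwner" values to identify the destination bucket and whether it belongs to another account.` to that bullet. The "Identify the Actor" bullet keys on `aws.cloudtrail.user_identity.arn` while the rule's new-terms key later in the file is now `user.name`; mention both so analysts understand why a familiar role ARN can still produce a new-term alert.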
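Review bot: Replacing `dryRun: false` with `event.outcome: "success"` is the right correction (ExportTableToPointInTime has no dryRun parameter as far as I can tell), but it also silently excludes failed attempts: an `AccessDenied` on `ExportTableToPointInTime` from a never-seen identity is often the more telling signal during credential compromise. If failures are meant to be out of scope, say so in the description or false-positives text; otherwise consider dropping the outcome clause and leaving `event.outcome` in the investigation fields to distinguish the two.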
@@ -99,25 +94,22 @@ reference = "https://attack.mitre.org/tactics/TA0010/" field_names = [ "@timestamp", "user.name", - "source.address", + "user_agent.original", + "source.ip", "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", - "user_agent.original", "event.action", "event.outcome", + "cloud.account.id", "cloud.region", - "aws.cloudtrail.flattened.request_parameters.clientToken", - "aws.cloudtrail.flattened.response_elements.s3Bucket", - "aws.cloudtrail.flattened.response_elements.tableArn", "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" ] [rule.new_terms] field = "new_terms_fields" -value = ["aws.cloudtrail.user_identity.arn"] +value = ["cloud.account.id", "user.name"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/integrations/aws/impact_s3_excessive_object_encryption_with_sse_c.toml b/rules/integrations/aws/impact_s3_excessive_object_encryption_with_sse_c.toml index 153c4a644..eeb5c02c4 100644 --- a/rules/integrations/aws/impact_s3_excessive_object_encryption_with_sse_c.toml +++ b/rules/integrations/aws/impact_s3_excessive_object_encryption_with_sse_c.toml 
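Review bot: `aws.cloudtrail.response_elements` replaces the specific `s3Bucket` and `tableArn` keys, but it is an unparsed JSON string, so the note should tell analysts which keys to read from it — I believe the export response carries `exportDescription.exportArn`, `exportDescription.s3Bucket` and `exportDescription.tableArn`; a sentence such as `The export ARN, destination bucket and source table are under "exportDescription" in aws.cloudtrail.response_elements.` would restore what the removed fields gave at a glance. The switch of the new-terms key to `user.name` also diverges from the ARN used throughout the triage text; for assumed roles the two are not interchangeable, which is worth one sentence in the note.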
@@ -2,23 +2,19 @@ creation_date = "2025/01/15" integration = ["aws"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/07/10" [rule] author = ["Elastic"] description = """ -Identifies a high-volume of AWS S3 objects stored in a bucket using using Server-Side Encryption with Customer-Provided Keys -(SSE-C). Adversaries with compromised AWS credentials can encrypt objects in an S3 bucket using their own encryption -keys, rendering the objects unreadable or recoverable without the key. This can be used as a form of ransomware to -extort the bucket owner for the decryption key. This is a [Threshold](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-threshold-rule) rule that flags when -this behavior is observed for a specific bucket more than 15 times in a short time-window. +Identifies a high-volume of AWS S3 objects stored in a bucket using using Server-Side Encryption with Customer-Provided Keys (SSE-C). Adversaries with compromised AWS credentials can encrypt objects in an S3 bucket using their own encryption keys, rendering the objects unreadable or recoverable without the key. This can be used as a form of ransomware to extort the bucket owner for the decryption key. This is a Threshold rule that triggers when this behavior is observed multiple times for a specific bucket in a short time-window. """ false_positives = [ """ Legitimate use of Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt objects in an S3 bucket. """, ] -from = "now-9m" +from = "now-6m" index = ["filebeat-*", "logs-aws.cloudtrail-*"] language = "kuery" license = "Elastic License v2" 
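Review bot: The duplicated word "using using" from the old description is carried verbatim into the new single-line description (`...stored in a bucket using using Server-Side Encryption...`); while rewriting it, fix to `Identifies a high-volume of AWS S3 objects stored in a bucket using Server-Side Encryption with Customer-Provided Keys (SSE-C).` The new sentence "observed multiple times for a specific bucket" also loses the actual threshold; `[rule.threshold]` later in the file is `value = 20`, so say "20 or more times in a short time-window" (the old text's "more than 15 times" already disagreed with it), and "for a specific bucket" no longer describes a threshold keyed on `tls.client.server_name`.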
@@ -36,11 +32,11 @@ This rule identifies a high volume of objects being encrypted using Server-Side - Review the `aws.cloudtrail.user_identity.access_key_id` to identify the access key used. This could be a compromised key. 2. **Examine the Targeted Resources**: - - Check `aws.cloudtrail.flattened.request_parameters.bucketName` to identify the bucket involved. - - Analyze the object key from `aws.cloudtrail.flattened.request_parameters.key`. + - Check `aws.cloudtrail.request_parameters` to identify the bucket involved. + - Analyze the object key from `aws.cloudtrail.request_parameters`. 3. **Evaluate Encryption Behavior**: - - Confirm the encryption details in `aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm` and `aws.cloudtrail.flattened.additional_eventdata.SSEApplied`. + - Confirm the encryption details in `aws.cloudtrail.request_parameters` and `aws.cloudtrail.additional_eventdata`. - Note if `SSEApplied` is `SSE-C`, which confirms encryption using a customer-provided key. 4. **Correlate with Recent Events**: @@ -104,9 +100,24 @@ event.dataset: "aws.cloudtrail" and event.action: "PutObject" and event.outcome: "success" and aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm: "AES256" - and aws.cloudtrail.flattened.additional_eventdata.SSEApplied: "SSE_C" ''' +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.outcome", + "tls.client.server_name", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters" +] [[rule.threat]] framework = "MITRE ATT&CK" 
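Review bot: The new `investigation_fields` list omits `aws.cloudtrail.additional_eventdata`, yet the triage step in the earlier hunk still tells analysts to confirm `SSEApplied` is `SSE-C` in exactly that field; add `"aws.cloudtrail.additional_eventdata",` next to `"aws.cloudtrail.request_parameters"` so the sibling rule's list and the note agree. Dropping the `SSEApplied: "SSE_C"` condition from the query is probably behaviour-neutral — S3 only honours the `x-amz-server-side-encryption-customer-algorithm` header on SSE-C requests — but it changes the match from "S3 confirmed SSE-C" to "the caller requested SSE-C", which deserves a clause in the description rather than being inferred from the diff.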
@@ -122,7 +133,7 @@ name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" [rule.threshold] -field = ["aws.cloudtrail.flattened.request_parameters.bucketName"] +field = ["tls.client.server_name"] value = 20 diff --git a/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml b/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml index 818537e77..4d5f1027b 100644 --- a/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml +++ b/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml 
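Review bot: Thresholding on `tls.client.server_name` is not the same as thresholding on the bucket: if the integration fills it from CloudTrail's `tlsDetails.clientProvidedHostHeader`, it only equals `<bucket>.s3.<region>.amazonaws.com` for virtual-hosted-style requests, while path-style requests, access-point and VPC-endpoint hostnames, and any `PutObject` over plain HTTP either share one value across many buckets or carry no value at all — and threshold rules drop events that lack the group field. So 20 SSE-C writes spread over several buckets behind one hostname alert once, and a bucket written through an access point may never alert. CloudTrail S3 data events include the bucket ARN in `resources`; if the integration exposes that (e.g. as `aws.cloudtrail.resources.arn`) it is the faithful key, otherwise the description should state the hostname caveat instead of "for a specific bucket".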
@@ -2,24 +2,19 @@ creation_date = "2025/01/15" integration = ["aws"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/07/10" [rule] author = ["Elastic"] description = """ -Identifies when AWS S3 objects stored in a bucket are encrypted using Server-Side Encryption with Customer-Provided Keys -(SSE-C). Adversaries with compromised AWS credentials can encrypt objects in an S3 bucket using their own encryption -keys, rendering the objects unreadable or recoverable without the key. This can be used as a form of ransomware to -extort the bucket owner for the decryption key. This is a [New -Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that flags when -this behavior is observed for the first time in the last 14 days by the user ARN and target bucket name. +Identifies when AWS S3 objects stored in a bucket are encrypted using Server-Side Encryption with Customer-Provided Keys (SSE-C). Adversaries with compromised AWS credentials can encrypt objects in an S3 bucket using their own encryption keys, rendering the objects unreadable or recoverable without the key. This can be used as a form of ransomware to extort the bucket owner for the decryption key. This is a New Terms rule that flags when this behavior is observed for the first time user and target bucket name. """ false_positives = [ """ Legitimate use of Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt objects in an S3 bucket. """, ] -from = "now-9m" +from = "now-6m" index = ["filebeat-*", "logs-aws.cloudtrail-*"] language = "kuery" license = "Elastic License v2" 
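Review bot: The rewritten description is ungrammatical at the end (`...observed for the first time user and target bucket name.`) and still says "bucket name" although the new-terms key later in this file is now `tls.client.server_name`; suggest `This is a New Terms rule that flags when this behavior is observed for the first time in the last 14 days for a given account, user, and S3 hostname.` The `history_window_start` of `now-14d` is unchanged, so the window can safely stay in the text.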
@@ -37,11 +32,11 @@ This rule identifies the use of Server-Side Encryption with Customer-Provided Ke - Review the `aws.cloudtrail.user_identity.access_key_id` to identify the access key used. This could be a compromised key. 2. **Examine the Targeted Resources**: - - Check `aws.cloudtrail.flattened.request_parameters.bucketName` to identify the bucket involved. - - Analyze the object key from `aws.cloudtrail.flattened.request_parameters.key`. + - Check `aws.cloudtrail.request_parameters` to identify the bucket involved. + - Analyze the object key from `aws.cloudtrail.request_parameters`. 3. **Evaluate Encryption Behavior**: - - Confirm the encryption details in `aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm` and `aws.cloudtrail.flattened.additional_eventdata.SSEApplied`. + - Confirm the encryption details in `aws.cloudtrail.request_parameters` and `aws.cloudtrail.additional_eventdata`. - Note if `SSEApplied` is `SSE-C`, which confirms encryption using a customer-provided key. 4. **Correlate with Recent Events**: @@ -105,7 +100,6 @@ event.dataset: "aws.cloudtrail" and event.action: "PutObject" and event.outcome: "success" and aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm: "AES256" - and aws.cloudtrail.flattened.additional_eventdata.SSEApplied: "SSE_C" ''' 
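Review bot: Both "Examine the Targeted Resources" bullets now name the same generic field, so the step no longer tells the analyst what to look for in the JSON; keep the key names, e.g. `Check the "bucketName" key in aws.cloudtrail.request_parameters to identify the bucket involved.` and `Analyze the "key" value in aws.cloudtrail.request_parameters for the object written.`, and in step 3 point at the `x-amz-server-side-encryption-customer-algorithm` key and the `SSEApplied` key of `aws.cloudtrail.additional_eventdata` rather than the bare container fields.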
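Review bot: Removing `additional_eventdata.SSEApplied: "SSE_C"` leaves the customer-algorithm header as the only SSE-C indicator; S3 accepts that header only for SSE-C requests, so the match set is likely unchanged, but the rule now fires on what the caller requested rather than on S3's confirmation that SSE-C was applied, while the triage step still asks analysts to confirm `SSEApplied` is `SSE-C`. One clause in the description, such as "as indicated by the SSE-C algorithm header in the request", would make clear the condition was dropped deliberately and not lost with the schema field.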
@@ -125,25 +119,23 @@ reference = "https://attack.mitre.org/tactics/TA0040/" [rule.investigation_fields] field_names = [ "@timestamp", - "event.action", - "event.outcome", + "source.ip", + "user_agent.original", "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", - "aws.cloudtrail.flattened.request_parameters.bucketName", - "aws.cloudtrail.flattened.request_parameters.key", - "aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm", - "aws.cloudtrail.flattened.additional_eventdata.SSEApplied", + "event.action", + "event.outcome", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.additional_eventdata", "aws.cloudtrail.response_elements", - "source.ip", - "user_agent.original", "cloud.region", "cloud.account.id", ] [rule.new_terms] field = "new_terms_fields" -value = ["aws.cloudtrail.user_identity.arn", "aws.cloudtrail.flattened.request_parameters.bucketName"] +value = ["cloud.account.id", "user.name", "tls.client.server_name"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml index e8530097a..6d898c32d 100644 --- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml +++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml 
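Review bot: New Terms on `tls.client.server_name` as a stand-in for the bucket has a gap the old `bucketName` key did not: events where the field is absent (PutObject over HTTP, or any path where the integration leaves `tls.client.server_name` empty) cannot form a term and so never alert, and path-style or access-point hostnames make several buckets look like one already-seen term. If the intent is truly per-bucket, a bucket identifier derived from CloudTrail's `resources` array (if the integration maps it) is the better key; otherwise the description earlier in the file should say "S3 hostname" rather than "bucket name" so the limitation is visible to operators.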
@@ -2,23 +2,19 @@
 creation_date = "2021/05/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/10"
+updated_date = "2025/07/10"
 [rule]
 author = ["Elastic", "Austin Songer"]
 description = """
-Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying
-configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or
-pivot in an AWS environment.
+Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.
 """
 false_positives = [
 """
- A security group may be created by a system or network administrator. Verify whether the user identity, user agent,
- and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts
- should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ A security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-9m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
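Review bot: `from = "now-6m"` cuts the look-back by three minutes with no visible change to `interval` (outside the hunk); if the rule runs every 5m the overlap between runs is now one minute, and any CloudTrail event delivered later than that after its `@timestamp` falls outside every window unless the rule sets `timestamp_override = "event.ingested"` (not visible here). Worth confirming against observed ingestion lag for this integration before shrinking it, or keeping `from = "now-9m"`. The same shortening is made in the IAM policy-attachment hunk below.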
@@ -30,44 +26,13 @@ note = """## Triage and analysis
 ### Investigating AWS EC2 Security Group Configuration Change
-AWS EC2 Security Groups act as virtual firewalls, controlling inbound and outbound traffic to instances. Adversaries may exploit changes in these configurations to gain unauthorized access, maintain persistence, or exfiltrate data. The detection rule monitors successful modifications to security group settings, such as rule changes or new group creation, to identify potential security breaches and unauthorized access attempts.
-
-### Possible investigation steps
-
-- Review the CloudTrail logs for the specific event.dataset "aws.cloudtrail" to identify the exact changes made to the security group configuration.
-- Examine the event.provider "ec2.amazonaws.com" and event.action fields to determine the type of action performed, such as "AuthorizeSecurityGroupEgress" or "ModifySecurityGroupRules", to understand the nature of the change.
-- Check the event.outcome field to confirm the success of the action and correlate it with any suspicious activity or unauthorized access attempts.
-- Investigate the IAM user or role associated with the change to verify if the action aligns with their typical behavior and permissions.
-- Analyze the timing and context of the change to see if it coincides with any other unusual activities or alerts in the AWS environment.
-- Assess the impact of the security group change on the overall security posture, including potential exposure of sensitive resources or data.
-- If necessary, consult with the responsible team or individual to validate the legitimacy of the change and ensure it was authorized.
-
-### False positive analysis
-
-- Routine administrative changes to security groups by authorized personnel can trigger alerts. To manage this, maintain a list of known IP addresses and users who regularly perform these tasks and create exceptions for their activities.
-- Automated scripts or tools used for infrastructure management may frequently modify security group settings. Identify these tools and exclude their actions from triggering alerts by using their specific identifiers or tags.
-- Scheduled updates or deployments that involve security group modifications can result in false positives. Document these schedules and adjust the monitoring rules to account for these expected changes during specific time windows.
-- Changes made by cloud service providers as part of their maintenance or updates might be flagged. Verify these changes through official communication from the provider and consider excluding them if they are part of standard operations.
-
-### Response and remediation
-
-- Immediately isolate the affected EC2 instances by removing them from the compromised security group to prevent further unauthorized access.
-- Revert any unauthorized changes to the security group configurations by restoring them to their last known good state using AWS CloudTrail logs for reference.
-- Conduct a thorough review of IAM roles and permissions associated with the affected security groups to ensure that only authorized personnel have the ability to modify security group settings.
-- Implement additional monitoring and alerting for any future changes to security group configurations, focusing on the specific actions identified in the detection rule.
-- Escalate the incident to the security operations team for further investigation and to determine if there are any broader implications or related threats within the AWS environment.
-- Review and update the AWS security group policies to enforce stricter rules and minimize the attack surface, ensuring that only necessary ports and protocols are allowed.
-- Conduct a post-incident analysis to identify the root cause and implement measures to prevent similar incidents, such as enhancing logging and monitoring capabilities or applying stricter access controls.
-
-### Investigating AWS EC2 Security Group Configuration Change
-
 This rule identifies any changes to an AWS Security Group, which functions as a virtual firewall controlling inbound and outbound traffic for resources like EC2 instances. Modifications to a security group configuration could expose critical assets to unauthorized access. Threat actors may exploit such changes to establish persistence, exfiltrate data, or pivot within an AWS environment.
 #### Possible Investigation Steps
 1. **Identify the Modified Security Group**:
- - **Security Group ID**: Check the `aws.cloudtrail.flattened.request_parameters.groupId` field to identify the specific security group affected.
- - **Rule Changes**: Review `aws.cloudtrail.flattened.response_elements.securityGroupRuleSet` to determine the new rules or configurations, including any added or removed IP ranges, protocol changes, and port specifications.
+ - **Security Group ID**: Check the `aws.cloudtrail.request_parameters` field to identify the specific security group affected.
+ - **Rule Changes**: Review `aws.cloudtrail.response_elements` to determine the new rules or configurations, including any added or removed IP ranges, protocol changes, and port specifications.
 2. **Review User Context**:
 - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine which user or role made the modification. Verify if this is an authorized administrator or a potentially compromised account.
@@ -124,31 +89,31 @@ type = "query"
 query = '''
 event.dataset: "aws.cloudtrail"
- and event.provider: "ec2.amazonaws.com"
- and event.action:(
+ and event.provider: "ec2.amazonaws.com" and event.outcome: "success"
+ and (event.action:(
+ "AuthorizeSecurityGroupIngress" or
 "AuthorizeSecurityGroupEgress" or
 "CreateSecurityGroup" or
- "ModifyInstanceAttribute" or
 "ModifySecurityGroupRules" or
 "RevokeSecurityGroupEgress" or
- "RevokeSecurityGroupIngress")
- and event.outcome: "success"
+ "RevokeSecurityGroupIngress") or
+ (event.action: "ModifyInstanceAttribute" and aws.cloudtrail.flattened.request_parameters.groupSet.items.groupId:*))
 '''
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
 "user.name",
+ "user_agent.original",
+ "source.ip",
 "aws.cloudtrail.user_identity.arn",
 "aws.cloudtrail.user_identity.type",
- "user_agent.original",
- "aws.cloudtrail.flattened.request_parameters.instanceId",
+ "aws.cloudtrail.user_identity.access_key_id",
 "event.action",
 "event.outcome",
+ "cloud.account.id",
 "cloud.region",
- "event.provider",
- "aws.cloudtrail.request_parameters",
- "aws.cloudtrail.response_elements"
+ "aws.cloudtrail.request_parameters"
 ]
diff --git a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
index 075d1cdf2..9768c1fe6 100644
--- a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
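Review bot: `"aws.cloudtrail.response_elements"` is removed from `field_names` while the triage note rewritten in the previous hunk still tells the analyst to `Review aws.cloudtrail.response_elements to determine the new rules or configurations`; for the Authorize/Revoke actions the response is where the resulting rule set is reported, so either keep `"aws.cloudtrail.response_elements",` after `"aws.cloudtrail.request_parameters"` or reword the note. The new `ModifyInstanceAttribute` branch also depends on `aws.cloudtrail.flattened.request_parameters.groupSet.items.groupId` being a mapped field: the same commit prunes many `flattened.*` entries from non-ecs-schema.json and the visible schema hunk is cut off before the new additions, so confirm this one is declared, otherwise the existence check never matches and instance re-homing into another security group is silently dropped from the rule.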
@@ -2,29 +2,21 @@
 creation_date = "2024/11/04"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/10"
+min_stack_comments = "New fields added: actor.entity.id and target.entity.id"
+min_stack_version = "8.16.5"
+updated_date = "2025/07/10"
 [rule]
 author = ["Elastic"]
 description = """
-Detects when an AWS Identity and Access Management (IAM) customer-managed policy is attached to a role by an unusual or
-unauthorized user. Customer-managed policies are policies created and controlled within an AWS account, granting
-specific permissions to roles or users when attached. This rule identifies potential privilege escalation by flagging
-cases where a customer-managed policy is attached to a role by an unexpected actor, which could signal unauthorized
-access or misuse. Attackers may attach policies to roles to expand permissions and elevate their privileges within the
-AWS environment. This is a [New
-Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that uses the
-`aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.flattened.request_parameters.roleName` fields to check if the
-combination of the actor ARN and target role name has not been seen in the last 14 days.
+Detects when an AWS Identity and Access Management (IAM) customer-managed policy is attached to a role by an unusual or unauthorized user. Customer-managed policies are policies created and controlled within an AWS account, granting specific permissions to roles or users when attached. This rule identifies potential privilege escalation by flagging cases where a customer-managed policy is attached to a role by an unexpected actor, which could signal unauthorized access or misuse. Attackers may attach policies to roles to expand permissions and elevate their privileges within the AWS environment. This is a New Terms rule that uses the "cloud.account.id", "user.name" and "target.entity.id" fields to check if the combination of the actor identity and target role name has not been seen before.
 """
 false_positives = [
 """
- Legitimate IAM administrators may attach customer-managed policies to roles for various reasons, such as granting
- temporary permissions or updating existing policies. Ensure that the user attaching the policy is authorized to do
- so and that the action is expected.
+ Legitimate IAM administrators may attach customer-managed policies to roles for various reasons, such as granting temporary permissions or updating existing policies. Ensure that the user attaching the policy is authorized to do so and that the action is expected.
 """,
 ]
-from = "now-9m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
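Review bot: The new description says the actor/role combination `has not been seen before`, but the rule still keeps `value = "now-14d"` under `[[rule.new_terms.history_window_start]]` (visible in the new-terms hunk of this file further down), so the actual claim is 14 days, not ever; the dropped qualifier should stay, e.g. `… has not been seen in the last 14 days.`. The same sentence was removed from the assume-role-policy description below, whose `history_window_start` is likewise unchanged. The text also calls `target.entity.id` the `target role name`; it is an entity id (presumably the role ARN), so `target role` is the accurate wording.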
@@ -39,14 +31,14 @@ This rule detects when a customer-managed IAM policy is attached to a role by an
 - **Identify the Initiating User and Target Role**:
 - **User Identity**: Examine the `aws.cloudtrail.user_identity.arn` field to determine the user who initiated the policy attachment. Confirm if this user typically has permissions to modify IAM roles and if their activity is consistent with their usual responsibilities.
- - **Target Role**: Review `aws.cloudtrail.flattened.request_parameters.roleName` to identify the role to which the policy was attached. Assess whether modifying this role is expected for this user or if this action is unusual in your environment.
+ - **Target Role**: Review `target.entity.id` to identify the role to which the policy was attached. Assess whether modifying this role is expected for this user or if this action is unusual in your environment.
 - **Analyze the Attached Policy**:
- - **Policy ARN**: Inspect the `aws.cloudtrail.flattened.request_parameters.policyArn` field to identify the specific customer-managed policy attached to the role. Evaluate if this policy grants sensitive permissions, especially permissions that could enable privileged actions or data access.
+ - **Policy ARN**: Inspect the `aws.cloudtrail.request_parameters` field to identify the specific customer-managed policy attached to the role. Evaluate if this policy grants sensitive permissions, especially permissions that could enable privileged actions or data access.
 - **Policy Permissions**: Examine the policy content to determine the scope of permissions granted. Policies enabling actions like `s3:*`, `ec2:*`, or `iam:*` could be leveraged for broader access, persistence, or lateral movement.
 - **Review Source and User Agent Details**:
- - **Source IP and Location**: Analyze the `source.address` and `source.geo` fields to confirm the IP address and geographic location where the policy attachment originated. Verify if this matches expected locations for the initiating user.
+ - **Source IP and Location**: Analyze the `source.ip` and `source.geo` fields to confirm the IP address and geographic location where the policy attachment originated. Verify if this matches expected locations for the initiating user.
 - **User Agent Analysis**: Examine `user_agent.original` to determine if AWS CLI, SDK, or other tooling was used to perform this action. Tool identifiers like `aws-cli` or `boto3` may indicate automation, while others may suggest interactive sessions.
 - **Evaluate Anomalous Behavior Patterns**:
@@ -54,7 +46,7 @@ This rule detects when a customer-managed IAM policy is attached to a role by an
 - **Role Modification History**: Investigate if the targeted role is frequently modified by this or other users. Repeated, unauthorized modifications to a role could signal an attempt to maintain elevated access.
 - **Correlate with Related CloudTrail Events**:
- - **Other IAM or CloudTrail Activities**: Look for recent actions associated with the same user or role by reviewing `event.action` by `event.provider` to identify which AWS services were accessed. This may provide context on the user’s intent or additional actions taken.
+ - **Other IAM or CloudTrail Activities**: Look for recent actions associated with the same user or role by reviewing `event.action` and `event.provider` to identify which AWS services were accessed. This may provide context on the user’s intent or additional actions taken.
 - **Broader Suspicious Patterns**: Identify if similar anomalous events have recently occurred, potentially suggesting a coordinated or escalating attack pattern within the AWS account.
 ### False Positive Analysis
@@ -94,23 +86,22 @@ event.dataset: "aws.cloudtrail"
 and event.provider: "iam.amazonaws.com"
 and event.action: "AttachRolePolicy"
 and event.outcome: "success"
- and not aws.cloudtrail.flattened.request_parameters.policyArn: arn\:aws\:iam\:\:aws\:policy*
+ and not related.entity: arn\:aws\:iam\:\:aws\:policy*
 '''
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
 "user.name",
- "source.address",
+ "user_agent.original",
+ "source.ip",
 "aws.cloudtrail.user_identity.arn",
 "aws.cloudtrail.user_identity.type",
- "user_agent.original",
- "aws.cloudtrail.flattened.request_parameters.policyArn",
- "aws.cloudtrail.flattened.request_parameters.roleName",
+ "target.entity.id",
 "event.action",
 "event.outcome",
+ "cloud.account.id",
 "cloud.region",
- "event.provider",
 "aws.cloudtrail.request_parameters"
 ]
@@ -134,7 +125,7 @@ reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["aws.cloudtrail.user_identity.arn", "aws.cloudtrail.flattened.request_parameters.roleName"]
+value = ["cloud.account.id", "user.name", "target.entity.id"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
diff --git a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
index 987aca6a9..7ee7cc9ef 100644
--- a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
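Review bot: `not related.entity: arn\:aws\:iam\:\:aws\:policy*` replaces an exclusion on the specific `policyArn` request parameter with one on `related.entity`, which by its name (and the `actor.entity.id`/`target.entity.id` fields introduced alongside it) is a multi-valued list of every entity on the event. That is equivalent only if the integration actually copies the attached policy ARN into `related.entity`; if it does not, the exclusion silently becomes a no-op and every AWS-managed policy attachment fires as a "customer-managed" hit, and because `min_stack_version = "8.16.5"` gates those entity fields, the exclusion now also depends on the stack populating them. A test with one `arn:aws:iam::aws:policy/...` attachment and one account-owned policy ARN (constructed, not from the page) would pin this down. The `query` string starts outside the hunk.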
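Review bot: `new_terms_fields` now keys on `target.entity.id`, and the description calls that the target role, but `AttachRolePolicy` names two entities in its request (`roleName` and `policyArn`); if the integration resolves `target.entity.id` to the policy rather than the role, the rule alerts on first-seen (account, user, policy) instead of first-seen (account, user, role) and the triage step `Review target.entity.id to identify the role` is wrong. Confirm which entity the mapping picks for this action; if the policy identity is also wanted in the alert, an explicit field is still required, since `aws.cloudtrail.flattened.request_parameters.policyArn` leaves `field_names` in the hunk above.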
@@ -2,12 +2,14 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/06/12"
+min_stack_comments = "New fields added: actor.entity.id and target.entity.id"
+min_stack_version = "8.16.5"
+updated_date = "2025/07/10"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies AWS CloudTrail events where an IAM role's trust policy has been updated by an IAM user or Assumed Role identity. The trust policy is a JSON document that defines which principals are allowed to assume the role. An attacker may attempt to modify this policy to gain the privileges of the role. This is a New Terms rule, which means it will only trigger once for each unique combination of the "cloud.account.id", "user.name" and "aws.cloudtrail.flattened.request_parameters.roleName" fields, that have not been seen making this API request within the last 14 days.
+Identifies AWS CloudTrail events where an IAM role's trust policy has been updated by an IAM user or Assumed Role identity. The trust policy is a JSON document that defines which principals are allowed to assume the role. An attacker may attempt to modify this policy to gain the privileges of the role. This is a New Terms rule, which means it will only trigger once for each unique combination of the "cloud.account.id", "user.name" and "target.entity.id" fields, that have not been seen making this API request.
 """
 false_positives = [
 """
@@ -32,7 +34,7 @@ The role trust policy is a JSON document in which you define the principals you
 - Review the `aws.cloudtrail.user_identity.arn` to determine the IAM User that performed the action.
 - If an AssumedRole identity type performed the action review the `aws.cloudtrail.user_identity.session_context.session_issuer.arn` field to determine which role was used.
-- Review the `aws.cloudtrail.flattened.request_parameters.roleName` field to confirm the role that was updated.
+- Review the `target.entity.id` field to confirm the role that was updated.
 - Within the `aws.cloudtrail.request_parameters` field, review the `policyDocument` to understand the changes made to the trust policy.
 - If `aws.cloudtrail.user_identity.access_key_id` is present, investigate the access key used to perform the action as it may be compromised.
 - Identify the user account that performed the action and whether it should perform this kind of action.
@@ -97,7 +99,6 @@ field_names = [
 "source.ip",
 "aws.cloudtrail.user_identity.type",
 "aws.cloudtrail.user_identity.arn",
- "aws.cloudtrail.user_identity.session_context.session_issuer.arn",
 "aws.cloudtrail.user_identity.access_key_id",
 "target.entity.id",
 "event.action",
@@ -125,7 +126,7 @@ reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["cloud.account.id", "user.name", "aws.cloudtrail.flattened.request_parameters.roleName"]
+value = ["cloud.account.id", "user.name", "target.entity.id"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
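Review bot: The second hunk drops `aws.cloudtrail.user_identity.session_context.session_issuer.arn` from `field_names`, but the triage note in the first hunk still tells the analyst that for an AssumedRole identity they should review that exact field to determine which role was used, and this rule explicitly covers updates made by an Assumed Role identity (per the description), so the field that distinguishes the issuing role from the session is what the investigation view now hides. Either restore `"aws.cloudtrail.user_identity.session_context.session_issuer.arn",` after `"aws.cloudtrail.user_identity.arn",` or reword the triage step to point at a field that is still listed. The `field_names` array starts outside the hunk.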