[Rule Tuning] December-January AWS Rule Tuning (#4425)
* [Rule Tuning] AWS Monthly Rule Tunings * Adding several more AWS tunings * updating patch version * updating non-ecs type to boolean * fixed cloudtrail index
@@ -162,7 +162,9 @@
|
||||
"aws.cloudtrail.flattened.additional_eventdata.SSEApplied": "keyword",
|
||||
"aws.cloudtrail.flattened.request_parameters.bucketName": "keyword",
|
||||
"aws.cloudtrail.flattened.request_parameters.key": "keyword",
|
||||
"aws.cloudtrail.flattened.request_parameters.includeDeprecated": "keyword"
|
||||
"aws.cloudtrail.flattened.request_parameters.includeDeprecated": "keyword",
|
||||
"aws.cloudtrail.flattened.request_parameters.withDecryption": "boolean",
|
||||
"aws.cloudtrail.flattened.request_parameters.instanceId": "keyword"
|
||||
},
|
||||
"logs-azure.signinlogs-*": {
|
||||
"azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword"
|
||||
|
||||
+1
-1
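--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.4.3"
+version = "0.4.4"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"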
+2
-1
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/07/06"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/07/23"
|
||||
updated_date = "2025/01/22"
|
||||
|
||||
[rule]
|
||||
author = ["Nick Jones", "Elastic"]
|
||||
@@ -53,6 +53,7 @@ This rule looks for the retrieval of credentials using `GetSecretValue` action i
|
||||
|
||||
### False positive analysis
|
||||
|
||||
- Review `user.id` values for expected ARNs. If this is an expected behavior, consider adding exceptions to the rule.
|
||||
- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions — preferably with a combination of user agent and IP address conditions.
|
||||
|
||||
### Response and remediation
|
||||
|
||||
+9
-5
@@ -2,7 +2,7 @@
|
||||
creation_date = "2024/04/12"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/10"
|
||||
updated_date = "2025/01/27"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -23,7 +23,7 @@ false_positives = [
|
||||
""",
|
||||
]
|
||||
from = "now-9m"
|
||||
index = ["filebeat-*", "logs-aws.cloudtrail*"]
|
||||
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "AWS Systems Manager SecureString Parameter Request with Decryption Flag"
|
||||
@@ -40,6 +40,7 @@ Adversaries may target SecureStrings to retrieve sensitive information such as e
|
||||
|
||||
- **Review the Access Event**: Identify the specific API call (`GetParameter` or `GetParameters`) that triggered the rule. Examine the `request_parameters` for `withDecryption` set to true and the name of the accessed parameter.
|
||||
- **Verify User Identity and Access Context**: Check the `user_identity` details to understand who accessed the parameter and their role within the organization. This includes checking the ARN and access key ID to determine if the access was authorized.
|
||||
- **User ID**: Review the `user.id` field to identify the specific user or role that initiated the API call. Note that the ARN associated may be an assumed role and may not directly correspond to a human user.
|
||||
- **Contextualize with User Behavior**: Assess whether the access pattern fits the user’s normal behavior or job responsibilities. Investigate any out-of-pattern activities around the time of the event.
|
||||
- **Analyze Geographic and IP Context**: Using the `source.ip` and `source.geo` information, verify if the request came from a trusted location or if there are any anomalies that suggest a compromised account.
|
||||
- **Inspect Related CloudTrail Events**: Look for other related events in CloudTrail to see if there was unusual activity before or after this event, such as unusual login attempts, changes to permissions, or other API calls that could indicate broader unauthorized actions.
|
||||
@@ -47,6 +48,7 @@ Adversaries may target SecureStrings to retrieve sensitive information such as e
|
||||
### False Positive Analysis
|
||||
|
||||
- **Legitimate Administrative Use**: Verify if the decryption of SecureString parameters is a common practice for the user’s role, particularly if used in automation scripts or deployment processes like those involving Terraform or similar tools.
|
||||
- **Authorized Access**: Ensure that the user or role has a legitimate reason to access the SecureString parameters and that the access is part of their expected job responsibilities.
|
||||
|
||||
### Response and Remediation
|
||||
|
||||
@@ -84,7 +86,11 @@ event.dataset: aws.cloudtrail
|
||||
and event.provider: "ssm.amazonaws.com"
|
||||
and event.action: (GetParameters or GetParameter)
|
||||
and event.outcome: success
|
||||
and aws.cloudtrail.request_parameters: *withDecryption=true*
|
||||
and aws.cloudtrail.flattened.request_parameters.withDecryption: true
|
||||
and not source.address: (
|
||||
"cloudformation.amazonaws.com" or
|
||||
"servicecatalog.amazonaws.com"
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
@@ -112,5 +118,3 @@ value = ["aws.cloudtrail.user_identity.arn"]
|
||||
[[rule.new_terms.history_window_start]]
|
||||
field = "history_window_start"
|
||||
value = "now-10d"
|
||||
|
||||
|
||||
|
||||
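Review bot: The investigation step at the top of the `@@ -40,6 +40,7` hunk still tells the analyst to examine `request_parameters` for `withDecryption`, while the query hunk at `@@ -84,7 +86,11` now keys on the boolean `aws.cloudtrail.flattened.request_parameters.withDecryption: true`; the guide line should name the field the detection actually uses, e.g. `- **Review the Access Event**: Identify the specific API call (GetParameter or GetParameters) that triggered the rule. Examine the aws.cloudtrail.flattened.request_parameters.withDecryption field (mapped as boolean) and the name of the accessed parameter.`. The boolean match relies on that flattened field being mapped as boolean, which is what the first hunk of this commit changes in the non-ECS schema, so the two changes need to ship together. This rule, the SendCommand rule and the new route-table rule exclude service principals via `source.address`, while the new EC2 user-data rule uses `aws.cloudtrail.user_identity.invoked_by` for the same purpose; one field across the AWS rules, or a note on why they differ, would make the exclusions easier to audit. The query's opening `event.dataset` clause and the rest of the file are outside these hunks.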
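--- /dev/null
+++ b/<rule-path-not-shown>
@@ -0,0 +1,142 @@
+[metadata]
+creation_date = "2024/04/14"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2025/01/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies discovery request `DescribeInstanceAttribute` with the attribute userData and instanceId in AWS CloudTrail
+logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to
+gather sensitive data from the instance such as hardcoded credentials or to identify potential vulnerabilities. This is
+a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule that
+identifies when `aws.cloudtrail.user_identity.arn` requests the user data for a specific
+`aws.cloudtrail.flattened.request_parameters.instanceId` from an EC2 instance in the last 14 days.
+"""
+from = "now-9m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS EC2 User Data Retrieval for EC2 Instance"
+note = """
+## Triage and Analysis
+
+### Investigating AWS EC2 User Data Retrieval for EC2 Instance
+
+This rule detects requests to retrieve the `userData` attribute of an EC2 instance using the `DescribeInstanceAttribute` API action. The `userData` field can contain sensitive information, such as hardcoded credentials or configuration scripts, that adversaries may exploit for further attacks.
+
+#### Possible Investigation Steps
+
+- **Identify the Target Instance**:
+- **Instance ID**: Review the `aws.cloudtrail.flattened.request_parameters.instanceId` field to identify the EC2 instance targeted by the request. Confirm whether this instance should expose its `userData` and whether it is associated with sensitive workloads.
+- **Analyze userData**: If possible, retrieve and inspect the `userData` field to identify sensitive information like hardcoded credentials or configuration scripts.
+
+- **Review User Context**:
+- **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to identify the user or role that executed the `DescribeInstanceAttribute` action. Investigate whether this user typically performs such actions.
+- **Access Patterns**: Validate whether the user or role has the necessary permissions and whether the frequency of this action aligns with expected behavior.
+- **Access Key ID**: Check the `aws.cloudtrail.user_identity.access_key_id` field to determine the key used to make the request as it may be compromised.
+
+- **Analyze Request Details**:
+- **Parameters**: Verify that the `attribute=userData` parameter was explicitly requested. This indicates intentional access to user data.
+- **Source IP and Geolocation**: Check the `source.address` and `source.geo` fields to validate whether the request originated from a trusted location or network. Unexpected geolocations can indicate adversarial activity.
+
+- **Review Source Tool**:
+- **User Agent**: Inspect the `user_agent.original` field to determine the tool or client used (e.g., Terraform, AWS CLI). Legitimate automation tools may trigger this activity, but custom or unknown user agents may indicate malicious intent.
+
+- **Check for Related Activity**:
+- **IAM Changes**: Correlate this event with any IAM changes or temporary credential creation to identify potential privilege escalation attempts.
+- **API Usage**: Look for other unusual API calls (e.g., `RunInstances`, `GetObject`, `AssumeRole`) by the same user or IP to detect lateral movement or data exfiltration attempts.
+
+- **Validate Intent**:
+- **Permissions and Justification**: Ensure that the user has the least privilege required to perform this action. Investigate whether there is a valid reason for accessing the `userData` field.
+
+### False Positive Analysis
+
+- **Automation**: This event is often triggered by legitimate automation tools, such as Terraform or custom scripts, that require access to `userData` during instance initialization.
+- **Maintenance Activity**: Verify whether this event aligns with expected administrative activities, such as debugging or instance configuration updates.
+
+### Response and Remediation
+
+- **Revoke Excessive Permissions**: If unauthorized, immediately remove `DescribeInstanceAttribute` permissions from the user or role.
+- **Quarantine the Target Instance**: If malicious behavior is confirmed, isolate the affected EC2 instance to limit further exposure.
+- **Secure User Data**:
+- Avoid storing sensitive information, such as credentials, in `userData`. Use AWS Secrets Manager or Parameter Store instead.
+- Encrypt user data and ensure only authorized users can decrypt it.
+- **Audit IAM Policies**: Regularly review IAM policies to ensure they adhere to the principle of least privilege.
+- **Monitor and Detect**: Set up additional alerts for unexpected `DescribeInstanceAttribute` calls or other suspicious API activity.
+
+### Additional Information
+
+For more details on managing EC2 user data securely, refer to the [AWS EC2 User Data Documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html).
+"""
+references = [
+"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceAttribute.html",
+"https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data",
+]
+risk_score = 47
+rule_id = "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce"
+severity = "medium"
+tags = [
+"Domain: Cloud",
+"Data Source: AWS",
+"Data Source: Amazon Web Services",
+"Data Source: Amazon EC2",
+"Resources: Investigation Guide",
+"Use Case: Log Auditing",
+"Tactic: Discovery",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+and event.provider: "ec2.amazonaws.com"
+and event.action: "DescribeInstanceAttribute"
+and event.outcome: "success"
+and aws.cloudtrail.request_parameters: (*attribute=userData* and *instanceId*)
+and not aws.cloudtrail.user_identity.invoked_by: (
+"AWS Internal" or
+"cloudformation.amazonaws.com"
+)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1580"
+name = "Cloud Infrastructure Discovery"
+reference = "https://attack.mitre.org/techniques/T1580/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.005"
+name = "Cloud Instance Metadata API"
+reference = "https://attack.mitre.org/techniques/T1552/005/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["aws.cloudtrail.user_identity.arn", "aws.cloudtrail.flattened.request_parameters.instanceId"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
+
+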
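Review bot: The query clause `and aws.cloudtrail.request_parameters: (*attribute=userData* and *instanceId*)` is a double leading-wildcard match on a string field, and the `*instanceId*` half appears redundant: `DescribeInstanceAttribute` takes the instance ID as its required parameter, and the new-terms field `aws.cloudtrail.flattened.request_parameters.instanceId` (added to the non-ECS schema in this commit's first hunk) presumably already needs that key present for a term to be produced. Consider reducing it to `and aws.cloudtrail.request_parameters: *attribute=userData*` and, if a flattened `attribute` key is mapped, an exact match on it instead, as the SecureString rule in this commit does for `withDecryption`. The tags also differ between the two new rule files: this one uses `"Data Source: Amazon EC2"` while the route-table rule uses `"Data Source: AWS EC2"`, so tag-based filtering will not group them; pick one spelling.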
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/07/06"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/10"
|
||||
updated_date = "2025/01/27"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -97,6 +97,11 @@ event.dataset: "aws.cloudtrail"
|
||||
and event.action: "SendCommand"
|
||||
and event.outcome: "success"
|
||||
and not aws.cloudtrail.user_identity.arn: *AWSServiceRoleForAmazonSSM/StateManagerService*
|
||||
and not source.address: (
|
||||
"ssm-guiconnect.amazonaws.com" or
|
||||
"ssm.amazonaws.com" or
|
||||
"inspector2.amazonaws.com"
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
|
||||
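Review bot: The new `and not source.address: ("ssm-guiconnect.amazonaws.com" or "ssm.amazonaws.com" or "inspector2.amazonaws.com")` block excludes every SendCommand that CloudTrail attributes to the SSM service itself, which would presumably also cover commands the service issues on a user's behalf through Automation or State Manager — broader than the `AWSServiceRoleForAmazonSSM/StateManagerService` ARN exclusion on the line above it. That is a deliberate coverage trade-off, so it should be recorded in the rule's `false_positives` or note text, e.g. `Commands the SSM service issues on behalf of Automation or State Manager executions are excluded via source.address and are not covered by this rule.`. The query's opening lines and the rest of the file are outside this hunk.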
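--- /dev/null
+++ b/<rule-path-not-shown>
@@ -0,0 +1,143 @@
+[metadata]
+creation_date = "2021/06/05"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2025/01/27"
+
+[rule]
+author = ["Elastic", "Austin Songer"]
+description = """
+Identifies AWS CloudTrail events where an EC2 route table or association has been modified or deleted. Route table or
+association modifications can be used by attackers to disrupt network traffic, reroute communications, or maintain
+persistence in a compromised environment. This is a [New
+Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule that detects the
+first instance of this behavior by the `aws.cloudtrail.user_identity.arn` field in the last 10 days.
+"""
+false_positives = [
+"""
+Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent,
+and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users
+should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also
+automated processes that use Terraform may lead to false positives.
+""",
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS EC2 Route Table Modified or Deleted"
+note = """
+## Triage and Analysis
+
+### Investigating AWS EC2 Route Table Modified or Deleted
+
+This rule detects modifications or deletions of AWS route tables using actions such as `ReplaceRoute`, `ReplaceRouteTableAssociation`, `DeleteRouteTable`, `DeleteRoute`, or `DisassociateRouteTable`. These actions may indicate legitimate administrative activity, but they can also be abused by attackers to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment.
+
+#### Possible Investigation Steps
+
+- **Review Request Parameters:**
+- Check the `aws.cloudtrail.flattened.request_parameters` field. The sub-fields may vary depending on the `event.action` (e.g., `routeTableId` for `DeleteRouteTable`, `destinationCidrBlock` for `ReplaceRoute`).
+- Validate the affected route table, routes, or associations based on the API call:
+- For `ReplaceRoute`: Look for changes in specific routes using `destinationCidrBlock`.
+- For `ReplaceRouteTableAssociation`: Review the new association details (e.g., subnet ID).
+- For `DeleteRouteTable`: Confirm the `routeTableId` of the deleted table.
+- For `DisassociateRouteTable`: Verify the disassociated resources.
+
+- **Review User Context**:
+- **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine the user or role initiating the action. Investigate whether this user is authorized to perform these operations.
+- **Access Key ID**: Check the `aws.cloudtrail.user_identity.access_key_id` field to identify if the access key used was expected or potentially compromised.
+- **Access Patterns**: Validate whether the user or role has a history of performing route table modifications and whether this aligns with their expected responsibilities.
+
+- **Analyze Request Details**:
+- **Action Type**: Verify the specific API call in the `event.action` field (e.g., `ReplaceRoute`, `DeleteRouteTable`) to understand the nature of the modification.
+- **Source IP and Geolocation**: Examine the `source.address` and `source.geo` fields to confirm whether the request originated from a trusted location. Suspicious geolocations or IPs may indicate adversarial activity.
+- **User Agent**: Review the `user_agent.original` field to determine the tool used for the request (e.g., AWS CLI, Terraform). Unusual or custom user agents may indicate malicious intent.
+
+- **Correlate with Other Activity**:
+- **Concurrent API Calls**: Look for related API calls (e.g., `CreateRoute`, `AuthorizeSecurityGroupIngress`, or `ModifyInstanceAttribute`) from the same user or IP to detect broader attack patterns.
+- **IAM Changes**: Investigate whether any IAM policy updates or privilege escalation attempts preceded this activity.
+- **Unusual Volume of Changes**: Check if the user has performed multiple route table modifications or deletions in a short timeframe.
+
+- **Validate the Intent**:
+- **Planned Changes**: Confirm with administrators whether the route table changes were part of a planned update or maintenance activity.
+- **Permissions and Justification**: Ensure that the user or role has the least privilege necessary for these actions and that there is a valid reason for modifying the route table.
+
+### False Positive Analysis
+
+- **Routine Administration**: Route table modifications are often part of routine administrative tasks, such as creating new routes, updating associations, or removing unused resources.
+- **Automation Tools**: Automated workflows, such as those executed by Terraform or CloudFormation, may trigger these events. Verify whether the `user_agent.original` field or source IP matches known automation tools.
+- **Maintenance or Scaling**: Confirm whether these actions align with maintenance activities or scaling events (e.g., adding or removing subnets).
+
+### Response and Remediation
+
+- **Revoke Unauthorized Permissions**: If unauthorized, remove permissions for `ec2:ReplaceRoute`, `ec2:DeleteRouteTable`, or other related actions from the user or role.
+- **Restore the Route Table**:
+- If critical networking was impacted, restore the route table or reapply previous configurations from backups or Terraform state files.
+- Verify connectivity to affected subnets or instances to ensure no disruptions to services.
+- **Audit IAM Policies**:
+- Limit route table modification permissions to specific trusted users, roles, or automation accounts.
+- Implement conditions in IAM policies, such as source IP restrictions, to reduce the risk of unauthorized access.
+- **Monitor and Alert**:
+- Set up additional alerts for unexpected route table modifications or deletions.
+- Use VPC flow logs and CloudTrail to monitor for related suspicious activity.
+- **Secure Automation**: Ensure automation tools, such as Terraform or CloudFormation, are configured securely and that their credentials are stored in secure locations like AWS Secrets Manager.
+"""
+references = [
+"https://github.com/easttimor/aws-incident-response#network-routing",
+"https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/",
+"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html",
+"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation",
+"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html",
+"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html",
+"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html",
+]
+risk_score = 21
+rule_id = "e7cd5982-17c8-4959-874c-633acde7d426"
+severity = "low"
+tags = [
+"Domain: Cloud",
+"Data Source: AWS",
+"Data Source: Amazon Web Services",
+"Data Source: AWS EC2",
+"Use Case: Network Security Monitoring",
+"Resources: Investigation Guide",
+"Tactic: Persistence",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+and event.provider: "ec2.amazonaws.com"
+and event.action:(
+"ReplaceRoute" or
+"ReplaceRouteTableAssociation" or
+"DeleteRouteTable" or
+"DeleteRoute" or
+"DisassociateRouteTable"
+)
+and event.outcome: "success"
+and not source.address: (
+"cloudformation.amazonaws.com" or
+"servicecatalog.amazonaws.com" or
+"fsx.amazonaws.com"
+)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["aws.cloudtrail.user_identity.arn"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-10d"
+
+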
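Review bot: The investigation step `- Check the aws.cloudtrail.flattened.request_parameters field ...` points analysts at the sub-fields `routeTableId` and `destinationCidrBlock`, but the only flattened request-parameter keys this commit adds to the non-ECS schema (first hunk) are `bucketName`, `key`, `includeDeprecated`, `withDecryption` and `instanceId`; unless the route keys are mapped elsewhere, the guide will direct triage to fields that do not exist in the index. Either confirm the mapping or reword the step to the raw string the query itself searches, e.g. `- Check the aws.cloudtrail.request_parameters field for the routeTableId or destinationCidrBlock value, which varies with the event.action.`. The reference `https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation` is carried over from the deleted file without the `.html` suffix its sibling references use and is worth checking before it is republished.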
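--- a/<rule-path-not-shown>
+++ /dev/null
@@ -1,100 +0,0 @@
-[metadata]
-creation_date = "2021/06/05"
-integration = ["aws"]
-maturity = "production"
-updated_date = "2025/01/15"
-
-[rule]
-author = ["Elastic", "Austin Songer"]
-description = "Identifies when an AWS Route Table has been modified or deleted."
-false_positives = [
-"""
-Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent,
-and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users
-should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also
-automated processes that use Terraform may lead to false positives.
-""",
-]
-from = "now-60m"
-index = ["filebeat-*", "logs-aws.cloudtrail-*"]
-interval = "10m"
-language = "kuery"
-license = "Elastic License v2"
-name = "AWS Route Table Modified or Deleted"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating AWS Route Table Modified or Deleted
-
-AWS Route Tables are crucial for directing network traffic within a VPC. Adversaries may exploit these by altering or deleting routes to disrupt services or reroute traffic for data exfiltration. The detection rule monitors AWS CloudTrail logs for specific actions like route replacement or deletion, signaling potential unauthorized modifications that could indicate malicious activity.
-
-### Possible investigation steps
-
-- Review the AWS CloudTrail logs to identify the specific user or role associated with the event.provider:ec2.amazonaws.com actions such as ReplaceRoute, ReplaceRouteTableAssociation, DeleteRouteTable, DeleteRoute, or DisassociateRouteTable.
-- Check the event.time field in the CloudTrail logs to determine the exact time of the modification or deletion and correlate it with any other suspicious activities or alerts around the same timeframe.
-- Investigate the source IP address and location from which the changes were made to assess if they align with expected administrative access patterns.
-- Examine the AWS IAM policies and permissions associated with the user or role to determine if they have legitimate access to modify or delete route tables.
-- Review recent changes in the AWS environment, such as new deployments or updates, to understand if the route table modifications were part of planned activities.
-- Contact the user or team responsible for the changes to verify if the actions were authorized and intended as part of routine operations.
-
-### False positive analysis
-
-- Routine infrastructure updates or maintenance activities by authorized personnel can trigger alerts. To manage this, create exceptions for known maintenance windows or specific user accounts that regularly perform these tasks.
-- Automated scripts or tools used for infrastructure management might modify route tables as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts by using specific user agent strings or IAM roles.
-- Changes made by cloud service providers during updates or optimizations can also appear as modifications. Monitor communications from AWS for scheduled changes and temporarily adjust detection rules to accommodate these events.
-- Development and testing environments often undergo frequent changes that are non-threatening. Consider excluding these environments from the rule or applying a different risk threshold to reduce noise.
-- Multi-account setups where centralized management tools modify route tables across accounts can lead to false positives. Implement account-specific exclusions or adjust the rule to recognize these centralized actions.
-
-### Response and remediation
-
-- Immediately isolate the affected VPC to prevent further unauthorized access or data exfiltration. This can be done by temporarily modifying security group rules to restrict inbound and outbound traffic.
-- Review the AWS CloudTrail logs to identify the source of the unauthorized modifications. Focus on the user identity, IP address, and time of the event to understand the scope and origin of the threat.
-- Revert any unauthorized changes to the route tables by restoring them to their last known good configuration. This may involve manually recreating deleted routes or associations.
-- Implement IAM policies to restrict permissions for modifying route tables to only essential personnel. Ensure that the principle of least privilege is enforced.
-- Enable AWS Config to continuously monitor and record configuration changes to route tables, providing an audit trail for future incidents.
-- Set up CloudWatch Alarms to alert on any future unauthorized modifications to route tables, ensuring rapid detection and response.
-- If the incident is confirmed as malicious, escalate to the security operations team for further investigation and potential involvement of AWS support or legal authorities.
-
-## Setup
-
-The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
-references = [
-"https://github.com/easttimor/aws-incident-response#network-routing",
-"https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/",
-"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html",
-"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation",
-"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html",
-"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html",
-"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html",
-]
-risk_score = 21
-rule_id = "e7cd5982-17c8-4959-874c-633acde7d426"
-severity = "low"
-tags = [
-"Domain: Cloud",
-"Data Source: AWS",
-"Data Source: Amazon Web Services",
-"Data Source: AWS Route53",
-"Use Case: Network Security Monitoring",
-"Tactic: Persistence",
-"Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "query"
-
-query = '''
-event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or
-DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-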
+29
-12
@@ -2,13 +2,18 @@
|
||||
creation_date = "2020/07/06"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2025/01/27"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of
|
||||
a misconfigured role in order to gain the privileges of that role.
|
||||
Identifies AWS CloudTrail events where an IAM role's trust policy has been updated. The trust policy is a JSON document
|
||||
that defines which principals are allowed to assume the role. An attacker may attempt to modify this policy to gain the
|
||||
privileges of the role. This is a [New
|
||||
Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule, which means it
|
||||
will only trigger once for each unique value of the `aws.cloudtrail.user_identity.arn` and
|
||||
`aws.cloudtrail.flattened.request_parameters.roleName` fields that has not been seen making this API request within the
|
||||
last 14 days.
|
||||
"""
|
||||
false_positives = [
|
||||
"""
|
||||
@@ -17,9 +22,8 @@ false_positives = [
|
||||
be exempted from the rule.
|
||||
""",
|
||||
]
|
||||
from = "now-60m"
|
||||
from = "now-9m"
|
||||
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "AWS IAM Assume Role Policy Update"
|
||||
@@ -33,6 +37,10 @@ The role trust policy is a JSON document in which you define the principals you
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Review the `aws.cloudtrail.user_identity.arn` field to determine the user identity that performed the action.
|
||||
- Review the `aws.cloudtrail.flattened.request_parameters.roleName` field to confirm the role that was updated.
|
||||
- Within the `aws.cloudtrail.request_parameters` field, review the `policyDocument` to understand the changes made to the trust policy.
|
||||
- If `aws.cloudtrail.user_identity.access_key_id` is present, investigate the access key used to perform the action as it may be compromised.
|
||||
- Identify the user account that performed the action and whether it should perform this kind of action.
|
||||
- Investigate other alerts associated with the user account during the past 48 hours.
|
||||
- Contact the account and resource owners and confirm whether they are aware of this activity.
|
||||
@@ -61,10 +69,7 @@ The role trust policy is a JSON document in which you define the principals you
|
||||
- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
|
||||
|
||||
## Setup
|
||||
|
||||
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
|
||||
"""
|
||||
references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"]
|
||||
risk_score = 21
|
||||
rule_id = "a60326d7-dca7-4fb7-93eb-1ca03a1febbd"
|
||||
@@ -73,16 +78,20 @@ tags = [
|
||||
"Domain: Cloud",
|
||||
"Data Source: AWS",
|
||||
"Data Source: Amazon Web Services",
|
||||
"Data Source: AWS STS",
|
||||
"Data Source: AWS IAM",
|
||||
"Use Case: Identity and Access Audit",
|
||||
"Resources: Investigation Guide",
|
||||
"Tactic: Privilege Escalation",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success
|
||||
event.dataset: "aws.cloudtrail"
|
||||
and event.provider: "iam.amazonaws.com"
|
||||
and event.action: "UpdateAssumeRolePolicy"
|
||||
and event.outcome: "success"
|
||||
and not source.address: "cloudformation.amazonaws.com"
|
||||
'''
|
||||
|
||||
|
||||
@@ -99,3 +108,11 @@ id = "TA0004"
|
||||
name = "Privilege Escalation"
|
||||
reference = "https://attack.mitre.org/tactics/TA0004/"
|
||||
|
||||
[rule.new_terms]
|
||||
field = "new_terms_fields"
|
||||
value = ["aws.cloudtrail.user_identity.arn", "aws.cloudtrail.flattened.request_parameters.roleName"]
|
||||
[[rule.new_terms.history_window_start]]
|
||||
field = "history_window_start"
|
||||
value = "now-14d"
|
||||
|
||||
|
||||
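Review bot: `from = "now-9m"` next to the unchanged `interval = "10m"` leaves a one-minute window per scheduling cycle that no execution queries, so an `UpdateAssumeRolePolicy` event whose `event.ingested` falls in that gap is never evaluated; the replaced `now-60m` lookback had no such gap. If a shorter window is the intent, a lookback at least as long as the interval, e.g. `from = "now-11m"`, closes it. The added `and not source.address: "cloudformation.amazonaws.com"` exclusion carries no rationale in the visible investigation-guide lines; one bullet under the false-positive section stating that CloudFormation-driven trust-policy changes are deliberately excluded would help triage. The `[rule]` table opens before the first hunk and its threat sub-tables continue outside the visible hunks.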
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/05/17"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/10"
|
||||
updated_date = "2025/01/27"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic", "Austin Songer"]
|
||||
@@ -96,11 +96,18 @@ event.dataset: "aws.cloudtrail"
|
||||
and event.action: "AssumeRole"
|
||||
and event.outcome: "success"
|
||||
and aws.cloudtrail.user_identity.type: "AWSService"
|
||||
and not aws.cloudtrail.user_identity.invoked_by: (
|
||||
"config.amazonaws.com" or
|
||||
"securityhub.amazonaws.com" or
|
||||
"sso.amazonaws.com"
|
||||
)
|
||||
and aws.cloudtrail.user_identity.invoked_by: (
|
||||
"ec2.amazonaws.com" or
|
||||
"lambda.amazonaws.com" or
|
||||
"rds.amazonaws.com" or
|
||||
"ssm.amazonaws.com" or
|
||||
"ecs-tasks.amazonaws.com" or
|
||||
"ecs.amazonaws.com" or
|
||||
"eks.amazonaws.com" or
|
||||
"eks-fargate.amazonaws.com" or
|
||||
"codepipeline.amazonaws.com" or
|
||||
"codebuild.amazonaws.com" or
|
||||
"autoscaling.amazonaws.com")
|
||||
'''
|
||||
|
||||
[rule.investigation_fields]
|
||||
|
||||
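Review bot: Replacing the `not aws.cloudtrail.user_identity.invoked_by: (...)` exclusion with a positive `invoked_by: (...)` list turns the rule from "any AWSService except three" into "only these eleven", so an `AssumeRole` invoked by any service principal outside the list no longer produces an alert, and nothing in the visible hunk records why that coverage reduction is acceptable. If the narrowing is intended, a short note in the rule's setup or false-positive text, e.g. `- This rule is scoped to the compute and deployment services enumerated in the query; AssumeRole calls invoked by other service principals are intentionally out of scope.`, would document it for the next tuning pass. A trailing comment on the list itself is not possible inside the `'''` query string, so the description is the right place. The enclosing `query = '''` block begins before the hunk and the `[rule]` table extends past it.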
@@ -1,60 +0,0 @@
|
||||
[metadata]
|
||||
creation_date = "2024/04/14"
|
||||
integration = ["aws"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/07/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
building_block_type = "default"
|
||||
description = """
|
||||
Identifies discovery request `DescribeInstanceAttribute` with the attribute userData and instanceId in AWS CloudTrail
|
||||
logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to
|
||||
gather sensitive data from the instance or to identify potential vulnerabilities. This is a building block rule that
|
||||
does not generate an alert on its own, but serves as a signal for anomalous activity.
|
||||
"""
|
||||
from = "now-119m"
|
||||
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
|
||||
interval = "60m"
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "Attempt to Retrieve User Data from AWS EC2 Instance"
|
||||
references = [
|
||||
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceAttribute.html",
|
||||
"https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data",
|
||||
]
|
||||
risk_score = 21
|
||||
rule_id = "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce"
|
||||
severity = "low"
|
||||
tags = [
|
||||
"Domain: Cloud",
|
||||
"Data Source: AWS",
|
||||
"Data Source: Amazon Web Services",
|
||||
"Data Source: Amazon EC2",
|
||||
"Use Case: Log Auditing",
|
||||
"Tactic: Discovery",
|
||||
"Rule Type: BBR",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset:aws.cloudtrail
|
||||
and event.action:DescribeInstanceAttribute
|
||||
and aws.cloudtrail.request_parameters:(*attribute=userData* and *instanceId*)
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1580"
|
||||
name = "Cloud Infrastructure Discovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1580/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0007"
|
||||
name = "Discovery"
|
||||
reference = "https://attack.mitre.org/tactics/TA0007/"
|
||||
|
||||