security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager' (#3494)

Browse Source 
* tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager'

* reverting lookback window

* missing word in description
This commit is contained in:
Terrance DeJesus
2024-03-15 19:08:28 -04:00
committed by GitHub
parent d26981f712
commit f6e79944f2
1 changed files with 11 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
+11 -9
View File
@@ -4,13 +4,14 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2023/10/24"
updated_date = "2024/03/07"
[rule]
author = ["Nick Jones", "Elastic"]
description = """
An adversary equipped with compromised credentials may attempt to access the secrets in secrets manager to steal
certificates, credentials, or other sensitive material.
An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the `GetSecretValue` action.
This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the compromised service's IAM role to access the secrets in Secrets Manager.
"""
false_positives = [
"""
@@ -19,7 +20,7 @@ false_positives = [
""",
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
index = ["filebeat-*", "logs-aws.cloudtrail*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
@@ -30,7 +31,7 @@ note = """## Triage and analysis
AWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.
This rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager.
This rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a specific secret value from Secrets Manager within the last 15 days.
#### Possible investigation steps
@@ -76,7 +77,8 @@ This rule looks for the retrieval of credentials using `GetSecretValue` action i
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
"http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/",
"https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/",
"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum"
]
risk_score = 47
rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
@@ -93,8 +95,8 @@ type = "new_terms"
query = '''
event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and
event.action:GetSecretValue and event.outcome:success and
not user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera" or "aws-cli")
event.action:GetSecretValue and event.outcome:success and aws.cloudtrail.user_identity.session_context.session_issuer.type: Role and
not user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera")
'''
@@ -113,7 +115,7 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
[rule.new_terms]
field = "new_terms_fields"
value = ["aws.cloudtrail.user_identity.access_key_id", "aws.cloudtrail.request_parameters"]
value = ["user.id", "aws.cloudtrail.request_parameters"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-15d"