Jonhnathan
b4c84e8a40
* Update Tags * Bump updated date separately to be easy to revert if needed * Update resource_development_ml_linux_anomalous_compiler_activity.toml * Apply changes from the discussion * Update persistence_init_d_file_creation.toml * Update defense_evasion_timestomp_sysmon.toml * Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml * Update missing Tactic tags * Update unit tests to match new tags * Add missing IG tags * Delete okta_threat_detected_by_okta_threatinsight.toml * Update command_and_control_google_drive_malicious_file_download.toml * Update persistence_rc_script_creation.toml * Mass bump * Update persistence_shell_activity_by_web_server.toml * . --------- Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
67 lines
2.2 KiB
TOML
67 lines
2.2 KiB
TOML
[metadata]
|
|
creation_date = "2021/05/17"
|
|
integration = ["aws"]
|
|
maturity = "production"
|
|
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
|
min_stack_version = "8.3.0"
|
|
updated_date = "2023/06/22"
|
|
|
|
[rule]
|
|
author = ["Austin Songer"]
|
|
description = """
|
|
Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access
|
|
AWS resources. An adversary could use those credentials to move laterally and escalate privileges.
|
|
"""
|
|
false_positives = ["Automated processes that use Terraform may lead to false positives."]
|
|
index = ["filebeat-*", "logs-aws*"]
|
|
language = "kuery"
|
|
license = "Elastic License v2"
|
|
name = "AWS Security Token Service (STS) AssumeRole Usage"
|
|
note = """## Setup
|
|
|
|
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
|
|
references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"]
|
|
risk_score = 21
|
|
rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726"
|
|
severity = "low"
|
|
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
|
|
timestamp_override = "event.ingested"
|
|
type = "query"
|
|
|
|
query = '''
|
|
event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and
|
|
aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1548"
|
|
name = "Abuse Elevation Control Mechanism"
|
|
reference = "https://attack.mitre.org/techniques/T1548/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0004"
|
|
name = "Privilege Escalation"
|
|
reference = "https://attack.mitre.org/tactics/TA0004/"
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1550"
|
|
name = "Use Alternate Authentication Material"
|
|
reference = "https://attack.mitre.org/techniques/T1550/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1550.001"
|
|
name = "Application Access Token"
|
|
reference = "https://attack.mitre.org/techniques/T1550/001/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0008"
|
|
name = "Lateral Movement"
|
|
reference = "https://attack.mitre.org/tactics/TA0008/"
|
|
|