sigma-rules/hunting/aws/docs/secretsmanager_high_frequency_get_secret_value.md
Terrance DeJesus ba58a1e7cc [New Hunt] Add AWS Hunting Queries to Shared Hunting Library (#3988)
* new hunt queries for aws

* sendcommand and getuserpassword queries

* s3 bucket access and secrets manager requests added

* ssm start session and service logging deleted added

* adding federated authentication queries

* added ec2 modify instance attribute query

* adding backdoor role creation query

* 2 new queries for discovery; added lookback windows

* added new hunting query for IAM activity with no MFA session

* added missing time windows

* adding new query for lambda add permissions

* adjusted query format

* added new query for ec2 instance deployment anomalies

* updated queries based on feedback; regenerated docs

* fixed queries

* removed new rule
2024-09-04 10:08:44 -04:00


Secrets Manager High Frequency of Programmatic GetSecretValue API Calls


Metadata

  • Author: Elastic

  • Description: This hunting query identifies a high frequency of GetSecretValue API calls made programmatically (that is, not from a browser user agent) to the AWS Secrets Manager service. The GetSecretValue API call retrieves the secret value for a specified secret. A high frequency of these calls may indicate an adversary attempting to access sensitive information stored in AWS Secrets Manager via a compromised account or automated tooling.

  • UUID: ef244ca0-5e32-11ef-a8d3-f661ea17fbce

  • Integration: aws.cloudtrail

  • Language: [ES|QL]

  • Source File: Secrets Manager High Frequency of Programmatic GetSecretValue API Calls

Query

from logs-aws.cloudtrail*
| where @timestamp > now() - 7 day
| where
    event.provider == "secretsmanager.amazonaws.com"
    and event.action == "GetSecretValue"
    and user_agent.name not in ("Chrome","Firefox","Safari", "Edge", "Brave", "Opera")
| dissect aws.cloudtrail.request_parameters "%{}secret:%{secret_value}}"
| stats request_counts = count(*) by event.action, aws.cloudtrail.user_identity.arn, source.ip, user_agent.name
| sort request_counts desc
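The hunt's filter, dissect and stats stages, re-implemented in Python over a few constructed CloudTrail records so the logic can be exercised offline. This is an added illustration and not code from the Elastic rule or the detection-rules repository; the field names are the ECS and aws.cloudtrail fields the query uses, while the sample events, account ID, ARNs and secret names are made up, and the by_secret option is an assumption that reflects the note about adding the dissected field to the stats statement.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Browser user agents excluded by the hunt (console/browser traffic is not
# "programmatic" for the purpose of this query).
BROWSERS = {"Chrome", "Firefox", "Safari", "Edge", "Brave", "Opera"}
SECRETS_MANAGER = "secretsmanager.amazonaws.com"

# Fixed "now" so the constructed sample below is reproducible.
NOW = datetime(2024, 9, 4, 12, 0, tzinfo=timezone.utc)


def dissect_secret_name(request_parameters):
    """Python equivalent of the ES|QL dissect pattern "%{}secret:%{secret_value}}".

    CloudTrail logs the SecretId the caller supplied, never the secret value.
    When SecretId is an ARN such as
    arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-creds-AbCdEf
    this returns "prod/db-creds-AbCdEf" (name plus random suffix). When the
    caller passed a friendly name instead of an ARN there is no "secret:"
    literal to anchor on, the pattern does not match, and None is returned,
    mirroring the null the ES|QL dissect would produce.
    """
    m = re.search(r"secret:([^}]*)\}", request_parameters or "")
    return m.group(1) if m else None


def hunt_get_secret_value(events, now=NOW, lookback_days=7, by_secret=False):
    """Runs the hunt's filter and stats logic over ECS-shaped records.

    Returns [(group_key, request_counts), ...] with the busiest caller first.
    group_key is (event.action, user_identity.arn, source.ip, user_agent.name)
    plus, when by_secret is set, the dissected secret name (an assumed option,
    matching the note about adding that field to the stats statement).
    """
    cutoff = now - timedelta(days=lookback_days)
    counts = Counter()
    for e in events:
        if not e["@timestamp"] > cutoff:          # @timestamp > now() - 7 day
            continue
        if e["event.provider"] != SECRETS_MANAGER:
            continue
        if e["event.action"] != "GetSecretValue":
            continue
        if e["user_agent.name"] in BROWSERS:      # user_agent.name not in (...)
            continue
        key = (e["event.action"], e["aws.cloudtrail.user_identity.arn"],
               e["source.ip"], e["user_agent.name"])
        if by_secret:
            key += (dissect_secret_name(e["aws.cloudtrail.request_parameters"]),)
        counts[key] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


def _event(ts, action, arn, ip, ua, secret_id, provider=SECRETS_MANAGER):
    """Builds one constructed, ECS-flattened CloudTrail record (sample data)."""
    return {
        "@timestamp": ts,
        "event.provider": provider,
        "event.action": action,
        "aws.cloudtrail.user_identity.arn": arn,
        "source.ip": ip,
        "user_agent.name": ua,
        "aws.cloudtrail.request_parameters": "{secretId=%s}" % secret_id,
    }


# Constructed sample events (not real log data); account, roles and secret
# names are placeholders.
DB_SECRET = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-creds-AbCdEf"
CI_ROLE = "arn:aws:sts::123456789012:assumed-role/ci-runner/i-0abc"
SAMPLE_EVENTS = (
    # 40 programmatic reads of the same secret in the last hour: the hit.
    [_event(NOW - timedelta(minutes=i), "GetSecretValue", CI_ROLE,
            "203.0.113.10", "aws-sdk-go", DB_SECRET) for i in range(40)]
    # 3 CLI reads by a human user, passing a friendly name rather than an ARN.
    + [_event(NOW - timedelta(hours=h), "GetSecretValue",
              "arn:aws:iam::123456789012:user/carol", "198.51.100.20",
              "aws-cli", "dev/api-key") for h in (1, 2, 3)]
    # Browser traffic: excluded by the user-agent filter.
    + [_event(NOW - timedelta(hours=2), "GetSecretValue",
              "arn:aws:iam::123456789012:user/alice", "198.51.100.7",
              "Chrome", DB_SECRET)]
    # 100 reads by the CI role, but 10 days ago: outside the lookback window.
    + [_event(NOW - timedelta(days=10, minutes=i), "GetSecretValue", CI_ROLE,
              "203.0.113.10", "aws-sdk-go", DB_SECRET) for i in range(100)]
    # A different Secrets Manager action: not GetSecretValue, so ignored.
    + [_event(NOW - timedelta(minutes=5), "DescribeSecret",
              "arn:aws:iam::123456789012:user/bob", "192.0.2.4",
              "aws-cli", DB_SECRET)]
)

if __name__ == "__main__":
    for key, n in hunt_get_secret_value(SAMPLE_EVENTS, by_secret=True):
        print(n, *key)
```

Running the block lists the CI role's 40 reads first and carol's 3 reads second, with the secret name column empty for carol because she supplied a friendly name; the browser read, the out-of-window reads and the DescribeSecret call never reach the stats stage.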

Notes

  • The secret_value field produced by the dissect statement holds the secret's identifier, not its value: it is the part of the secret ARN after "secret:", i.e. the secret name and its random suffix. CloudTrail never records the value returned by GetSecretValue. Add the field to the stats statement to see which secrets were read. If the caller passed a friendly name rather than an ARN as SecretId, the pattern does not match and the field is null.
  • Review the aws.cloudtrail.user_identity* fields, in particular aws.cloudtrail.user_identity.arn, to identify the principal making the requests and its role permissions. Recent changes to role permissions or unusual logins may indicate a compromised account.
  • The user_agent.name field provides context on the tool or application making the API calls. If it is not aws-sdk or a known application, investigate further.
  • Review the source.* fields for the IP address and geographical location of the request and compare them with the principal's typical behavior.

MITRE ATT&CK Techniques

License

  • Elastic License v2