Terrance DeJesus
b28338c680
* adjusted Potential Widespread Malware Infection Across Multiple Hosts * adjusted Microsoft Azure or Mail Sign-in from a Suspicious Source * adjusted AWS EC2 Multi-Region DescribeInstances API Calls * adjusted AWS Discovery API Calls via CLI from a Single Resource * adjusted AWS Service Quotas Multi-Region Requests * adjusted AWS EC2 EBS Snapshot Shared or Made Public * adjusted AWS S3 Bucket Enumeration or Brute Force * adjusted AWS EC2 EBS Snapshot Access Removed * adjusted Potential AWS S3 Bucket Ransomware Note Uploaded * adjusted AWS S3 Object Encryption Using External KMS Key * adjusted AWS S3 Static Site JavaScript File Uploaded * adjusted AWS Access Token Used from Multiple Addresses * adjusted AWS Signin Single Factor Console Login with Federated User * adjusted AWS IAM AdministratorAccess Policy Attached to Group * adjusted AWS IAM AdministratorAccess Policy Attached to Role * adjusted AWS IAM AdministratorAccess Policy Attached to User * adjusted AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session * adjusted AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session * adjusted AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request * adjusted Unusual High Confidence Content Filter Blocks Detected * adjusted Potential Abuse of Resources by High Token Count and Large Response Sizes * AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User * Unusual High Denied Sensitive Information Policy Blocks Detected * adjusted Unusual High Denied Topic Blocks Detected * adjusted AWS Bedrock Detected Multiple Validation Exception Errors by a Single User * adjusted Unusual High Word Policy Blocks Detected * adjusted Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties * adjusted Azure Entra MFA TOTP Brute Force Attempts * adjusted Microsoft Entra ID Sign-In Brute Force Activity * adjusted Microsoft Entra ID Exccessive Account Lockouts Detected * adjusted Microsoft 365 Brute Force via Entra ID Sign-Ins * deprecated Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source * adjusted Microsoft Entra ID Session Reuse with Suspicious Graph Access * adjusted Suspicious Microsoft OAuth Flow via Auth Broker to DRS * adjusted Potential Denial of Azure OpenAI ML Service * adjusted Azure OpenAI Insecure Output Handling * adjusted Potential Azure OpenAI Model Theft * adjusted M365 OneDrive Excessive File Downloads with OAuth Token * adjusted Multiple Microsoft 365 User Account Lockouts in Short Time Window * adjusted Potential Microsoft 365 User Account Brute Force * adjusted Suspicious Microsoft 365 UserLoggedIn via OAuth Code * adjusted Multiple Device Token Hashes for Single Okta Session * adjusted Multiple Okta User Authentication Events with Client Address * adjusted Multiple Okta User Authentication Events with Same Device Token Hash * adjusted High Number of Okta Device Token Cookies Generated for Authentication * adjusted Okta User Sessions Started from Different Geolocations * adjusted High Number of Egress Network Connections from Unusual Executable * adjusted Unusual Base64 Encoding/Decoding Activity * adjusted Potential Port Scanning Activity from Compromised Host * adjusted Potential Subnet Scanning Activity from Compromised Host * adjusted Unusual File Transfer Utility Launched * adjusted Potential Malware-Driven SSH Brute Force Attempt * adjusted Unusual Process Spawned from Web Server Parent * adjusted Unusual Command Execution from Web Server Parent * adjusted Rare Connection to WebDAV Target * adjusted Potential PowerShell Obfuscation via Invalid Escape Sequences * adjusted Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion * adjusted Unusual File Creation by Web Server * adjusted Potential PowerShell Obfuscation via High Special Character Proportion * adjusted Potential Malicious PowerShell Based on Alert Correlation * adjusted Potential PowerShell Obfuscation via Character Array Reconstruction * adjusted Potential PowerShell Obfuscation via String Reordering * adjusted Potential PowerShell Obfuscation via String Concatenation * adjusted Potential PowerShell Obfuscation via Reverse Keywords * adjusted PowerShell Obfuscation via Negative Index String Reversal * adjusted Dynamic IEX Reconstruction via Method String Access * adjusted Potential Dynamic IEX Reconstruction via Environment Variables * adjusted Potential PowerShell Obfuscation via High Numeric Character Proportion * adjusted Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation * adjusted Rare Connection to WebDAV Target * adjusted Potential PowerShell Obfuscation via Invalid Escape Sequences * adjusted Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion * adjusted Potential PowerShell Obfuscation via Character Array Reconstruction * adjusted Potential PowerShell Obfuscation via High Special Character Proportion * adjusted Potential PowerShell Obfuscation via Special Character Overuse * adjusted Potential PowerShell Obfuscation via String Reordering * adjusted Suspicious Microsoft 365 UserLoggedIn via OAuth Code * adjusted fields that were inconsistent * adjusted additional fields * adjusted esql to Esql * adjusted several rules for common field names * updating rules * updated dates * updated dates * updated ESQL fields * lowercase all functions and logical operators * adjusted dates for unit tests * Update Esql_priv to Esql_temp as these don't hold PII * PowerShell adjustments * Make query comments consistent * update comment * reverted 2856446a-34e6-435b-9fb5-f8f040bfa7ed * Update rules/windows/discovery_command_system_account.toml * removed dot notation --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
136 lines
7.4 KiB
TOML
136 lines
7.4 KiB
TOML
[metadata]
|
|
creation_date = "2024/10/23"
|
|
integration = ["aws"]
|
|
maturity = "production"
|
|
updated_date = "2025/07/16"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies role chaining activity. Role chaining is when you use one assumed role to assume a second role through the
|
|
AWS CLI or API. While this a recognized functionality in AWS, role chaining can be abused for privilege escalation if
|
|
the subsequent assumed role provides additional privileges. Role chaining can also be used as a persistence mechanism as
|
|
each AssumeRole action results in a refreshed session token with a 1 hour maximum duration. This rule looks for role
|
|
chaining activity happening within a single account, to eliminate false positives produced by common cross-account
|
|
behavior.
|
|
"""
|
|
false_positives = [
|
|
"""
|
|
Role chaining can be used as an access control. Ensure that this behavior is not part of a legitimate operation
|
|
before taking action.
|
|
""",
|
|
]
|
|
from = "now-6m"
|
|
language = "esql"
|
|
license = "Elastic License v2"
|
|
name = "AWS STS Role Chaining"
|
|
note = """## Triage and analysis
|
|
|
|
> **Disclaimer**:
|
|
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
|
|
|
|
### Investigating AWS STS Role Chaining
|
|
|
|
AWS Security Token Service (STS) allows temporary, limited-privilege credentials for AWS resources. Role chaining involves using one temporary role to assume another, potentially escalating privileges. Adversaries exploit this by gaining elevated access or persistence. The detection rule identifies such activity by monitoring specific API calls and access patterns within a single account, flagging potential misuse.
|
|
|
|
### Possible investigation steps
|
|
|
|
- Review the AWS CloudTrail logs to identify the source of the AssumeRole API call by examining the aws.cloudtrail.user_identity.arn field to determine which user or service initiated the role chaining.
|
|
- Check the cloud.region field to understand the geographical context of the activity and assess if it aligns with expected operational regions for your organization.
|
|
- Investigate the aws.cloudtrail.resources.account_id and aws.cloudtrail.recipient_account_id fields to confirm that the role chaining activity occurred within the same account, as cross-account role chaining is not flagged by this rule.
|
|
- Analyze the aws.cloudtrail.user_identity.access_key_id to verify that the access key used is a temporary token starting with "ASIA", indicating the use of temporary credentials.
|
|
- Assess the permissions associated with the roles involved in the chaining to determine if the subsequent role provides elevated privileges that could be exploited for privilege escalation or persistence.
|
|
- Correlate the timing of the AssumeRole events with other security events or alerts to identify any suspicious patterns or activities that may indicate malicious intent.
|
|
|
|
### False positive analysis
|
|
|
|
- Cross-account role assumptions are common in many AWS environments and can generate false positives. To mitigate this, ensure the rule is configured to only monitor role chaining within a single account, as specified in the rule description.
|
|
- Automated processes or applications that frequently assume roles for legitimate purposes may trigger false positives. Identify these processes and create exceptions for their specific access patterns or user identities.
|
|
- Scheduled tasks or scripts that use temporary credentials for routine operations might be flagged. Review these tasks and whitelist their access key IDs if they consistently follow a predictable and secure pattern.
|
|
- Development and testing environments often involve frequent role assumptions for testing purposes. Exclude these environments from monitoring or adjust the rule to account for their unique access behaviors.
|
|
- Regularly review and update the list of exceptions to ensure that only non-threatening behaviors are excluded, maintaining the effectiveness of the detection rule.
|
|
|
|
### Response and remediation
|
|
|
|
- Immediately revoke the temporary credentials associated with the detected AssumeRole activity to prevent further unauthorized access.
|
|
- Conduct a thorough review of the AWS CloudTrail logs to identify any additional suspicious activities or roles assumed using the compromised credentials.
|
|
- Isolate the affected AWS resources and accounts to prevent lateral movement and further privilege escalation within the environment.
|
|
- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
|
|
- Implement stricter IAM policies and role permissions to limit the ability to assume roles unnecessarily, reducing the risk of privilege escalation.
|
|
- Enhance monitoring and alerting for AssumeRole activities, especially those involving temporary credentials, to detect similar threats in the future.
|
|
- Conduct a post-incident review to identify gaps in security controls and update incident response plans to improve future response efforts.
|
|
|
|
## Setup
|
|
|
|
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
|
|
references = [
|
|
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts",
|
|
"https://www.uptycs.com/blog/detecting-anomalous-aws-sessions-temporary-credentials",
|
|
"https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/",
|
|
]
|
|
risk_score = 47
|
|
rule_id = "ba5a0b0c-b477-4729-a3dc-0147c2049cf1"
|
|
severity = "medium"
|
|
tags = [
|
|
"Domain: Cloud",
|
|
"Data Source: AWS",
|
|
"Data Source: Amazon Web Services",
|
|
"Data Source: AWS STS",
|
|
"Use Case: Threat Detection",
|
|
"Tactic: Persistence",
|
|
"Tactic: Privilege Escalation",
|
|
"Tactic: Lateral Movement",
|
|
"Resources: Investigation Guide",
|
|
]
|
|
timestamp_override = "event.ingested"
|
|
type = "esql"
|
|
|
|
query = '''
|
|
from logs-aws.cloudtrail-* metadata _id, _version, _index
|
|
|
|
// filter for AssumeRole API calls where access key id is a short term token beginning with ASIA
|
|
| where event.dataset == "aws.cloudtrail" and event.provider == "sts.amazonaws.com" and event.action == "AssumeRole" and aws.cloudtrail.resources.account_id == aws.cloudtrail.recipient_account_id and aws.cloudtrail.user_identity.access_key_id like "ASIA*"
|
|
|
|
// keep only the relevant fields
|
|
| keep aws.cloudtrail.user_identity.arn, cloud.region, aws.cloudtrail.resources.account_id, aws.cloudtrail.recipient_account_id, aws.cloudtrail.user_identity.access_key_id
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1548"
|
|
name = "Abuse Elevation Control Mechanism"
|
|
reference = "https://attack.mitre.org/techniques/T1548/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0004"
|
|
name = "Privilege Escalation"
|
|
reference = "https://attack.mitre.org/tactics/TA0004/"
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1550"
|
|
name = "Use Alternate Authentication Material"
|
|
reference = "https://attack.mitre.org/techniques/T1550/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1550.001"
|
|
name = "Application Access Token"
|
|
reference = "https://attack.mitre.org/techniques/T1550/001/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0008"
|
|
name = "Lateral Movement"
|
|
reference = "https://attack.mitre.org/tactics/TA0008/"
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0003"
|
|
name = "Persistence"
|
|
reference = "https://attack.mitre.org/tactics/TA0003/"
|
|
|