-
Notifications
You must be signed in to change notification settings - Fork 375
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Patrick Bareiss
committed
Jan 8, 2025
1 parent
197881f
commit dc3fdda
Showing
1 changed file
with
67 additions
and
0 deletions.
There are no files selected for viewing
67 changes: 67 additions & 0 deletions
67
detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| name: ASL AWS IAM Assume Role Policy Brute Force | ||
| id: 726959fe-316d-445c-a584-fa187d64e295 | ||
| version: 1 | ||
| date: '2025-01-08' | ||
| author: Patrick Bareiss, Splunk | ||
| status: production | ||
| type: TTP | ||
| description: The following analytic detects multiple failed attempts to assume an AWS IAM role, indicating a potential brute force attack. It leverages AWS CloudTrail logs to identify `MalformedPolicyDocumentException` errors with a status of `failure` and filters out legitimate AWS services. This activity is significant as repeated failures to assume roles can indicate an adversary attempting to guess role names, which is a precursor to unauthorized access. If confirmed malicious, this could lead to unauthorized access to AWS resources, potentially compromising sensitive data and services. | ||
| data_source: [] | ||
| search: '`amazon_security_lake` api.operation="AssumeRole" "api.response.error"=AccessDenied | ||
| | bucket _time span=1h | ||
| | stats count as failures min(_time) as firstTime max(_time) as lastTime values(api.operation) as api.operation values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region by actor.user.uid _time | ||
| | where failures >= 3 | ||
| | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region | ||
| | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_assume_role_policy_brute_force_filter`' | ||
| how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. | ||
| known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. | ||
| references: | ||
| - https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities/ | ||
| - https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/ | ||
| - https://www.elastic.co/guide/en/security/current/aws-iam-brute-force-of-assume-role-policy.html | ||
| drilldown_searches: | ||
| - name: View the detection results for - "$user$" | ||
| search: '%original_detection_search% | search user = "$user$"' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: View risk events for the last 7 days for - "$user$" | ||
| search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| tags: | ||
| analytic_story: | ||
| - AWS IAM Privilege Escalation | ||
| asset_type: AWS Account | ||
| confidence: 70 | ||
| impact: 40 | ||
| message: User $user$ has caused multiple failures with errorCode AccessDenied, which potentially means adversary is attempting to identify a role name. | ||
| mitre_attack_id: | ||
| - T1580 | ||
| - T1110 | ||
| observable: | ||
| - name: src_ip | ||
| type: IP Address | ||
| role: | ||
| - Attacker | ||
| - name: user | ||
| type: User | ||
| role: | ||
| - Victim | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| required_fields: | ||
| - _time | ||
| - api.operation | ||
| - actor.user.uid | ||
| - src_endpoint.ip | ||
| - cloud.region | ||
| risk_score: 28 | ||
| security_domain: access | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/asl_ocsf_cloudtrail.json | ||
| sourcetype: aws:asl | ||
| source: aws_asl |