Techniques
Sample rules
AWS S3 Object Encryption Using External KMS Key
- source: elastic
- techniques:
- T1486
Description
Identifies successful CopyObject events in which an S3 object is written with server-side encryption under an AWS KMS key that belongs to a different AWS account than the one the event was recorded in.
Adversaries with access to a misconfigured S3 bucket and the proper permissions can re-encrypt its objects (for example by copying each object onto itself with new encryption settings) using a KMS key they control, so that the victim can no longer decrypt their own data once access to that key is withdrawn.
Detection logic
from logs-aws.cloudtrail-* metadata _id, _version, _index
// any successful S3 CopyObject event
| where
    event.dataset == "aws.cloudtrail"
    and event.provider == "s3.amazonaws.com"
    and event.action == "CopyObject"
    and event.outcome == "success"
// dissect the request parameters to extract the KMS key ARN (account and key id) and the target bucket/object
| dissect aws.cloudtrail.request_parameters
    "{%{?bucketName}=%{Esql.aws_cloudtrail_request_parameters_target_bucket_name},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{Esql.aws_cloudtrail_request_parameters_kms_key_account_id}:%{?key}/%{Esql.aws_cloudtrail_request_parameters_kms_key_id},%{?Host}=%{?tls.client.server.name},%{?x-amz-server-side-encryption}=%{?server_side_encryption},%{?x-amz-copy-source}=%{?bucket.object.name},%{?key}=%{Esql.aws_cloudtrail_request_parameters_target_object_key}}"
// flag key usage where the KMS key's account differs from the account that logged the event
| where cloud.account.id != Esql.aws_cloudtrail_request_parameters_kms_key_account_id
// keep ECS and dissected fields
| keep
    @timestamp,
    aws.cloudtrail.user_identity.arn,
    cloud.account.id,
    event.action,
    Esql.aws_cloudtrail_request_parameters_target_bucket_name,
    Esql.aws_cloudtrail_request_parameters_kms_key_account_id,
    Esql.aws_cloudtrail_request_parameters_kms_key_id,
    Esql.aws_cloudtrail_request_parameters_target_object_key
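The same logic, applied to raw CloudTrail JSON records rather than to the ECS-normalised string that the ES|QL rule dissects, as an added example that is not part of the original rule or of Elastic's code. The records below are constructed for illustration (account IDs, bucket and key names are made up), and the `trusted_key_accounts` allowlist is an addition of this example, not something the rule has. It mirrors the rule's filters: S3 CopyObject, no error, a full KMS key ARN in `x-amz-server-side-encryption-aws-kms-key-id`, and a key account that differs from `recipientAccountId` (the rule's `cloud.account.id`).

```python
"""Cross-account KMS key usage in S3 CopyObject events, over constructed CloudTrail records."""
import re

# arn:<partition>:kms:<region>:<account>:key/<key-id>. The partition is not pinned, so
# aws-us-gov and aws-cn ARNs match too, like the %{?aws} wildcard in the ES|QL dissect.
_KMS_KEY_ARN = re.compile(
    r"^arn:[^:]+:kms:[^:]*:(?P<account>\d{12}):key/(?P<key_id>[^:/]+)$"
)

# Constructed sample events (not real log data); only the fields the check reads are filled in.
SAMPLE_EVENTS = [
    {   # external key -> should be flagged
        "eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/compromised-user"},
        "requestParameters": {
            "bucketName": "victim-bucket",
            "x-amz-server-side-encryption-aws-kms-key-id":
                "arn:aws:kms:us-east-1:999999999999:key/0000aaaa-1111-2222-3333-444455556666",
            "x-amz-server-side-encryption": "aws:kms",
            "x-amz-copy-source": "victim-bucket/finance/q1.xlsx",
            "key": "finance/q1.xlsx",
        },
    },
    {   # same-account key -> normal re-encryption, not flagged
        "eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/backup"},
        "requestParameters": {
            "bucketName": "victim-bucket",
            "x-amz-server-side-encryption-aws-kms-key-id":
                "arn:aws:kms:us-east-1:111111111111:key/bbbb0000-1111-2222-3333-444455556666",
            "x-amz-server-side-encryption": "aws:kms",
            "x-amz-copy-source": "victim-bucket/finance/q2.xlsx",
            "key": "finance/q2.xlsx",
        },
    },
    {   # external key but the call failed -> event.outcome != success, not flagged
        "eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
        "recipientAccountId": "111111111111", "errorCode": "AccessDenied",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/compromised-user"},
        "requestParameters": {
            "bucketName": "victim-bucket",
            "x-amz-server-side-encryption-aws-kms-key-id":
                "arn:aws:kms:us-east-1:999999999999:key/0000aaaa-1111-2222-3333-444455556666",
            "key": "finance/q3.xlsx",
        },
    },
    {   # plain copy with no SSE-KMS header -> nothing to attribute, not flagged
        "eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/etl"},
        "requestParameters": {"bucketName": "victim-bucket", "key": "raw/data.csv",
                              "x-amz-copy-source": "victim-bucket/raw/data.csv"},
    },
]


def parse_kms_key_arn(value):
    """Return (account_id, key_id) for a full KMS key ARN, otherwise None.

    A bare key ID is skipped, as the rule's dissect pattern also only matches an ARN.
    """
    m = _KMS_KEY_ARN.match(value or "")
    return (m.group("account"), m.group("key_id")) if m else None


def check_copy_object(event, trusted_key_accounts=frozenset()):
    """Return a finding dict for a successful S3 CopyObject that encrypts with a KMS key
    from another account, or None. trusted_key_accounts is an allowlist (this example's
    addition) for accounts that legitimately share keys, e.g. a central KMS account."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "CopyObject":
        return None
    if "errorCode" in event:  # CloudTrail records a failure as errorCode; ECS maps it to event.outcome
        return None
    params = event.get("requestParameters") or {}
    parsed = parse_kms_key_arn(params.get("x-amz-server-side-encryption-aws-kms-key-id"))
    if parsed is None:
        return None
    key_account, key_id = parsed
    local_account = event.get("recipientAccountId")
    if key_account == local_account or key_account in trusted_key_accounts:
        return None
    return {
        "actor": (event.get("userIdentity") or {}).get("arn"),
        "account": local_account,
        "bucket": params.get("bucketName"),
        "object_key": params.get("key"),
        "copy_source": params.get("x-amz-copy-source"),
        "kms_key_account": key_account,
        "kms_key_id": key_id,
    }


def detect(events, trusted_key_accounts=frozenset()):
    """Run the check over an iterable of CloudTrail records and collect the findings."""
    return [f for f in (check_copy_object(e, trusted_key_accounts) for e in events) if f]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Two caveats a practitioner should keep in mind when deploying the ES|QL rule itself. First, the dissect pattern is positional: it only matches when `aws.cloudtrail.request_parameters` contains exactly those parameters in exactly that order, so a CopyObject whose request parameters are serialised differently, or a PutObject that sets the same external key, produces no alert; parsing the structured JSON as above avoids the ordering dependence. Second, organisations that deliberately share KMS keys across accounts (a central security or KMS account) will trigger this rule on legitimate traffic, which is why the example carries an allowlist of key-owning accounts; the equivalent in the rule is an extra `and not Esql.aws_cloudtrail_request_parameters_kms_key_account_id in (...)` clause.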