Techniques
Sample rules
AWS S3 Object Encryption Using External KMS Key
- source: elastic
- technicques:
- T1486
Description
Identifies CopyObject
events within an S3 bucket using an AWS KMS key from an external account for encryption. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data.
Detection logic
from logs-aws.cloudtrail-*
// any successful copy event
| where event.dataset == "aws.cloudtrail"
and event.provider == "s3.amazonaws.com"
and event.action == "CopyObject"
and event.outcome == "success"
// abstract key account id, key id, encrypted object bucket name and object name
| dissect aws.cloudtrail.request_parameters "{%{?bucketName}=%{target.bucketName},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{key.account.id}:%{?key}/%{keyId},%{?Host}=%{?tls.client.server_name},%{?x-amz-server-side-encryption}=%{?server-side-encryption},%{?x-amz-copy-source}=%{?bucket.objectName},%{?key}=%{target.objectName}}"
// filter for s3 objects whose account id is different from the encryption key's account id
// add exceptions based on key.account.id or keyId for known external accounts or encryption keys
| where cloud.account.id != key.account.id