LoFP / verify whether the user identity, user agent, and/or hostname should be using getsecretstring api for the specified secretid. if known behavior is causing false positives, it can be exempted from the rule.

Techniques

• T1528

Sample rules

First Time Seen AWS Secret Value Accessed in Secrets Manager

• source: elastic
• technicques:
  • T1528

Description

An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the GetSecretValue action.

This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role’s assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the compromised service’s IAM role to access the secrets in Secrets Manager.

Detection logic

event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and
    event.action:GetSecretValue and event.outcome:success and aws.cloudtrail.user_identity.session_context.session_issuer.type: Role and
    not user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera")