LoFP / When your development is spread across different time zones, applying this rule can be difficult.

Techniques

Sample rules

AWS ECR Container Upload Outside Business Hours

Description

The following analytic detects the upload of a new container image to AWS Elastic Container Registry (ECR) outside of standard business hours. It leverages AWS CloudTrail logs to identify PutImage events occurring between 8 PM and 8 AM or on weekends. Note that date_hour and date_wday are derived from the event timestamp, and CloudTrail records eventTime in UTC, so the window is a UTC window rather than the local business day of the team that owns the account. This activity is significant because container uploads outside business hours can indicate unauthorized or suspicious activity, potentially pointing to a compromised account or insider threat. If confirmed malicious, this could allow an attacker to deploy unauthorized or malicious containers, leading to potential data breaches or service disruptions.

Detection logic

`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage (date_hour>=20 OR date_hour<8 OR date_wday=saturday OR date_wday=sunday) 
| rename requestParameters.* as * 
| rename repositoryName AS repository 
| rename user_name as user 
| stats count min(_time) as firstTime max(_time) as lastTime by signature user user_agent src vendor_account vendor_region vendor_product repository 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_ecr_container_upload_outside_business_hours_filter`

ASL AWS ECR Container Upload Outside Business Hours

Description

The following analytic detects the upload of new container images to AWS Elastic Container Registry (ECR) outside of standard business hours through AWS CloudTrail events delivered via Amazon Security Lake. It identifies this behavior by monitoring for PutImage events occurring before 8 AM or after 8 PM UTC, as well as any uploads on weekends. This activity is significant for a SOC to investigate as it may indicate unauthorized access or malicious deployments, potentially leading to compromised services or data breaches. Identifying and addressing such uploads promptly can mitigate the risk of security incidents and their associated impacts.

Detection logic

`amazon_security_lake` api.operation=PutImage 
| eval hour=tonumber(strftime(time/pow(10,3), "%H")), weekday=strftime(time/pow(10,3), "%A") 
| where hour>=20 OR hour<8 OR weekday="Saturday" OR weekday="Sunday" 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data bucketName 
| rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `asl_aws_ecr_container_upload_outside_business_hours_filter`
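The following is an added example, not code from the original page or from the Splunk security content project. It reproduces the window used by both rules above (before 08:00, from 20:00, or a weekend day) over constructed CloudTrail and Security Lake (OCSF) style PutImage records, and then evaluates that window in the owning team's local time instead of UTC, which is the false positive noted at the top of this page. The account-to-time-zone mapping, account ids, user names, repository names and IP addresses are all hypothetical; fixed UTC offsets are used so the example has no external dependency, and the assumption that `api.request.data` carries the request parameters as a JSON string is marked in the code.

```python
"""Business-hours triage for ECR PutImage events, evaluated per team time zone."""
import json
from datetime import datetime, timedelta, timezone

BUSINESS_START = 8   # 08:00 local, inclusive  (rule: hour<8 is outside)
BUSINESS_END = 20    # 20:00 local, exclusive  (rule: hour>=20 is outside)

# Hypothetical mapping of AWS account id -> time zone of the team that owns it.
# Fixed UTC offsets keep the example dependency-free; in production use
# zoneinfo.ZoneInfo("America/Los_Angeles") etc. so that DST is handled.
TEAM_TZ = {
    "111111111111": timezone(timedelta(hours=-7)),  # constructed: US west-coast team
    "222222222222": timezone(timedelta(hours=+9)),  # constructed: Tokyo team
}


def is_ecr_put_image(ev: dict) -> bool:
    """Match CloudTrail (eventSource/eventName) and OCSF/ASL (api.service.name/api.operation)."""
    api = ev.get("api", {})
    service = ev.get("eventSource") or api.get("service", {}).get("name")
    operation = ev.get("eventName") or api.get("operation")
    return service == "ecr.amazonaws.com" and operation == "PutImage"


def event_time_utc(ev: dict) -> datetime:
    """CloudTrail carries ISO-8601 eventTime in UTC; ASL carries epoch milliseconds
    in `time` (the SPL divides by 10**3 for the same reason)."""
    if "eventTime" in ev:
        return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(ev["time"] / 1000, tz=timezone.utc)


def account_id(ev: dict) -> str:
    """recipientAccountId (CloudTrail) or actor.user.account.uid (OCSF)."""
    return ev.get("recipientAccountId") or ev.get("actor", {}).get("user", {}).get("account", {}).get("uid", "")


def repository(ev: dict) -> str:
    if "requestParameters" in ev:
        return ev["requestParameters"].get("repositoryName", "")
    # Assumption: api.request.data holds the request parameters as a JSON string.
    data = ev.get("api", {}).get("request", {}).get("data", "{}")
    return json.loads(data).get("repositoryName", "")


def outside_business_hours(when_utc: datetime, tz: timezone) -> bool:
    """Same window as the rules, but evaluated in the given local time zone."""
    local = when_utc.astimezone(tz)
    return local.weekday() >= 5 or local.hour >= BUSINESS_END or local.hour < BUSINESS_START


def triage(events, team_tz=TEAM_TZ, default_tz=timezone.utc):
    """Return the PutImage events that fall outside the owning team's business hours."""
    hits = []
    for ev in events:
        if not is_ecr_put_image(ev):
            continue
        acct = account_id(ev)
        tz = team_tz.get(acct, default_tz)
        when = event_time_utc(ev)
        if outside_business_hours(when, tz):
            hits.append({"account": acct, "repository": repository(ev),
                         "local_time": when.astimezone(tz).strftime("%a %Y-%m-%d %H:%M %z")})
    return hits


# Constructed sample records, not real logs. Tue 2024-03-12 22:30Z is 15:30 for the
# west-coast team but 07:30 the next morning for the Tokyo team.
SAMPLE_EVENTS = [
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage", "eventTime": "2024-03-12T22:30:00Z",
     "recipientAccountId": "111111111111", "sourceIPAddress": "198.51.100.10",
     "requestParameters": {"repositoryName": "web/frontend"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage", "eventTime": "2024-03-12T22:30:00Z",
     "recipientAccountId": "222222222222", "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"repositoryName": "api/payments"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "eventTime": "2024-03-12T22:30:00Z",
     "recipientAccountId": "111111111111", "requestParameters": {"bucketName": "logs"}},
    # OCSF/ASL shape: Sat 2024-03-16 10:00Z as epoch milliseconds (weekend in any zone)
    {"time": 1710583200000, "api": {"operation": "PutImage", "service": {"name": "ecr.amazonaws.com"},
     "request": {"data": json.dumps({"repositoryName": "batch/etl"})}},
     "actor": {"user": {"uid": "ci-runner", "account": {"uid": "111111111111"}}},
     "src_endpoint": {"ip": "198.51.100.10"}, "cloud": {"region": "us-west-2"}},
    # OCSF/ASL shape: Wed 2024-03-13 02:00Z = 11:00 JST, in hours for the Tokyo team
    {"time": 1710295200000, "api": {"operation": "PutImage", "service": {"name": "ecr.amazonaws.com"},
     "request": {"data": json.dumps({"repositoryName": "api/payments"})}},
     "actor": {"user": {"uid": "dev-kato", "account": {"uid": "222222222222"}}},
     "src_endpoint": {"ip": "203.0.113.7"}, "cloud": {"region": "ap-northeast-1"}},
]

if __name__ == "__main__":
    print("UTC-only window: ", [h["repository"] for h in triage(SAMPLE_EVENTS, team_tz={})])
    print("team-aware window:", [h["repository"] for h in triage(SAMPLE_EVENTS)])
```

Run as-is, the UTC-only window flags all four PutImage records, while the team-aware window flags only the two that are genuinely off-hours for their owners (the 07:30 JST push and the Saturday push). The `bucketName` field in the S3 record is there to show that the ASL rule's `bucketName` grouping key is S3 residue and carries nothing for ECR events.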