Techniques
Sample rules
AWS ECR Container Upload Outside Business Hours
- source: splunk
- techniques:
- T1204.003
- T1204
Description
The following analytic detects the upload of a new container image to AWS Elastic Container Registry (ECR) outside of standard business hours. It leverages AWS CloudTrail logs to identify PutImage events occurring between 8 PM and 8 AM or on weekends. This activity is significant because container uploads outside business hours can indicate unauthorized or suspicious activity, potentially pointing to a compromised account or insider threat. If confirmed malicious, this could allow an attacker to deploy unauthorized or malicious containers, leading to potential data breaches or service disruptions.
Detection logic
`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage (date_hour>=20 OR date_hour<8 OR date_wday=saturday OR date_wday=sunday)
| rename requestParameters.* as *
| rename repositoryName AS repository
| eval phase="release"
| eval severity="medium"
| stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, repository, phase, severity
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_ecr_container_upload_outside_business_hours_filter`
ASL AWS ECR Container Upload Outside Business Hours
- source: splunk
- techniques:
- T1204.003
- T1204
Description
The following analytic detects the upload of new containers to AWS Elastic Container Registry (ECR) outside of standard business hours through AWS CloudTrail events. It identifies this behavior by monitoring for PutImage events occurring before 8 AM or after 8 PM, as well as any uploads on weekends. This activity is significant for a SOC to investigate as it may indicate unauthorized access or malicious deployments, potentially leading to compromised services or data breaches. Identifying and addressing such uploads promptly can mitigate the risk of security incidents and their associated impacts.
Detection logic
`amazon_security_lake` api.operation=PutImage
| eval hour=tonumber(strftime(time/pow(10,3), "%H")), weekday=strftime(time/pow(10,3), "%A")
| where hour >= 20 OR hour < 8 OR weekday="Saturday" OR weekday="Sunday"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent cloud.region
| rename actor.user.name as user, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_ecr_container_upload_outside_business_hours_filter`
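Both searches above apply the same predicate (hour at or after 20, hour before 8, or a weekend day) to ECR PutImage events; they differ only in the record shape (CloudTrail JSON with an ISO-8601 eventTime versus Security Lake OCSF records with an epoch-millisecond time) and in the fields they group by. The Python below is an added illustration, not code from Splunk's security content: it implements the shared predicate once, adds one adapter per source, and reproduces the `stats count min(_time) max(_time) by ...` aggregation over a handful of constructed records. The assumptions are that timestamps are evaluated in UTC (a production deployment would convert to the organisation's local zone first), that field names follow the CloudTrail and OCSF layouts the two searches reference, and that all sample values (account id, IP, repository, user names) are made up. The sample set deliberately includes an off-hours event that is not a PutImage, which the code keeps out of the results because the operation filter is applied independently of the time clause, the same reason the time clause in the SPL needs to be grouped in parentheses.

```python
import json
from datetime import datetime, timezone

# Window shared by both rules: flag at/after 20:00, before 08:00, or on Saturday/Sunday.
# Hours are evaluated in UTC here (assumption); convert to local time first in a real deployment.
START_HOUR, END_HOUR = 8, 20


def outside_business_hours(ts: datetime) -> bool:
    """True if the timezone-aware timestamp falls outside 08:00-20:00 Mon-Fri (UTC)."""
    ts = ts.astimezone(timezone.utc)
    return ts.hour >= END_HOUR or ts.hour < START_HOUR or ts.weekday() >= 5  # 5=Sat, 6=Sun


def cloudtrail_put_image(event: dict):
    """CloudTrail adapter: (timestamp, group-by key) for ECR PutImage, else None.
    The key mirrors the per-event fields in the first search's `stats ... by` clause."""
    if event.get("eventSource") != "ecr.amazonaws.com" or event.get("eventName") != "PutImage":
        return None  # the operation filter applies to every record, whatever the hour
    ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    params = event.get("requestParameters", {})
    key = (event.get("awsRegion"), event.get("userIdentity", {}).get("userName"),
           event.get("sourceIPAddress"), params.get("repositoryName"), params.get("imageTag"))
    return ts, key


def asl_put_image(event: dict):
    """Security Lake (OCSF) adapter: `time` is epoch milliseconds, hence /1000
    (the SPL divides by pow(10,3) for the same reason)."""
    if event.get("api", {}).get("operation") != "PutImage":
        return None
    ts = datetime.fromtimestamp(event["time"] / 1000, tz=timezone.utc)
    actor = event.get("actor", {}).get("user", {})
    key = (event.get("cloud", {}).get("region"), actor.get("name"), actor.get("account_uid"),
           actor.get("uid"), event.get("http_request", {}).get("user_agent"))
    return ts, key


def detect(events, adapter):
    """Equivalent of `stats count min(_time) max(_time) by <key>` over flagged events."""
    hits = {}
    for ev in events:
        parsed = adapter(ev)
        if parsed is None:
            continue
        ts, key = parsed
        if not outside_business_hours(ts):
            continue
        first, last, count = hits.get(key, (ts, ts, 0))
        hits[key] = (min(first, ts), max(last, ts), count + 1)
    return hits


def _ct(event_time, repo, user, tag, event_name="PutImage"):
    """Minimal CloudTrail record (constructed sample data, not real log output)."""
    return {"eventTime": event_time, "eventSource": "ecr.amazonaws.com", "eventName": event_name,
            "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10",
            "userIdentity": {"userName": user},
            "requestParameters": {"repositoryName": repo, "imageTag": tag}}


CLOUDTRAIL_SAMPLE = [
    _ct("2024-03-12T21:15:00Z", "payments-api", "ci-deployer", "v2.3.1"),  # Tue 21:15 -> flagged
    _ct("2024-03-12T14:00:00Z", "payments-api", "ci-deployer", "v2.3.0"),  # Tue 14:00 -> in hours
    _ct("2024-03-13T03:00:00Z", "payments-api", "ci-deployer", "v2.3.0", "DescribeImages"),  # off-hours but not PutImage
    _ct("2024-03-16T10:00:00Z", "payments-api", "jdoe", "hotfix"),         # Saturday -> flagged
    _ct("2024-03-12T07:59:59Z", "payments-api", "ci-deployer", "v2.3.1"),  # one second before 08:00 -> flagged
]


def _asl(ms, operation="PutImage"):
    """Minimal Security Lake API Activity record (constructed sample data)."""
    return {"time": ms, "api": {"operation": operation}, "cloud": {"region": "us-east-1"},
            "actor": {"user": {"name": "ci-deployer", "account_uid": "123456789012", "uid": "AIDAEXAMPLEUID"}},
            "http_request": {"user_agent": "aws-cli/2.15.0"}}


ASL_SAMPLE = [
    _asl(1710277200000),                   # 2024-03-12T21:00:00Z -> flagged
    _asl(1710244800000),                   # 2024-03-12T12:00:00Z -> in hours
    _asl(1710277200000, "BatchGetImage"),  # off-hours but not PutImage
]


def run_samples():
    """Run both adapters over the constructed samples; returns {source: [(user, count, first, last)]}."""
    summary = {}
    for name, events, adapter in (("cloudtrail", CLOUDTRAIL_SAMPLE, cloudtrail_put_image),
                                  ("asl", ASL_SAMPLE, asl_put_image)):
        hits = detect(events, adapter)
        summary[name] = sorted((key[1], count, first.isoformat(), last.isoformat())
                               for key, (first, last, count) in hits.items())
    return summary


if __name__ == "__main__":
    print(json.dumps(run_samples(), indent=2))
```

Running the script prints two result sets: the CloudTrail sample yields two groups (ci-deployer with two uploads, first at 07:59:59 and last at 21:15, and jdoe's Saturday upload), the Security Lake sample yields one, and neither contains the 03:00 DescribeImages or the BatchGetImage record. Tuning the window means changing START_HOUR and END_HOUR in one place, and the UTC assumption is the first thing to revisit for a team whose business hours are not expressed in UTC.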