Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
AWS CreateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the CreateLoginProfile and ConsoleLogin events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.
Detection logic
`cloudtrail` eventName = CreateLoginProfile
| rename requestParameters.userName as new_login_profile
| table src_ip eventName new_login_profile userIdentity.userName
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin
| rename userIdentity.userName as new_login_profile
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`]
| `aws_createloginprofile_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
AWS CreateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the CreateLoginProfile and ConsoleLogin events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.
Detection logic
`cloudtrail` eventName = CreateLoginProfile
| rename requestParameters.userName as new_login_profile
| table src_ip eventName new_login_profile userIdentity.userName
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin
| rename userIdentity.userName as new_login_profile
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`]
| `aws_createloginprofile_filter`
ASL AWS Defense Evasion Delete CloudWatch Log Group
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects the deletion of CloudWatch log groups in AWS, identified through DeleteLogGroup events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteLogGroup
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`
AWS Defense Evasion Delete CloudWatch Log Group
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects the deletion of CloudWatch log groups in AWS, identified through DeleteLogGroup events in CloudTrail logs. This detection leverages CloudTrail data to monitor for successful log group deletions, excluding console-based actions. This activity is significant as it indicates potential attempts to evade logging and monitoring, which is crucial for maintaining visibility into AWS activities. If confirmed malicious, this could allow attackers to hide their tracks, making it difficult to detect further malicious actions or investigate incidents within the compromised AWS environment.
Detection logic
`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
AWS CreateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the CreateLoginProfile and ConsoleLogin events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.
Detection logic
`cloudtrail` eventName = CreateLoginProfile
| rename requestParameters.userName as new_login_profile
| table src_ip eventName new_login_profile userIdentity.userName
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin
| rename userIdentity.userName as new_login_profile
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`]
| `aws_createloginprofile_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
AWS CreateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the CreateLoginProfile and ConsoleLogin events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.
Detection logic
`cloudtrail` eventName = CreateLoginProfile
| rename requestParameters.userName as new_login_profile
| table src_ip eventName new_login_profile userIdentity.userName
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin
| rename userIdentity.userName as new_login_profile
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`]
| `aws_createloginprofile_filter`
ASL AWS Defense Evasion Delete CloudWatch Log Group
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects the deletion of CloudWatch log groups in AWS, identified through DeleteLogGroup events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteLogGroup
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`
AWS Defense Evasion Delete CloudWatch Log Group
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects the deletion of CloudWatch log groups in AWS, identified through DeleteLogGroup events in CloudTrail logs. This detection leverages CloudTrail data to monitor for successful log group deletions, excluding console-based actions. This activity is significant as it indicates potential attempts to evade logging and monitoring, which is crucial for maintaining visibility into AWS activities. If confirmed malicious, this could allow attackers to hide their tracks, making it difficult to detect further malicious actions or investigate incidents within the compromised AWS environment.
Detection logic
`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`
AWS Lambda UpdateFunctionCode
- source: splunk
- technicques:
- T1204
Description
The following analytic identifies IAM users attempting to update or modify AWS Lambda code via the AWS CLI. It leverages CloudTrail logs to detect successful UpdateFunctionCode events initiated by IAM users. This activity is significant as it may indicate an attempt to gain persistence, further access, or plant backdoors within your AWS environment. If confirmed malicious, an attacker could upload and execute malicious code automatically when the Lambda function is triggered, potentially compromising the integrity and security of your AWS infrastructure.
Detection logic
`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode = success user_type=IAMUser
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id
|`aws_lambda_updatefunctioncode_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
AWS CreateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the CreateLoginProfile and ConsoleLogin events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.
Detection logic
`cloudtrail` eventName = CreateLoginProfile
| rename requestParameters.userName as new_login_profile
| table src_ip eventName new_login_profile userIdentity.userName
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin
| rename userIdentity.userName as new_login_profile
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`]
| `aws_createloginprofile_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
AWS CreateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the CreateLoginProfile and ConsoleLogin events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.
Detection logic
`cloudtrail` eventName = CreateLoginProfile
| rename requestParameters.userName as new_login_profile
| table src_ip eventName new_login_profile userIdentity.userName
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin
| rename userIdentity.userName as new_login_profile
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`]
| `aws_createloginprofile_filter`
ASL AWS Defense Evasion Delete CloudWatch Log Group
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects the deletion of CloudWatch log groups in AWS, identified through DeleteLogGroup events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteLogGroup
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`
AWS Defense Evasion Delete CloudWatch Log Group
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects the deletion of CloudWatch log groups in AWS, identified through DeleteLogGroup events in CloudTrail logs. This detection leverages CloudTrail data to monitor for successful log group deletions, excluding console-based actions. This activity is significant as it indicates potential attempts to evade logging and monitoring, which is crucial for maintaining visibility into AWS activities. If confirmed malicious, this could allow attackers to hide their tracks, making it difficult to detect further malicious actions or investigate incidents within the compromised AWS environment.
Detection logic
`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
AWS CreateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the CreateLoginProfile and ConsoleLogin events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.
Detection logic
`cloudtrail` eventName = CreateLoginProfile
| rename requestParameters.userName as new_login_profile
| table src_ip eventName new_login_profile userIdentity.userName
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin
| rename userIdentity.userName as new_login_profile
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`]
| `aws_createloginprofile_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
AWS CreateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the CreateLoginProfile and ConsoleLogin events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.
Detection logic
`cloudtrail` eventName = CreateLoginProfile
| rename requestParameters.userName as new_login_profile
| table src_ip eventName new_login_profile userIdentity.userName
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin
| rename userIdentity.userName as new_login_profile
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`]
| `aws_createloginprofile_filter`
ASL AWS Defense Evasion Delete CloudWatch Log Group
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects the deletion of CloudWatch log groups in AWS, identified through DeleteLogGroup events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteLogGroup
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`
AWS Defense Evasion Delete CloudWatch Log Group
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects the deletion of CloudWatch log groups in AWS, identified through DeleteLogGroup events in CloudTrail logs. This detection leverages CloudTrail data to monitor for successful log group deletions, excluding console-based actions. This activity is significant as it indicates potential attempts to evade logging and monitoring, which is crucial for maintaining visibility into AWS activities. If confirmed malicious, this could allow attackers to hide their tracks, making it difficult to detect further malicious actions or investigate incidents within the compromised AWS environment.
Detection logic
`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`
AWS Lambda UpdateFunctionCode
- source: splunk
- technicques:
- T1204
Description
The following analytic identifies IAM users attempting to update or modify AWS Lambda code via the AWS CLI. It leverages CloudTrail logs to detect successful UpdateFunctionCode events initiated by IAM users. This activity is significant as it may indicate an attempt to gain persistence, further access, or plant backdoors within your AWS environment. If confirmed malicious, an attacker could upload and execute malicious code automatically when the Lambda function is triggered, potentially compromising the integrity and security of your AWS infrastructure.
Detection logic
`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode = success user_type=IAMUser
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id
|`aws_lambda_updatefunctioncode_filter`
AWS SetDefaultPolicyVersion
- source: splunk
- technicques:
- T1078.004
- T1078
Description
The following analytic detects when a user sets a default policy version in AWS. It leverages AWS CloudTrail logs to identify the SetDefaultPolicyVersion event from the IAM service. This activity is significant because attackers may exploit this technique for privilege escalation, especially if previous policy versions grant more extensive permissions than the current one. If confirmed malicious, this could allow an attacker to gain elevated access to AWS resources, potentially leading to unauthorized actions and data breaches.
Detection logic
`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policy_arn by src requestParameters.versionId eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_setdefaultpolicyversion_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
AWS CreateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the CreateLoginProfile and ConsoleLogin events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.
Detection logic
`cloudtrail` eventName = CreateLoginProfile
| rename requestParameters.userName as new_login_profile
| table src_ip eventName new_login_profile userIdentity.userName
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin
| rename userIdentity.userName as new_login_profile
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`]
| `aws_createloginprofile_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
AWS CreateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the CreateLoginProfile and ConsoleLogin events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.
Detection logic
`cloudtrail` eventName = CreateLoginProfile
| rename requestParameters.userName as new_login_profile
| table src_ip eventName new_login_profile userIdentity.userName
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin
| rename userIdentity.userName as new_login_profile
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`]
| `aws_createloginprofile_filter`
ASL AWS Defense Evasion Delete CloudWatch Log Group
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects the deletion of CloudWatch log groups in AWS, identified through DeleteLogGroup events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteLogGroup
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`
AWS Defense Evasion Delete CloudWatch Log Group
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects the deletion of CloudWatch log groups in AWS, identified through DeleteLogGroup events in CloudTrail logs. This detection leverages CloudTrail data to monitor for successful log group deletions, excluding console-based actions. This activity is significant as it indicates potential attempts to evade logging and monitoring, which is crucial for maintaining visibility into AWS activities. If confirmed malicious, this could allow attackers to hide their tracks, making it difficult to detect further malicious actions or investigate incidents within the compromised AWS environment.
Detection logic
`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
AWS CreateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the CreateLoginProfile and ConsoleLogin events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.
Detection logic
`cloudtrail` eventName = CreateLoginProfile
| rename requestParameters.userName as new_login_profile
| table src_ip eventName new_login_profile userIdentity.userName
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin
| rename userIdentity.userName as new_login_profile
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`]
| `aws_createloginprofile_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
AWS CreateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the CreateLoginProfile and ConsoleLogin events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.
Detection logic
`cloudtrail` eventName = CreateLoginProfile
| rename requestParameters.userName as new_login_profile
| table src_ip eventName new_login_profile userIdentity.userName
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin
| rename userIdentity.userName as new_login_profile
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`]
| `aws_createloginprofile_filter`
ASL AWS Defense Evasion Delete CloudWatch Log Group
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects the deletion of CloudWatch log groups in AWS, identified through DeleteLogGroup events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteLogGroup
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`
AWS Defense Evasion Delete CloudWatch Log Group
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects the deletion of CloudWatch log groups in AWS, identified through DeleteLogGroup events in CloudTrail logs. This detection leverages CloudTrail data to monitor for successful log group deletions, excluding console-based actions. This activity is significant as it indicates potential attempts to evade logging and monitoring, which is crucial for maintaining visibility into AWS activities. If confirmed malicious, this could allow attackers to hide their tracks, making it difficult to detect further malicious actions or investigate incidents within the compromised AWS environment.
Detection logic
`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`
AWS Lambda UpdateFunctionCode
- source: splunk
- technicques:
- T1204
Description
The following analytic identifies IAM users attempting to update or modify AWS Lambda code via the AWS CLI. It leverages CloudTrail logs to detect successful UpdateFunctionCode events initiated by IAM users. This activity is significant as it may indicate an attempt to gain persistence, further access, or plant backdoors within your AWS environment. If confirmed malicious, an attacker could upload and execute malicious code automatically when the Lambda function is triggered, potentially compromising the integrity and security of your AWS infrastructure.
Detection logic
`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode = success user_type=IAMUser
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id
|`aws_lambda_updatefunctioncode_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
AWS CreateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the CreateLoginProfile and ConsoleLogin events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.
Detection logic
`cloudtrail` eventName = CreateLoginProfile
| rename requestParameters.userName as new_login_profile
| table src_ip eventName new_login_profile userIdentity.userName
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin
| rename userIdentity.userName as new_login_profile
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`]
| `aws_createloginprofile_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
AWS CreateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the CreateLoginProfile and ConsoleLogin events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.
Detection logic
`cloudtrail` eventName = CreateLoginProfile
| rename requestParameters.userName as new_login_profile
| table src_ip eventName new_login_profile userIdentity.userName
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin
| rename userIdentity.userName as new_login_profile
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`]
| `aws_createloginprofile_filter`
ASL AWS Defense Evasion Delete CloudWatch Log Group
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects the deletion of CloudWatch log groups in AWS, identified through DeleteLogGroup events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteLogGroup
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`
AWS Defense Evasion Delete CloudWatch Log Group
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects the deletion of CloudWatch log groups in AWS, identified through DeleteLogGroup events in CloudTrail logs. This detection leverages CloudTrail data to monitor for successful log group deletions, excluding console-based actions. This activity is significant as it indicates potential attempts to evade logging and monitoring, which is crucial for maintaining visibility into AWS activities. If confirmed malicious, this could allow attackers to hide their tracks, making it difficult to detect further malicious actions or investigate incidents within the compromised AWS environment.
Detection logic
`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
AWS CreateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the CreateLoginProfile and ConsoleLogin events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.
Detection logic
`cloudtrail` eventName = CreateLoginProfile
| rename requestParameters.userName as new_login_profile
| table src_ip eventName new_login_profile userIdentity.userName
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin
| rename userIdentity.userName as new_login_profile
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`]
| `aws_createloginprofile_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
Sample rules
ASL AWS CreateAccessKey
- source: splunk
- technicques:
- T1078
Description
This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.
Detection logic
`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value
| eval keyjoin=mvzip(unmapped_key,unmapped_value)
| mvexpand keyjoin
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$"
| eval {key} = value
| search responseElements.accessKey.userName = *
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0)
| search match=0
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`asl_aws_createaccesskey_filter`
AWS UpdateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`
AWS CreateAccessKey
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Detection logic
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_createaccesskey_filter`
ASL AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.
Detection logic
`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_password_policy_changes_filter`
AWS Password Policy Changes
- source: splunk
- technicques:
- T1201
Description
The following analytic detects successful API calls to view, update, or delete the password policy in an AWS organization. It leverages AWS CloudTrail logs to identify events such as “UpdateAccountPasswordPolicy,” “GetAccountPasswordPolicy,” and “DeleteAccountPasswordPolicy.” This activity is significant because it is uncommon for regular users to perform these actions, and such changes can indicate an adversary attempting to understand or weaken password defenses. If confirmed malicious, this could lead to compromised accounts and increased attack surface, potentially allowing unauthorized access and control over AWS resources.
Detection logic
`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_password_policy_changes_filter`
AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects the deletion of AWS CloudTrail logs by identifying DeleteTrail events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful DeleteTrail actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Detection logic
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Delete Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects AWS DeleteTrail events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`
ASL AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker’s actions.
Detection logic
`amazon_security_lake` api.operation=StopLogging
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Stop Logging Cloudtrail
- source: splunk
- technicques:
- T1562.008
- T1562
Description
The following analytic detects StopLogging events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Detection logic
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_stop_logging_cloudtrail_filter`
AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on UpdateTrail events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
ASL AWS Defense Evasion Update Cloudtrail
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects UpdateTrail events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary’s intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
Detection logic
`amazon_security_lake` api.operation=UpdateTrail
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_update_cloudtrail_filter`
Detect New Open S3 buckets
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies the creation of open/public S3 buckets in AWS. It detects this activity by analyzing AWS CloudTrail events for PutBucketAcl actions where the access control list (ACL) grants permissions to all users or authenticated users. This activity is significant because open S3 buckets can expose sensitive data to unauthorized access, leading to data breaches. If confirmed malicious, an attacker could read, write, or fully control the contents of the bucket, potentially leading to data exfiltration or tampering.
Detection logic
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl
| rex field=_raw "(?<json_field>{.+})"
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=*
| mvexpand grantees
| spath input=grantees output=uri path=Grantee.URI
| spath input=grantees output=permission path=Permission
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL")
| rename requestParameters.bucketName AS bucketName
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_filter`
Detect New Open S3 Buckets over AWS CLI
- source: splunk
- technicques:
- T1530
Description
The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to “AuthenticatedUsers” or “AllUsers.” This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
Detection logic
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
| rename requestParameters.bucketName AS bucketName
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_open_s3_buckets_over_aws_cli_filter`
AWS CreateLoginProfile
- source: splunk
- technicques:
- T1136.003
- T1136
Description
The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the CreateLoginProfile and ConsoleLogin events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.
Detection logic
`cloudtrail` eventName = CreateLoginProfile
| rename requestParameters.userName as new_login_profile
| table src_ip eventName new_login_profile userIdentity.userName
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin
| rename userIdentity.userName as new_login_profile
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`]
| `aws_createloginprofile_filter`
ASL AWS Defense Evasion Delete CloudWatch Log Group
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects the deletion of CloudWatch log groups in AWS, identified through DeleteLogGroup events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment.
Detection logic
`amazon_security_lake` api.operation=DeleteLogGroup
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`
AWS Defense Evasion Delete CloudWatch Log Group
- source: splunk
- technicques:
- T1562
- T1562.008
Description
The following analytic detects the deletion of CloudWatch log groups in AWS, identified through DeleteLogGroup events in CloudTrail logs. This detection leverages CloudTrail data to monitor for successful log group deletions, excluding console-based actions. This activity is significant as it indicates potential attempts to evade logging and monitoring, which is crucial for maintaining visibility into AWS activities. If confirmed malicious, this could allow attackers to hide their tracks, making it difficult to detect further malicious actions or investigate incidents within the compromised AWS environment.
Detection logic
`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`
AWS Lambda UpdateFunctionCode
- source: splunk
- technicques:
- T1204
Description
The following analytic identifies IAM users attempting to update or modify AWS Lambda code via the AWS CLI. It leverages CloudTrail logs to detect successful UpdateFunctionCode events initiated by IAM users. This activity is significant as it may indicate an attempt to gain persistence, further access, or plant backdoors within your AWS environment. If confirmed malicious, an attacker could upload and execute malicious code automatically when the Lambda function is triggered, potentially compromising the integrity and security of your AWS infrastructure.
Detection logic
`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode = success user_type=IAMUser
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id
|`aws_lambda_updatefunctioncode_filter`
AWS SetDefaultPolicyVersion
- source: splunk
- technicques:
- T1078.004
- T1078
Description
The following analytic detects when a user sets a default policy version in AWS. It leverages AWS CloudTrail logs to identify the SetDefaultPolicyVersion event from the IAM service. This activity is significant because attackers may exploit this technique for privilege escalation, especially if previous policy versions grant more extensive permissions than the current one. If confirmed malicious, this could allow an attacker to gain elevated access to AWS resources, potentially leading to unauthorized actions and data breaches.
Detection logic
`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policy_arn by src requestParameters.versionId eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_setdefaultpolicyversion_filter`
AWS Create Policy Version to allow all resources
- source: splunk
- technicques:
- T1078.004
- T1078
Description
The following analytic identifies the creation of a new AWS IAM policy version that allows access to all resources. It detects this activity by analyzing AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that grants broad permissions. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment.
Detection logic
`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com errorCode = success
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{}
| mvexpand key_policy_statements
| spath input=key_policy_statements output=key_policy_action_1 path=Action
| where key_policy_action_1 = "*"
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`