From 2406b99f81acc952ba125d9900657912805e9d69 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 22 Jun 2023 14:43:22 -0700 Subject: [PATCH] Revert "Improve description AWS CreateAccessKey" --- detections/cloud/asl_aws_createaccesskey.yml | 14 ++++---------- detections/cloud/aws_createaccesskey.yml | 14 ++++---------- 2 files changed, 8 insertions(+), 20 deletions(-) diff --git a/detections/cloud/asl_aws_createaccesskey.yml b/detections/cloud/asl_aws_createaccesskey.yml index acdb12b90f..b735fa3f8b 100644 --- a/detections/cloud/asl_aws_createaccesskey.yml +++ b/detections/cloud/asl_aws_createaccesskey.yml 
@@ -5,16 +5,10 @@ date: '2022-05-23' author: Patrick Bareiss, Splunk status: experimental type: Hunting -description: This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. - An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. - While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative - of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to - establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS - services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. - Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with - unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user - creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed - manual during threat hunting. +description: This search looks for AWS CloudTrail events where a user A who has already + permission to create access keys, makes an API call to create access keys for another + user B. Attackers have been know to use this technique for Privilege Escalation + in case new victim(user B) has more permissions than old victim(user B) data_source: [] search: '`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null | rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
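Review bot: this hunk reverts a description that was well-formed (the removed block starts with `-description:`) and reinstates wording with two errors: "Attackers have been know" should be "have been known", and "old victim(user B)" should be "old victim(user A)", since user A is the caller whose permissions are being compared. The restored text also says "AWS CloudTrail events" while this rule's search uses the `amazon_security_lake` macro with `api.operation=CreateAccessKey`, so the data source named in the description does not match the query. If the revert is only needed for the sibling file, leave this file on the longer description; otherwise fix those three points in the restored text.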
diff --git a/detections/cloud/aws_createaccesskey.yml b/detections/cloud/aws_createaccesskey.yml index 1181ecea20..3dd9b86c77 100644 --- a/detections/cloud/aws_createaccesskey.yml +++ b/detections/cloud/aws_createaccesskey.yml 
@@ -5,16 +5,10 @@ date: '2022-03-03' author: Bhavin Patel, Splunk status: production type: Hunting -This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. - An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. - While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative - of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to - establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS - services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. - Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with - unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user - creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed - manual during threat hunting. +description: This search looks for AWS CloudTrail events where a user A who has already + permission to create access keys, makes an API call to create access keys for another + user B. Attackers have been know to use this technique for Privilege Escalation + in case new victim(user B) has more permissions than old victim(user B) data_source: [] search: '`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
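Review bot: the revert is warranted in this file because the removed block lost the `description:` key (its first removed line begins "This detection rule monitors ..." with no key, so the rule had no description field), but a wholesale revert also brings back "have been know" (should be "known") and "old victim(user B)" (should be "user A", the caller). The smaller fix is to keep the longer description and prefix it with `description:`. Separately, the unchanged `eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)` uses SPL `match()`, which treats the second argument as a regex, so a caller named `bob` would also match a target `bob2`; if the intent is to exclude self-created keys, an equality comparison of the two fields is the safer form.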