Rules Contributing to Potentially Malicious AWS Activity Alert

The following rules are used to identify suspicious activity within AWS logs. Any one or more of these will trigger a Potentially Malicious AWS Activity Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

SES Identity Has Been Deleted

Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities

Rule ID

aws_3

Query

{'selection': {'eventSource': 'ses.amazonaws.com', 'eventName': 'DeleteIdentity'}, 'condition': 'selection'}

Log Source

Stellar Cyber AWS Cloudtrail configured.

Rule Source

SigmaHQ,20f754db-d025-4a8f-9d74-e0037e999a9a

Author: Janantha Marasinghe

Tactics, Techniques, and Procedures

TA0005, T1070

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2022/12/13 medium

  • Unknown

AWS GuardDuty Important Change

Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.

Rule ID

aws_4

Query

{'selection_source': {'eventSource': 'guardduty.amazonaws.com', 'eventName': 'CreateIPSet'}, 'condition': 'selection_source'}

Log Source

Stellar Cyber AWS Cloudtrail configured.

Rule Source

SigmaHQ,6e61ee20-ce00-4f8d-8aee-bedd8216f7e3

Author: faloker

Tactics, Techniques, and Procedures

TA0005, T1562.001

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2020/02/11 high

  • Valid change in the GuardDuty (e.g. to ignore internal scanners)

AWS Glue Development Endpoint Activity

Detects possible suspicious glue development endpoint activity.

Rule ID

aws_5

Query

{'selection': {'eventSource': 'glue.amazonaws.com', 'eventName': ['CreateDevEndpoint', 'DeleteDevEndpoint', 'UpdateDevEndpoint']}, 'condition': 'selection'}

Log Source

Stellar Cyber AWS Cloudtrail configured.

Rule Source

SigmaHQ,4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26

Author: Austin Songer @austinsonger

Tactics, Techniques, and Procedures

TA0004, T1078

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2021/10/03 low

  • Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

  • If known behavior is causing false positives, it can be exempted from the rule.

AWS ECS Backdoor Task Definition

Detects when an Elastic Container Service (ECS) Task Definition has been modified and run. This can indicate an adversary adding a backdoor to establish persistence or escalate privileges. This rule is based on examining events created upon execution of Rhino Security Lab's Pacu in a lab environment.

Rule ID

aws_7

Query

{'selection': {'eventSource': 'ecs.amazonaws.com', 'eventName': ['DescribeTaskDefinition', 'RegisterTaskDefinition', 'RunTask'], 'requestParameters_containerDefinitions_command|contains|all': ['169.254', '$AWS_CONTAINER_CREDENTIALS']}, 'condition': 'selection'}

Log Source

Stellar Cyber AWS Cloudtrail configured.

Rule Source

SigmaHQ,b94bf91e-c2bf-4047-9c43-c6810f43baad

Author: Darin Smith

Tactics, Techniques, and Procedures

TA0003, T1525

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2022/06/07 medium

  • Task Definition being modified to request credentials from the Task Metadata Service for valid reasons

AWS Attached Malicious Lambda Layer

Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.

Rule ID

aws_9

Query

{'selection': {'eventSource': 'lambda.amazonaws.com', 'eventName|startswith': 'UpdateFunctionConfiguration'}, 'condition': 'selection'}

Log Source

Stellar Cyber AWS Cloudtrail configured.

Rule Source

SigmaHQ,97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d

Author: Austin Songer

Tactics, Techniques, and Procedures

TA0004, T1548

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2021/09/23 medium

  • Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

  • Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS EKS Cluster Created or Deleted

Identifies when an EKS cluster is created or deleted.

Rule ID

aws_10

Query

{'selection': {'eventSource': 'eks.amazonaws.com', 'eventName': ['CreateCluster', 'DeleteCluster']}, 'condition': 'selection'}

Log Source

Stellar Cyber AWS Cloudtrail configured.

Rule Source

SigmaHQ,33d50d03-20ec-4b74-a74e-1e65a38af1c0

Author: Austin Songer

Tactics, Techniques, and Procedures

TA0040, T1485

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2021/08/16 low

  • EKS Cluster being created or deleted may be performed by a system administrator.

  • Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

  • EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS SecurityHub Findings Evasion

Detects the modification of the findings on SecurityHub.

Rule ID

aws_15

Query

{'selection': {'eventSource': 'securityhub.amazonaws.com', 'eventName': ['BatchUpdateFindings', 'DeleteInsight', 'UpdateFindings', 'UpdateInsight']}, 'condition': 'selection'}

Log Source

Stellar Cyber AWS Cloudtrail configured.

Rule Source

SigmaHQ,a607e1fe-74bf-4440-a3ec-b059b9103157

Author: Sittikorn S

Tactics, Techniques, and Procedures

TA0005, T1562

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
stable 2021/06/28 high

  • System or Network administrator behaviors

  • DEV, UAT, SAT environment. You should apply this rule with PROD environment only.

AWS GuardDuty Detector Deletion

Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.

Rule ID

aws_16

Query

{'selection1': {'eventSource': 'guardduty.amazonaws.com'}, 'selection2': {'eventName': 'DeleteDetector'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1562

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2020/05/28 high

  • The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS ElastiCache Security Group Created

Identifies when an ElastiCache security group has been created.

Rule ID

aws_22

Query

{'selection1': {'eventSource': 'elasticache.amazonaws.com'}, 'selection2': {'eventName': 'Create Cache Security Group'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1562

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021/07/19 low

  • A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS IAM Password Recovery Requested

Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.

Rule ID

aws_25

Query

{'selection1': {'eventSource': 'signin.amazonaws.com'}, 'selection2': {'eventName': 'PasswordRecoveryRequested'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, T1078

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2020/07/02 low

  • Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS EventBridge Rule Disabled or Deleted

Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.

Rule ID

aws_27

Query

{'selection1': {'eventSource': 'eventbridge.amazonaws.com'}, 'selection2': {'eventName': ['DeleteRule', 'DisableRule']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0040, T1489

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021/10/17 low

  • EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS CloudWatch Alarm Deletion

Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.

Rule ID

aws_28

Query

{'selection1': {'eventSource': 'monitoring.amazonaws.com'}, 'selection2': {'eventName': 'DeleteAlarms'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1562

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2020/06/15 medium

  • Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS Configuration Recorder Stopped

Identifies an AWS configuration change to stop recording a designated set of resources.

Rule ID

aws_39

Query

{'selection1': {'eventSource': 'config.amazonaws.com'}, 'selection2': {'eventName': 'StopConfigurationRecorder'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1562

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2020/06/16 high

  • Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS Config Resource Deletion

Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances.

Rule ID

aws_41

Query

{'selection1': {'eventSource': 'config.amazonaws.com'}, 'selection2': {'eventName': ['DeleteConfigRule', 'DeleteOrganizationConfigRule', 'DeleteConfigurationAggregator', 'DeleteConfigurationRecorder', 'DeleteConformancePack', 'DeleteOrganizationConformancePack', 'DeleteDeliveryChannel', 'DeleteRemediationConfiguration', 'DeleteRetentionConfiguration']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1562

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2020/06/26 low

  • Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service.

AWS STS GetSessionToken Abuse

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

Rule ID

aws_43

Query

{'selection1': {'eventSource': 'sts.amazonaws.com'}, 'selection2': {'eventName': 'GetSessionToken'}, 'selection3': {'userIdentity_type': 'IAMUser'}, 'condition': 'selection1 and selection2 and selection3'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0004, TA0008, T1548, T1550

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021/05/17 low

  • GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS WAF Rule or Rule Group Deletion

Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.

Rule ID

aws_46

Query

{'selection1': {'eventSource': ['waf.amazonaws.com', 'waf-regional.amazonaws.com', 'wafv2.amazonaws.com']}, 'selection2': {'eventName': ['DeleteRule', 'DeleteRuleGroup']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1562

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2020/06/09 medium

  • WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS ElastiCache Security Group Modified or Deleted

Identifies when an ElastiCache security group has been modified or deleted.

Rule ID

aws_47

Query

{'selection1': {'eventSource': 'elasticache.amazonaws.com'}, 'selection2': {'eventName': ['Delete Cache Security Group', 'Authorize Cache Security Group Ingress', 'Revoke Cache Security Group Ingress', 'AuthorizeCacheSecurityGroupEgress', 'RevokeCacheSecurityGroupEgress']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1562

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021/07/19 low

  • A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS WAF Access Control List Deletion

Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.

Rule ID

aws_49

Query

{'selection1': {'eventSource': 'waf.amazonaws.com'}, 'selection2': {'eventName': 'DeleteWebACL'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1562

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2020/05/21 medium

  • Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS CloudWatch Log Stream Deletion

Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.

Rule ID

aws_52

Query

{'selection1': {'eventSource': 'logs.amazonaws.com'}, 'selection2': {'eventName': 'DeleteLogStream'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, TA0040, T1485, T1562

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2020/05/20 medium

  • A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS SAML Activity

Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.

Rule ID

aws_53

Query

{'selection1': {'eventSource': ['iam.amazonaws.com', 'sts.amazonaws.com']}, 'selection2': {'eventName': ['Assumerolewithsaml', 'UpdateSAMLProvider']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0001, TA0005, T1078, T1550

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021/09/22 low

  • SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS CloudWatch Log Group Deletion

Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.

Rule ID

aws_55

Query

{'selection1': {'eventSource': 'logs.amazonaws.com'}, 'selection2': {'eventName': 'DeleteLogGroup'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, TA0040, T1485, T1562

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2020/05/18 medium

  • Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS KMS Customer Managed Key Disabled or Scheduled for Deletion

Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable.

Rule ID

aws_56

Query

{'selection1': {'eventSource': 'kms.amazonaws.com'}, 'selection2': {'eventName': ['DisableKey', 'ScheduleKeyDeletion']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0040, T1485

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2022/09/21 medium

  • A KMS customer managed key may be disabled or scheduled for deletion by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS Redshift Cluster Creation

Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities.

Rule ID

aws_61

Query

{'selection1': {'eventSource': 'redshift.amazonaws.com'}, 'selection2': {'eventName': 'CreateCluster'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, T1078

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2022/04/12 low

  • Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS EFS File System or Mount Deleted

Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.

Rule ID

aws_67

Query

{'selection1': {'eventSource': 'elasticfilesystem.amazonaws.com'}, 'selection2': {'eventName': ['DeleteMountTarget', 'DeleteFileSystem']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0040, T1485

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021/08/27 medium

  • File System or Mount being deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. File System Mount deletion by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS Security Token Service (STS) AssumeRole Usage

Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.

Rule ID

aws_70

Query

{'selection1': {'eventSource': 'sts.amazonaws.com'}, 'selection2': {'eventName': 'AssumedRole'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0004, TA0008, T1548, T1550

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021/05/17 low

  • Automated processes that use Terraform may lead to false positives.

AWS Lambda UpdateFunctionCode

This analytic is designed to detect IAM users attempting to update/modify AWS lambda code via the AWS CLI to gain persistence, further access into AWS environment and to facilitate planting backdoors. In this instance, an attacker may upload malicious code/binary to a lambda function which will be executed automatically when the function is triggered.

Rule ID

aws_89

Query

{'selection2': {'eventSource': 'lambda.amazonaws.com'}, 'selection3': {'eventName': 'UpdateFunctionCode*'}, 'selection4': {'errorCode': 'success'}, 'selection5': {'userIdentity_type': 'IAMUser'}, 'condition': 'selection2 and selection3 and selection4 and selection5'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0002, T1204

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2022-02-24 medium

  • While this search has no known false positives, it is possible that an AWS admin or an authorized IAM user has updated the lambda function code legitimately.

AWS ECR Container Scanning Findings

This search looks for AWS CloudTrail events from AWS Elastic Container Registry (ECR) Service.

Rule ID

aws_90

Query

{'selection2': {'eventSource': 'ecr.amazonaws.com'}, 'selection3': {'eventName': 'DescribeImageScanFindings'}, 'condition': 'selection2 and selection3'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0002, T1204

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2022-08-25 medium

  • unknown

AWS SAML Access by Provider User and Principal

This search provides specific SAML access from specific Service Provider, user and targeted principal at AWS. It also provides specific information to detect abnormal access or potential credential hijack or forgery, specially in federated environments using SAML protocol inside the perimeter or cloud provider.

Rule ID

aws_111

Query

{'selection1': {'eventSource': 'sts.amazonaws.com'}, 'selection2': {'eventName': 'AssumeRoleWithSAML'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1078

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021-01-26 medium

  • Attacks using a Golden SAML or SAML assertion hijacks or forgeries are very difficult to detect as accessing cloud providers with these assertions looks exactly like normal access, however things such as source IP sourceIPAddress user, and principal targeted at receiving cloud provider along with endpoint credential access and abuse detection searches can provide the necessary context to detect these attacks.

KMS Keys Creation

This search provides detection of KMS Keys Creation

Rule ID

aws_118

Query

{'selection1': {'eventSource': 'kms.amazonaws.com'}, 'selection2': {'eventName': 'CreateKey'}, 'selection3': {'eventName': 'PutKeyPolicy'}, 'condition': 'selection1 and (selection2 or selection3)'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0040, T1486

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021-01-11 medium

  • unknown