# Hypothesis



# Baseline 

Download from summitroute.com the Public Dataset of CloudTrail Logs [here](https://summitroute.com/blog/2020/10/09/public_dataset_of_cloudtrail_logs_from_flaws_cloud/) and extract it into a folder. 

```bash
$ wget https://summitroute.com/downloads/flaws_cloudtrail_logs.tar 
```

Next we'll require a coulple of imports

In [3]:
from datetime import datetime
import gzip
import json
import os
import re

import pandas as pd
from tabulate import tabulate

In [4]:
class Parser:
#     ARCHIVE_FILENAME_REGEXP = re.compile(r'^[0-9]{12}_CloudTrail_[a-z]{2}-[a-z]+-[0-9]_[0-9]{8}T[0-9]{4}Z_[a-zA-Z0-9]{16}\.json\.gz$')
    CLOUDTRAIL_EVENT_DATETIME_FORMAT = '%d-%m-%Y-T%H:%M:%SZ'


    def __init__(self,archive_base_dir):
        self.archive_base_dir = archive_base_dir.rstrip('/')

    def events(self):
        for archive_file_item in self.archive_file_list():
            with gzip.open(archive_file_item,'rb') as fp:
                cloudtrail_data = json.loads(fp.read())

            if ('Records' in cloudtrail_data):
                for trail_item in cloudtrail_data['Records']:
                    yield self.build_trail_data(trail_item)

    def archive_file_list(self):
        for (base_path,dir_list,file_list) in os.walk(self.archive_base_dir):
            for file_item in file_list:
#                 if (not Parser.ARCHIVE_FILENAME_REGEXP.search(file_item)):
                if not file_item.endswith("json.gz"):
                    continue

                yield '{0}/{1}'.format(base_path,file_item)

    def build_trail_data(self,source):
        return {
            'accountId': source['recipientAccountId'],
            'region': source['awsRegion'],
            'eventName': source['eventName'],
            'eventTime': source['eventTime'],
            'eventType': source['eventType'],
            'eventSource': source['eventSource'],
            'sourceIPAddress': source['sourceIPAddress'] if 'sourceIPAddress' in source else 'NONE',
            'errorMessage': source['errorMessage'] if 'errorMessage' in source else 'NONE',
            'identity': {
                'userAgent': source['userAgent'] if 'userAgent' in source else 'NONE',
                'user': self.strip_data_unicode(source['userIdentity'])
            },
            'request': self.strip_data_unicode(source['requestParameters']),
            'response': self.strip_data_unicode(source['responseElements'])
        }

    def strip_data_unicode(self,data):
        data_type = type(data)

        if (data_type is list):
            return [self.strip_data_unicode(list_item) for list_item in data]

        if (data_type is dict):
            return {
                self.strip_data_unicode(dict_key): self.strip_data_unicode(dict_value)
                for (dict_key,dict_value) in data.items()
            }

        # simple value
        if (data_type is bytes):
            # if unicode cast to string
            data = str(data)

        return data

In [5]:
parser = Parser('./flaws_cloudtrail_logs')
debug = False
cleaned_events = []

for event in parser.events():
    cleaned_events.append(event)
    if debug:
        print('Event name: {0}'.format(event['eventName']))
        print('Event time: {0}\n'.format(event['eventTime']))

In [6]:
print(len(cleaned_events))

1939207


In [7]:
pentester = []
for event in cleaned_events:
    if 'kali' in event['identity']['userAgent'].lower() or 'parrot' in event['identity']['userAgent'].lower():
        pentester.append(event)
        
print(len(pentester))

149828


In [8]:
from pprint import pprint

for event in  cleaned_events[:10]:
    pprint(event)

{'accountId': '811596193553',
 'errorMessage': 'You are not authorized to perform this operation. Encoded '
                 'authorization failure message: '
                 'oT5GYV6-Vp0GJOsgCAKsuMkSg9toc9JALcTkGG7hEgbt4QOdgbY3dkZALJmBXqqWPzJ1fWUz0JiKulu863VY7A4MUwHIsm7ylnr_rnrGjqRh63i77R_Z4fTDNwdIfVaRaroUko3voyNqPPNPoUTphltX_9ZvG_pOMblp4M7QmTO6iqDfiLXwgdi1zhwsI84RfhYGnUELCQM5vTfn8zDoMH8wZdhlzarIjIHMzWv5t9re14vtPNWVqC1eOsR5JVcM-7i-Us4ELJji09ZNKQVd4QDR5OoE7U52QBq4GbfIm8D6brd3LLsdJapqpYOoJTwcANtB8fYaDCH06Q_NZCBAA1ZbLh7XSZyyanuDgeiPBjgy0S96MkwsvWqqTG-IoMpzsxes_GKi4tVffoTkUyD2gmwwgsPnT4A0T6d5DVDSEiKjnNo5FhL1dZ3TybRnBMUagY1Zlqb3xYcP7vfHUr8mDavWXDMowBk1iMH29Ido0mmH5EMeNY5TwYpRX4SHez4GpQ-T7JBn7zpfp434zzxOqHVeoPb9azEeQNykyewd4AE37iA8vMr3kO75EDC6nvY2ebg_TgbIZz7R5rhW3S3bfhd_nhRMx1sR6tcosW5kOoxxrg3H7kRY0oBKT5wcW5yCca6jpQ-zURop8RW1niNWMX3iSctpzdo',
 'eventName': 'RunInstances',
 'eventSource': 'ec2.amazonaws.com',
 'eventTime': '2019-08-23T06:00:05Z',
 'eventType': 'AwsApiCall',
 'identity': {'u

In [9]:
df = pd.read_json(json.dumps(pentester))

# Hunting for sign-in failures (AWS Console)

We try to identify brute force attacks or bot generic attacks. Those attacks are very common and mostly detected by GuardDuaty. Nevertheless time to hunt. 

**One remark**: Since AWS is following security best practices, the AWS IAM user name for sign-in failures is disguesed - therefore the found logs shows probably a GuarDuty finding or a CloudTrail log entry with the name `HIDDEN_DUE_TO_SECURITY_REASONS`

__Mapping with the Mitre Att&ck Framework__

* Tactic: Credential Access (TA0006)
* Name: Brute Force
* ID: T1110
* Sub-techniques: [T1110.001](https://attack.mitre.org/techniques/T1110/001), [T1110.002](https://attack.mitre.org/techniques/T1110/002), [T1110.003](https://attack.mitre.org/techniques/T1110/003), and [T1110.004](https://attack.mitre.org/techniques/T1110/004)


In [23]:
query_failed_logins = lambda event: event["eventSource"] == "signin.amazonaws.com" \
                                and event["eventName"] == "ConsoleLogin" \
                                and event["response"]['ConsoleLogin'] == "Failure"

failed_logins = list(filter(query_failed_logins, cleaned_events))

In [24]:
failed_logins_df = pd.read_json(json.dumps(failed_logins))

In [25]:
failed_logins_df.style

Unnamed: 0,accountId,region,eventName,eventTime,eventType,eventSource,sourceIPAddress,errorMessage,identity,request,response
0,811596193553,us-east-1,ConsoleLogin,2020-01-15T10:08:24Z,AwsConsoleSignIn,signin.amazonaws.com,222.230.154.255,No username found in supplied account,"{'userAgent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/967662 Firefox/68.0', 'user': {'type': 'IAMUser', 'accountId': '811596193553', 'accessKeyId': '', 'userName': 'HIDDEN_DUE_TO_SECURITY_REASONS'}}",,{'ConsoleLogin': 'Failure'}
1,811596193553,us-east-1,ConsoleLogin,2020-01-18T07:31:34Z,AwsConsoleSignIn,signin.amazonaws.com,8.101.151.38,No username found in supplied account,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36', 'user': {'type': 'IAMUser', 'accountId': '811596193553', 'accessKeyId': '', 'userName': 'HIDDEN_DUE_TO_SECURITY_REASONS'}}",,{'ConsoleLogin': 'Failure'}
2,811596193553,us-east-1,ConsoleLogin,2020-01-18T07:32:07Z,AwsConsoleSignIn,signin.amazonaws.com,8.101.151.38,No username found in supplied account,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36', 'user': {'type': 'IAMUser', 'accountId': '811596193553', 'accessKeyId': '', 'userName': 'HIDDEN_DUE_TO_SECURITY_REASONS'}}",,{'ConsoleLogin': 'Failure'}
3,811596193553,us-east-1,ConsoleLogin,2017-05-17T23:23:34Z,AwsConsoleSignIn,signin.amazonaws.com,8.120.255.102,No username found in supplied account,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36', 'user': {'type': 'IAMUser', 'accountId': '811596193553', 'accessKeyId': '', 'userName': 'HIDDEN_DUE_TO_SECURITY_REASONS'}}",,{'ConsoleLogin': 'Failure'}
4,811596193553,us-east-1,ConsoleLogin,2017-05-17T23:23:41Z,AwsConsoleSignIn,signin.amazonaws.com,8.120.255.102,No username found in supplied account,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36', 'user': {'type': 'IAMUser', 'accountId': '811596193553', 'accessKeyId': '', 'userName': 'HIDDEN_DUE_TO_SECURITY_REASONS'}}",,{'ConsoleLogin': 'Failure'}
5,811596193553,us-east-1,ConsoleLogin,2018-02-26T01:12:46Z,AwsConsoleSignIn,signin.amazonaws.com,231.17.3.165,No username found in supplied account,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6', 'user': {'type': 'IAMUser', 'accountId': '811596193553', 'accessKeyId': '', 'userName': 'HIDDEN_DUE_TO_SECURITY_REASONS'}}",,{'ConsoleLogin': 'Failure'}
6,811596193553,us-east-1,ConsoleLogin,2018-02-26T18:45:36Z,AwsConsoleSignIn,signin.amazonaws.com,12.80.110.252,No username found in supplied account,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6', 'user': {'type': 'IAMUser', 'accountId': '811596193553', 'accessKeyId': '', 'userName': 'HIDDEN_DUE_TO_SECURITY_REASONS'}}",,{'ConsoleLogin': 'Failure'}
7,811596193553,us-east-1,ConsoleLogin,2018-02-26T18:45:51Z,AwsConsoleSignIn,signin.amazonaws.com,12.80.110.252,No username found in supplied account,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6', 'user': {'type': 'IAMUser', 'accountId': '811596193553', 'accessKeyId': '', 'userName': 'HIDDEN_DUE_TO_SECURITY_REASONS'}}",,{'ConsoleLogin': 'Failure'}
8,811596193553,us-east-1,ConsoleLogin,2018-02-26T18:46:19Z,AwsConsoleSignIn,signin.amazonaws.com,12.80.110.252,No username found in supplied account,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6', 'user': {'type': 'IAMUser', 'accountId': '811596193553', 'accessKeyId': '', 'userName': 'HIDDEN_DUE_TO_SECURITY_REASONS'}}",,{'ConsoleLogin': 'Failure'}
9,811596193553,us-east-1,ConsoleLogin,2018-02-26T18:47:44Z,AwsConsoleSignIn,signin.amazonaws.com,12.80.110.252,No username found in supplied account,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6', 'user': {'type': 'IAMUser', 'accountId': '811596193553', 'accessKeyId': '', 'userName': 'HIDDEN_DUE_TO_SECURITY_REASONS'}}",,{'ConsoleLogin': 'Failure'}


# Hunting for root access attempts to an AWS Account

This is more a bad practice then a casual security issue. The risk here is introduced by accessing your or other account(s) with the root user. More details can be found in the ...

_Mitre Att&ck Framework:_

* Tactic: Privilege Escalation (TA0004)
* Name: Valid Accounts
* ID: [T1078](https://attack.mitre.org/techniques/T1078/)

In [42]:
query_root_access = lambda event: event["eventName"] == "ConsoleLogin" \
                                and (event["identity"]\
                                     .get('user', {})\
                                     .get('type', 'type missing') == "Root")

root_access = list(filter(query_root_access, cleaned_events))

In [43]:
print(len(root_access))

62


In [44]:
pd.read_json(json.dumps(root_access)).style

Unnamed: 0,accountId,region,eventName,eventTime,eventType,eventSource,sourceIPAddress,errorMessage,identity,request,response
0,811596193553,us-east-1,ConsoleLogin,2019-08-23T15:47:30Z,AwsConsoleSignIn,signin.amazonaws.com,228.139.46.252,NONE,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36', 'user': {'type': 'Root', 'principalId': '811596193553', 'arn': 'arn:aws:iam::811596193553:root', 'accountId': '811596193553'}}",,{'ConsoleLogin': 'Success'}
1,811596193553,us-east-1,ConsoleLogin,2018-06-03T13:46:21Z,AwsConsoleSignIn,signin.amazonaws.com,143.110.253.220,NONE,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.62 Safari/537.36', 'user': {'type': 'Root', 'principalId': '811596193553', 'arn': 'arn:aws:iam::811596193553:root', 'accountId': '811596193553'}}",,{'ConsoleLogin': 'Success'}
2,811596193553,us-east-1,ConsoleLogin,2018-06-16T14:32:40Z,AwsConsoleSignIn,signin.amazonaws.com,143.110.253.220,NONE,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36', 'user': {'type': 'Root', 'principalId': '811596193553', 'arn': 'arn:aws:iam::811596193553:root', 'accountId': '811596193553'}}",,{'ConsoleLogin': 'Success'}
3,811596193553,us-east-1,ConsoleLogin,2018-07-05T18:49:34Z,AwsConsoleSignIn,signin.amazonaws.com,250.251.253.3,NONE,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36', 'user': {'type': 'Root', 'principalId': '811596193553', 'arn': 'arn:aws:iam::811596193553:root', 'accountId': '811596193553'}}",,{'ConsoleLogin': 'Success'}
4,811596193553,us-east-1,ConsoleLogin,2018-07-06T04:14:52Z,AwsConsoleSignIn,signin.amazonaws.com,250.251.253.3,NONE,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36', 'user': {'type': 'Root', 'principalId': '811596193553', 'arn': 'arn:aws:iam::811596193553:root', 'accountId': '811596193553'}}",,{'ConsoleLogin': 'Success'}
5,811596193553,us-east-1,ConsoleLogin,2018-07-06T22:30:23Z,AwsConsoleSignIn,signin.amazonaws.com,250.251.253.3,NONE,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36', 'user': {'type': 'Root', 'principalId': '811596193553', 'arn': 'arn:aws:iam::811596193553:root', 'accountId': '811596193553'}}",,{'ConsoleLogin': 'Success'}
6,811596193553,us-east-1,ConsoleLogin,2018-07-07T15:29:55Z,AwsConsoleSignIn,signin.amazonaws.com,250.251.253.3,NONE,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36', 'user': {'type': 'Root', 'principalId': '811596193553', 'arn': 'arn:aws:iam::811596193553:root', 'accountId': '811596193553'}}",,{'ConsoleLogin': 'Success'}
7,811596193553,us-east-1,ConsoleLogin,2018-07-10T16:45:55Z,AwsConsoleSignIn,signin.amazonaws.com,250.251.253.3,NONE,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36', 'user': {'type': 'Root', 'principalId': '811596193553', 'arn': 'arn:aws:iam::811596193553:root', 'accountId': '811596193553'}}",,{'ConsoleLogin': 'Success'}
8,811596193553,us-east-1,ConsoleLogin,2018-08-05T16:50:57Z,AwsConsoleSignIn,signin.amazonaws.com,250.251.253.3,NONE,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36', 'user': {'type': 'Root', 'principalId': '811596193553', 'arn': 'arn:aws:iam::811596193553:root', 'accountId': '811596193553'}}",,{'ConsoleLogin': 'Success'}
9,811596193553,us-east-1,ConsoleLogin,2018-08-18T03:19:14Z,AwsConsoleSignIn,signin.amazonaws.com,84.251.178.39,NONE,"{'userAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36', 'user': {'type': 'Root', 'principalId': '811596193553', 'arn': 'arn:aws:iam::811596193553:root', 'accountId': '811596193553'}}",,{'ConsoleLogin': 'Success'}


# Hunting for CloudTrail tampering

If an attacker maanges it to bypass your defensive perimeters a good option to evade defenses is to disrupt CloudTrails that were related with attacks or stop logging to CloudTrail before the main attack starts

_Mitre Att&ck Framework:_

* Tactic: Defense Evasion (TA0005)
* Name: Impair Defenses: Disable or Modify Tools
* ID: [T1562.001](https://attack.mitre.org/techniques/T1562/001/)

In [47]:
query_ctrail_tampering = lambda event: event["eventName"] == "DeleteTrail" \
                                    or event["eventName"] == "StopLogging" \
                                    or event["eventName"] == "UpdatTraile"

ctrail_tampering = list(filter(query_ctrail_tampering, cleaned_events))

In [48]:
print(len(ctrail_tampering))

3


In [49]:
pd.read_json(json.dumps(ctrail_tampering)).style

Unnamed: 0,accountId,region,eventName,eventTime,eventType,eventSource,sourceIPAddress,errorMessage,identity,request,response
0,811596193553,us-west-2,DeleteTrail,2019-08-23T15:48:50Z,AwsApiCall,cloudtrail.amazonaws.com,228.139.46.252,NONE,"{'userAgent': 'console.amazonaws.com', 'user': {'type': 'Root', 'principalId': '811596193553', 'arn': 'arn:aws:iam::811596193553:root', 'accountId': '811596193553', 'accessKeyId': 'ASIAKQIVAZYDNA7IFS2O', 'userName': 'flaws', 'sessionContext': {'sessionIssuer': {}, 'webIdFederationData': {}, 'attributes': {'mfaAuthenticated': 'true', 'creationDate': '2019-08-23T15:47:30Z'}}}}",{'name': 'arn:aws:cloudtrail:us-west-2:811596193553:trail/cloudtrail'},
1,811596193553,us-east-1,StopLogging,2019-06-07T11:04:25Z,AwsApiCall,cloudtrail.amazonaws.com,2.251.2.5,User: arn:aws:iam::811596193553:user/Level6 is not authorized to perform: cloudtrail:StopLogging on resource: arn:aws:cloudtrail:us-east-1:745598359964:trail/summitroute-logs,"{'userAgent': 'aws-cli/1.16.168 Python/3.7.3rc1 Linux/4.19.0-kali3-amd64 botocore/1.12.158', 'user': {'type': 'IAMUser', 'principalId': 'AIDADO2GQD0K8TEF7KW1V', 'arn': 'arn:aws:iam::811596193553:user/Level6', 'accountId': '811596193553', 'accessKeyId': 'AKIA3Z2XBVUDFQ9TU4MD', 'userName': 'Level6'}}",,
2,811596193553,us-east-1,StopLogging,2019-06-07T11:04:25Z,AwsApiCall,cloudtrail.amazonaws.com,2.251.2.5,User: arn:aws:iam::811596193553:user/Level6 is not authorized to perform: cloudtrail:StopLogging on resource: arn:aws:cloudtrail:us-east-1:745598359964:trail/summitroute-logs,"{'userAgent': 'aws-cli/1.16.168 Python/3.7.3rc1 Linux/4.19.0-kali3-amd64 botocore/1.12.158', 'user': {'type': 'IAMUser', 'principalId': 'AIDADO2GQD0K8TEF7KW1V', 'arn': 'arn:aws:iam::811596193553:user/Level6', 'accountId': '811596193553', 'accessKeyId': 'AKIA3Z2XBVUDFQ9TU4MD', 'userName': 'Level6'}}",,


# Hunting for GuardDuty tampering

Applies the same conditions like above for the GuardDuty service. Below is the long version if you skipped the query above:

If an attacker maanges it to bypass your defensive perimeters a good option to evade defenses is to disrupt CloudTrails that were related with attacks or stop logging to CloudTrail before the main attack starts

_Mitre Att&ck Framework:_

* Tactic: Defense Evasion (TA0005)
* Name: Impair Defenses: Disable or Modify Tools
* ID: [T1562.001](https://attack.mitre.org/techniques/T1562/001/)



In [50]:
query_guardduty_tampering = lambda event: event["eventName"] == "DeleteDetector" \
                                       or event["eventName"] == "DeleteMembers" \
                                       or event["eventName"] == "StopMonitoringMembers" \
                                       or event["eventName"] == "DisassociateMembers" \
                                       or event["eventName"] == "DisassociateFromMasterAccount"

guardduty_tampering = list(filter(query_guardduty_tampering, cleaned_events))

In [51]:
print(len(guardduty_tampering))

0
