Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[New Rule] AWS STS GetSessionToken Abuse #1213

Merged
merged 34 commits into from Sep 22, 2021
Merged

[New Rule] AWS STS GetSessionToken Abuse #1213

merged 34 commits into from Sep 22, 2021

Conversation

austinsonger
Copy link
Contributor

@austinsonger austinsonger commented May 17, 2021
edited

Issues

Resolves #1152
Relates #955

Summary

Contributor checklist

austinsonger and others added 24 commits April 20, 2021 12:47
@austinsonger
Update impact_iam_deactivate_mfa_device.toml
13b7a2c 
elastic#1111
@austinsonger
Update impact_iam_deactivate_mfa_device.toml
da7d230
@austinsonger
Update discovery_post_exploitation_external_ip_lookup.toml
b57fd60 
        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"
@austinsonger
Merge branch 'main' into main
b0bddce
@austinsonger
Merge branch 'main' into main
178baaf
@austinsonger @bm11100
Update rules/aws/impact_iam_deactivate_mfa_device.toml
475a132 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
@austinsonger
Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
ef40cc2 
This reverts commit b57fd60.
@austinsonger
Merge pull request #1 from elastic/main
3c9fed2 
[Rule Tuning] AWS IAM Deactivation of MFA Device (elastic#1132)
@austinsonger
Merge pull request #2 from elastic/main
76344b7 
[New Rule] Threat intel indicator match rule (elastic#1133)
@austinsonger
Merge pull request #3 from elastic/main
1f4723e 
Catching Up
@austinsonger
Merge pull request #4 from elastic/main
e60c7fe 
Update
@austinsonger
Merge branch 'elastic:main' into main
71b7597
@austinsonger
Merge branch 'elastic:main' into main
80d1035
@austinsonger
Merge branch 'elastic:main' into main
bdf860d
@austinsonger
Merge branch 'elastic:main' into main
d5dda87
@austinsonger
Update
6833d0b
@austinsonger
New Rule: Okta User Attempted Unauthorized Access
006e02e
@austinsonger
Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
1297aac
@austinsonger
Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
7d6357a
@austinsonger
Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
72ffc88
@austinsonger
Create persistence_new-or-modified-federation-domain.toml
037d240
@austinsonger
Delete persistence_new-or-modified-federation-domain.toml
5bb487b
@austinsonger
Merge branch 'elastic:main' into main
0be9c10
@austinsonger
Create lateral_movement_sts_getsessiontoken_abuse.toml
26cd47d
@brokensound77 brokensound77 added the Rule: New Proposal for new rule label Jun 15, 2021
brokensound77
brokensound77 reviewed Jun 22, 2021
View reviewed changes
.gitignore Outdated Show resolved Hide resolved
rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml Outdated Show resolved Hide resolved
rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml Outdated Show resolved Hide resolved
w0rk3r
w0rk3r requested changes Sep 22, 2021
View reviewed changes
Copy link
Contributor

@w0rk3r w0rk3r left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

License needs to be added, other than that, LGTM

rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml Outdated Show resolved Hide resolved
@w0rk3r w0rk3r self-assigned this Sep 22, 2021
@brokensound77 brokensound77 removed the request for review from bm11100 September 22, 2021 19:25
brokensound77
brokensound77 approved these changes Sep 22, 2021
View reviewed changes
Copy link
Collaborator

@brokensound77 brokensound77 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks

@w0rk3r w0rk3r merged commit 93b8038 into elastic:main Sep 22, 2021
protectionsmachine pushed a commit that referenced this pull request Sep 22, 2021
@austinsonger @github-actions
[New Rule] AWS STS GetSessionToken Abuse (#1213)
03ac44e 
* Update impact_iam_deactivate_mfa_device.toml

#1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create lateral_movement_sts_getsessiontoken_abuse.toml

* Rename lateral_movement_sts_getsessiontoken_abuse.toml to privilege_escalation_sts_getsessiontoken_abuse.toml

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update .gitignore

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update

* Update rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 93b8038)
protectionsmachine pushed a commit that referenced this pull request Sep 22, 2021
@austinsonger @github-actions
[New Rule] AWS STS GetSessionToken Abuse (#1213)
216d06e 
* Update impact_iam_deactivate_mfa_device.toml

#1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create lateral_movement_sts_getsessiontoken_abuse.toml

* Rename lateral_movement_sts_getsessiontoken_abuse.toml to privilege_escalation_sts_getsessiontoken_abuse.toml

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update .gitignore

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update

* Update rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 93b8038)
protectionsmachine pushed a commit that referenced this pull request Sep 22, 2021
@austinsonger @github-actions
[New Rule] AWS STS GetSessionToken Abuse (#1213)
914db6a 
* Update impact_iam_deactivate_mfa_device.toml

#1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create lateral_movement_sts_getsessiontoken_abuse.toml

* Rename lateral_movement_sts_getsessiontoken_abuse.toml to privilege_escalation_sts_getsessiontoken_abuse.toml

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update .gitignore

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update

* Update rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 93b8038)
@austinsonger austinsonger deleted the lateral_movement_sts_getsessiontoken_abuse.toml branch September 23, 2021 00:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brokensound77 brokensound77 brokensound77 approved these changes

@w0rk3r w0rk3r w0rk3r approved these changes

Assignees

@w0rk3r w0rk3r

Labels
backport: auto community Domain: Cloud Integration: AWS AWS related rules Rule: New Proposal for new rule
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[New Rule] AWS STS GetSessionToken Abuse
4 participants
@austinsonger @brokensound77 @w0rk3r @rw-access