[New Rule] AWS STS AssumeRole Usage #1214

austinsonger · 2021-05-17T21:34:10Z

Issues

Resolves #1153
Relates #955

Summary

Contributor checklist

Have you signed the contributor license agreement?
Have you followed the contributor guidelines?

elastic#1111

"*ipapi.co", "*ip-lookup.net", "*ipstack.com"

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

This reverts commit b57fd60.

[Rule Tuning] AWS IAM Deactivation of MFA Device (elastic#1132)

[New Rule] Threat intel indicator match rule (elastic#1133)

Catching Up

Update

…tion_sts_assumerole_abuse.toml

austinsonger · 2021-06-02T16:34:19Z

@bm11100 I was thinking about something you commented on another issue. This one could be noisy because of Terraform as well. So I added a false positive.

…rivilege_escalation_sts_assumerole_usage.toml

w0rk3r

LGTM

rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml

…ge.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml

…ge.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

brokensound77 · 2021-10-15T18:18:59Z

rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml

+index = ["filebeat-*", "logs-aws*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS STS AssumeRole Usage"


can we expand STS

Also are there references to add?

@brokensound77 does these changes solve this one?

brokensound77

After the remaining comment is resolved, then this LGTM 👍

* Update impact_iam_deactivate_mfa_device.toml #1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "*ipapi.co", "*ip-lookup.net", "*ipstack.com" * Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create lateral_movement_sts_assumerole_abuse.toml * Rename lateral_movement_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update * Update .gitignore Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update privilege_escalation_sts_assumerole_abuse.toml * Update and rename privilege_escalation_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_usage.toml * Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Add note field * Update privilege_escalation_sts_assumerole_usage.toml * Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Adding Reference * Expand STS Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> (cherry picked from commit d7eab5b)

austinsonger and others added 24 commits April 20, 2021 12:47

Update impact_iam_deactivate_mfa_device.toml

13b7a2c

elastic#1111

Update impact_iam_deactivate_mfa_device.toml

da7d230

Update discovery_post_exploitation_external_ip_lookup.toml

b57fd60

"*ipapi.co", "*ip-lookup.net", "*ipstack.com"

Merge branch 'main' into main

b0bddce

Merge branch 'main' into main

178baaf

Update rules/aws/impact_iam_deactivate_mfa_device.toml

475a132

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

ef40cc2

This reverts commit b57fd60.

Merge pull request #1 from elastic/main

3c9fed2

[Rule Tuning] AWS IAM Deactivation of MFA Device (elastic#1132)

Merge pull request #2 from elastic/main

76344b7

[New Rule] Threat intel indicator match rule (elastic#1133)

Merge pull request #3 from elastic/main

1f4723e

Catching Up

Merge pull request #4 from elastic/main

e60c7fe

Update

Merge branch 'elastic:main' into main

71b7597

Merge branch 'elastic:main' into main

80d1035

Merge branch 'elastic:main' into main

bdf860d

Merge branch 'elastic:main' into main

d5dda87

Update

6833d0b

New Rule: Okta User Attempted Unauthorized Access

006e02e

Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

1297aac

Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

7d6357a

Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

72ffc88

Create persistence_new-or-modified-federation-domain.toml

037d240

Delete persistence_new-or-modified-federation-domain.toml

5bb487b

Merge branch 'elastic:main' into main

0be9c10

Create lateral_movement_sts_assumerole_abuse.toml

cb22759

github-actions bot added the backport: auto label May 17, 2021

Rename lateral_movement_sts_assumerole_abuse.toml to privilege_escala…

3d8fdda

…tion_sts_assumerole_abuse.toml

rw-access added the community label May 17, 2021

austinsonger added 2 commits June 2, 2021 16:28

Merge branch 'main' into lateral_movement_sts_assumerole_abuse.toml

1fdfa63

Update privilege_escalation_sts_assumerole_abuse.toml

97ceeca

austinsonger added 3 commits October 5, 2021 17:26

Update privilege_escalation_sts_assumerole_abuse.toml

1c4beb1

Update privilege_escalation_sts_assumerole_abuse.toml

8795e85

Update and rename privilege_escalation_sts_assumerole_abuse.toml to p…

4101281

…rivilege_escalation_sts_assumerole_usage.toml

austinsonger changed the title ~~[New Rule] AWS STS AssumeRole Abuse~~ [New Rule] AWS STS AssumeRole Usage Oct 5, 2021

austinsonger added 2 commits October 5, 2021 17:32

Merge branch 'main' into lateral_movement_sts_assumerole_abuse.toml

60657e4

Merge branch 'main' into lateral_movement_sts_assumerole_abuse.toml

f3dfc91

w0rk3r approved these changes Oct 11, 2021

View reviewed changes

w0rk3r requested a review from brokensound77 October 11, 2021 11:55

w0rk3r requested changes Oct 11, 2021

View reviewed changes

rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml Show resolved Hide resolved

austinsonger and others added 2 commits October 11, 2021 08:55

Update rules/integrations/aws/privilege_escalation_sts_assumerole_usa…

17ebc52

…ge.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Add note field

746fbf3

w0rk3r approved these changes Oct 11, 2021

View reviewed changes

brokensound77 reviewed Oct 12, 2021

View reviewed changes

rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml Outdated Show resolved Hide resolved

austinsonger added 2 commits October 12, 2021 14:54

Update privilege_escalation_sts_assumerole_usage.toml

073166c

Merge branch 'main' into lateral_movement_sts_assumerole_abuse.toml

85b020d

w0rk3r reviewed Oct 12, 2021

View reviewed changes

rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml Outdated Show resolved Hide resolved

austinsonger and others added 2 commits October 12, 2021 17:31

Update rules/integrations/aws/privilege_escalation_sts_assumerole_usa…

dc79680

…ge.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Merge branch 'main' into lateral_movement_sts_assumerole_abuse.toml

d796269

w0rk3r requested a review from brokensound77 October 12, 2021 22:32

Merge branch 'main' into lateral_movement_sts_assumerole_abuse.toml

083387e

brokensound77 reviewed Oct 15, 2021

View reviewed changes

brokensound77 approved these changes Oct 15, 2021

View reviewed changes

w0rk3r added 3 commits October 15, 2021 15:40

Adding Reference

0d10f39

Expand STS

d542b9f

Merge branch 'main' into lateral_movement_sts_assumerole_abuse.toml

5123fa7

w0rk3r merged commit d7eab5b into elastic:main Oct 15, 2021

austinsonger deleted the lateral_movement_sts_assumerole_abuse.toml branch October 18, 2021 21:23

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[New Rule] AWS STS AssumeRole Usage #1214

[New Rule] AWS STS AssumeRole Usage #1214

austinsonger commented May 17, 2021 •

edited

Loading

austinsonger commented Jun 2, 2021 •

edited

Loading

w0rk3r left a comment

brokensound77 Oct 15, 2021

w0rk3r Oct 15, 2021

brokensound77 Oct 15, 2021

brokensound77 left a comment

[New Rule] AWS STS AssumeRole Usage #1214

[New Rule] AWS STS AssumeRole Usage #1214

Conversation

austinsonger commented May 17, 2021 • edited Loading

Issues

Summary

Contributor checklist

austinsonger commented Jun 2, 2021 • edited Loading

w0rk3r left a comment

Choose a reason for hiding this comment

brokensound77 Oct 15, 2021

Choose a reason for hiding this comment

w0rk3r Oct 15, 2021

Choose a reason for hiding this comment

brokensound77 Oct 15, 2021

Choose a reason for hiding this comment

brokensound77 left a comment

Choose a reason for hiding this comment

austinsonger commented May 17, 2021 •

edited

Loading

austinsonger commented Jun 2, 2021 •

edited

Loading