In [1]:
import boto3
from requests.auth import HTTPBasicAuth
import requests
import json
import datetime
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
import email
import smtplib

In [2]:
def action_lookup_events(access_key_id, secret_access_key,
                         lookup_attributes,
                         region_name='us-west-2',
                         **kwargs):
        try:
            session = boto3.client('cloudtrail', region_name=region_name,
                                   aws_access_key_id=access_key_id,
                                   aws_secret_access_key=secret_access_key)
            response = session.lookup_events(LookupAttributes=lookup_attributes)
            return {'result': response,
                        'execution_status': 'SUCCESS'}
        except Exception as e:
            return {'result': str(e),
                    'execution_status': 'ERROR'}

In [3]:
# action used for retrieve records
def action_retrieve_records(username, password, table_name, retrieve_no_of_records=1,
                            query_params=None, **kwargs):
    """
    :parameter
        :param table_name: Table Name for which records need to be retrieved
        :param retrieve_no_of_records: Number of Records to retrieve from table as an input.
            Example: to retrieve 10 records: provide 10 as an input.
            Default set as: 1
        :param query_params: Query parameters if necessary to filter the result
    """
    base_url = "https://dev79641.service-now.com/api/now/table/"
    auth_val = HTTPBasicAuth(username, password)
    headers = {"Accept": "application/json",
               "Content-Type": "application/json"}
    if query_params is None:
        query_params = {}

    try:
        result = {}
        params = {"sysparam_limit": retrieve_no_of_records}
        query_params.update(params)
        endpoint = "{0}{1}".format(
            base_url, table_name
        )
        response = requests.get(endpoint, params=query_params,
                                headers=headers, auth=auth_val)
        result["records"] = response.json()
        if response.headers.get("X-Total-Count"):
            result["count"] = response.headers.get("X-Total-Count")
        else:
            result["count"] = "0"
        return {"result": result, "execution_status": "SUCCESS"}
    except Exception as e:
        exception_error = str(e)
        return {"result": exception_error, "execution_status": "ERROR"}

In [4]:
email_smtp = 'smtp.gmail.com'
email_port = 587
email_id = 'hydranoob000@gmail.com'
email_password = 'hqkcvqarjdhmiqsq'

In [5]:
def send_email(sender_email, sender_name, email_subject, email_message,
                        recipient_list, cc_list=None, **kwargs):
    try:
        if cc_list is None:
            cc_list = ''

        cc_list = cc_list.split(',')
        recipient_list = recipient_list.split(',')

        msg = MIMEMultipart('alternative')
        msg['Subject'] = email_subject
        msg['From'] = email.utils.formataddr((sender_name, sender_email))
        msg['To'] = ','.join(recipient_list)

        if cc_list:
            msg['CC'] = ','.join(cc_list)
            recipient_list.extend(cc_list)


        part1 = MIMEText(email_message, 'plain')
        part2 = MIMEText(email_message, 'html')

        msg.attach(part1)
        msg.attach(part2)

        try:
            server = smtplib.SMTP(email_smtp, email_port)
            server.ehlo()
            server.starttls()
            server.ehlo()
            server.login(email_id, email_password)
            server.sendmail(sender_email, recipient_list, msg.as_string())
            return {'result': "OK!, Email has been sent to user successfully", 'execution_status': 'SUCCESS'}
        except Exception as e:
            return {'result': str(e), 'execution_status': 'ERROR'}
    except Exception as f:
        return {'result': str(f), 'execution_status': 'ERROR'}

In [6]:
def default(o):
    if isinstance(o, (datetime.date, datetime.datetime)):
        return o.isoformat()

In [7]:
x = action_lookup_events(
        "AKIAJTN353HSO4DS6HLA","UMNw7cVmop++9AhZP5AZuEuwRwtc7kOmfHR29few",
        [{
            'AttributeKey': 'EventName',
            'AttributeValue': 'CreateUser'
        }], region_name='ap-south-1')

In [8]:
print(json.dumps(x, default=default))

{"result": {"Events": [{"EventId": "63166ada-70ba-411e-a9c6-dd05a741cd44", "EventName": "CreateUser", "ReadOnly": "false", "AccessKeyId": "ASIAR5XG7LKOPQCZXLWY", "EventTime": "2020-03-29T18:06:41+05:30", "EventSource": "iam.amazonaws.com", "Username": "root", "Resources": [{"ResourceType": "AWS::IAM::User", "ResourceName": "arn:aws:iam::132554644124:user/peter_smith"}, {"ResourceType": "AWS::IAM::User", "ResourceName": "AIDAR5XG7LKOJ32ZI4R7M"}, {"ResourceType": "AWS::IAM::User", "ResourceName": "peter_smith"}], "CloudTrailEvent": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"Root\",\"principalId\":\"132554644124\",\"arn\":\"arn:aws:iam::132554644124:root\",\"accountId\":\"132554644124\",\"accessKeyId\":\"ASIAR5XG7LKOPQCZXLWY\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-03-29T09:07:26Z\"}}},\"eventTime\":\"2020-03-29T12:36:41Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"

In [9]:
for i in x['result']['Events']:
    cevent = json.loads(i.get('CloudTrailEvent', {}))
    print(cevent['requestParameters']['userName'])
    print(json.dumps(cevent))
# x = action_retrieve_records("admin","Yx64kyFmoHGL","sys_user", query_params={"sysparm_limit": "1", "sysparm_query": "user_name="})
# print(x)
# json.dumps(x, indent=4)

peter_smith
{"eventVersion": "1.05", "userIdentity": {"type": "Root", "principalId": "132554644124", "arn": "arn:aws:iam::132554644124:root", "accountId": "132554644124", "accessKeyId": "ASIAR5XG7LKOPQCZXLWY", "sessionContext": {"sessionIssuer": {}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated": "true", "creationDate": "2020-03-29T09:07:26Z"}}}, "eventTime": "2020-03-29T12:36:41Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": "103.48.100.239", "userAgent": "console.amazonaws.com", "requestParameters": {"userName": "peter_smith", "tags": [{"key": "Name", "value": "Peter Smith"}]}, "responseElements": {"user": {"path": "/", "userName": "peter_smith", "userId": "AIDAR5XG7LKOJ32ZI4R7M", "arn": "arn:aws:iam::132554644124:user/peter_smith", "createDate": "Mar 29, 2020 12:36:41 PM", "tags": [{"key": "Name", "value": "Peter Smith"}]}}, "requestID": "82db73fa-eb06-4afe-a72b-ab4fe6f0a341", "eventID": "63166ada-70ba-411

In [10]:
# We could put in time filters here.
# Also, notice how we haven't hardcoded the variable parameters but have parsed and passed it
for i in x['result']['Events']:
    cevent = json.loads(i.get('CloudTrailEvent', {}))
    y = action_retrieve_records("admin","Yx64kyFmoHGL","sys_user",
                                query_params={"sysparm_limit": "1",
                                              "sysparm_query": "user_name="+cevent['requestParameters']['userName']})
    print(json.dumps(y))
# result count is 0 that means it is safe to assume that its a rogue user

{"result": {"records": {"result": []}, "count": "0"}, "execution_status": "SUCCESS"}


In [11]:
for i in x['result']['Events']:
    cevent = json.loads(i.get('CloudTrailEvent', {}))
    y = action_retrieve_records("admin","Yx64kyFmoHGL","sys_user",
                                query_params={"sysparm_limit": "1",
                                              "sysparm_query": "user_name="+cevent['requestParameters']['userName']})
    msg = """
        Hello Admin,<br>
        We have found a rogue user in the AWS account id {0} with the username {1}.<br>
        Possible Compromised Details:<br>
        User: {2}<br>
        Compromised Time: {3}<br>
        Compromised Account ID: {4}<br>
        Compromised Access Key ID: {5}<br>
        Attacker IP Address: {6}<br>
        Please confirm if you have created the user or the user will be automatically deleted in 3 hours.""".format(cevent["userIdentity"]['accountId'],
                                                                                                                    cevent["requestParameters"]["userName"],
                                                                                                                    i.get('Username'),
                                                                                                                    cevent["eventTime"],
                                                                                                                    cevent["userIdentity"]['accountId'],
                                                                                                                    cevent["userIdentity"]['accessKeyId'],
                                                                                                                    cevent["sourceIPAddress"])
    print(msg)
    mail_resp = send_email('hydranoob000@gmail.com', 'Hydra', 'Rogue User Creation Found in AWS', msg, 'hydranoob001@gmail.com')
    print(mail_resp)


        Hello Admin,<br>
        We have found a rogue user in the AWS account id 132554644124 with the username peter_smith.<br>
        Possible Compromised Details:<br>
        User: root<br>
        Compromised Time: 2020-03-29T12:36:41Z<br>
        Compromised Account ID: 132554644124<br>
        Compromised Access Key ID: ASIAR5XG7LKOPQCZXLWY<br>
        Attacker IP Address: 103.48.100.239<br>
        Please confirm if you have created the user or the user will be automatically deleted in 3 hours.
{'result': 'OK!, Email has been sent to user successfully', 'execution_status': 'SUCCESS'}
