/
asl_aws_new_mfa_method_registered_for_user.yml
69 lines (69 loc) · 3.21 KB
/
asl_aws_new_mfa_method_registered_for_user.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
name: ASL AWS New MFA Method Registered For User
id: 33ae0931-2a03-456b-b1d7-b016c5557fbd
version: 2
date: '2024-02-13'
author: Patrick Bareiss, Splunk
status: experimental
type: TTP
description: The following analytic detects when a new Multi-Factor Authentication (MFA) method is registered for an AWS account, as logged
through Amazon Security Lake (ASL). This behavior is detected by monitoring ASL logs for specific API calls associated with MFA registration.
Identifying this activity is crucial for a Security Operations Center (SOC) because unauthorized registration of a new MFA method can indicate
an adversary's attempt to establish or maintain access to a compromised account. The impact of such an attack is significant as it can enable
persistent access for the attacker, potentially leading to further compromise and exploitation of cloud resources.
data_source: []
search: ' `amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_new_mfa_method_registered_for_user_filter`'
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides
security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search,
ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or
the Federated Analytics App.
known_false_positives: Newly onboarded users who are registering an MFA method for
the first time will also trigger this detection.
references:
- https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/
- https://attack.mitre.org/techniques/T1556/
- https://attack.mitre.org/techniques/T1556/006/
- https://twitter.com/jhencinski/status/1618660062352007174
tags:
analytic_story:
- AWS Identity and Access Management Account Takeover
asset_type: AWS Account
confidence: 80
impact: 80
message: A new virtual device is added to user $user$
mitre_attack_id:
- T1556
- T1556.006
observable:
- name: src_ip
type: IP Address
role:
- Attacker
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- api.operation
- actor.user.account_uid
- actor.user.name
- actor.user.uid
- http_request.user_agent
- src_endpoint.ip
- cloud.region
risk_score: 64
security_domain: identity
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/asl_ocsf_cloudtrail.json
sourcetype: aws:cloudtrail:lake
source: aws_asl