aws_createloginprofile.yml
name: AWS CreateLoginProfile
id: 2a9b80d3-6340-4345-11ad-212bf444d111
version: 2
date: '2021-07-19'
author: Bhavin Patel, Splunk
status: production
type: TTP
description: This search looks for AWS CloudTrail events where a user A (victim A)
  creates a login profile for user B, followed by an AWS Console login event from user
  B from the same src_ip as the CreateLoginProfile event. This correlated event can be
  indicative of privilege escalation since both events happened from the same src_ip.
data_source:
- AWS CloudTrail CreateLoginProfile
- AWS CloudTrail ConsoleLogin
search: '`cloudtrail` eventName = CreateLoginProfile | rename requestParameters.userName
  as new_login_profile | table src_ip eventName new_login_profile userIdentity.userName |
  join new_login_profile src_ip [| search `cloudtrail` eventName = ConsoleLogin |
  rename userIdentity.userName as new_login_profile | stats count values(eventName)
  min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode
  userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile
  src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`]
  | `aws_createloginprofile_filter`'
how_to_implement: You must install the Splunk Add-on for AWS and the Splunk App for AWS.
  This search works with AWS CloudTrail logs.
known_false_positives: While this search has no known false positives, it is possible
  that an AWS admin has legitimately created a login profile for another user.
references:
- https://bishopfox.com/blog/privilege-escalation-in-aws
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/
tags:
  analytic_story:
  - AWS IAM Privilege Escalation
  asset_type: AWS Account
  confidence: 80
  impact: 90
  message: User $user_arn$ is attempting to create a login profile for $new_login_profile$
    and did a console login from this IP $src_ip$
  mitre_attack_id:
  - T1136.003
  - T1136
  observable:
  - name: src_ip
    type: IP Address
    role:
    - Attacker
  - name: user_arn
    type: User
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - eventName
  - userAgent
  - errorCode
  - requestParameters.userName
  risk_score: 72
  security_domain: network
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createloginprofile/aws_cloudtrail_events.json
    sourcetype: aws:cloudtrail
    source: aws_cloudtrail
    update_timestamp: true
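The SPL above joins CreateLoginProfile events to ConsoleLogin events on the new profile's user name and the source IP. The following Python is an added example, not part of the splunk/security_content detection, that applies the same correlation to raw CloudTrail JSON so the logic can be checked outside Splunk. It assumes the raw CloudTrail field names (`sourceIPAddress`, `requestParameters.userName`, `userIdentity.userName`) rather than the add-on's `src_ip` alias, requires the login to occur after the profile creation, and adds a `window_seconds` limit that the SPL does not have (the search relies on its own time range instead). The sample records are constructed for illustration.

```python
"""Correlate a CloudTrail CreateLoginProfile with a later ConsoleLogin by the
new profile's user from the same source IP (added example, not the Splunk rule)."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample CloudTrail records (not real data). Only the fields the
# correlation needs are populated.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2021-07-19T10:00:00Z", "eventName": "CreateLoginProfile",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "bob"}},
    # bob logs in from the same IP five minutes later: this should fire.
    {"eventTime": "2021-07-19T10:05:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2021-07-19T11:00:00Z", "eventName": "CreateLoginProfile",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "carol"}},
    # carol logs in from a different IP: the join key does not match.
    {"eventTime": "2021-07-19T11:10:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "carol",
                      "arn": "arn:aws:iam::111122223333:user/carol"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # dave logs in from the attacker IP but no profile was created for him.
    {"eventTime": "2021-07-19T12:00:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "dave",
                      "arn": "arn:aws:iam::111122223333:user/dave"},
     "responseElements": {"ConsoleLogin": "Success"}},
]

# CloudTrail log files delivered to S3 wrap records in {"Records": [...]}.
SAMPLE_LOGFILE_TEXT = json.dumps({"Records": SAMPLE_CLOUDTRAIL})


def load_records(text):
    """Accept either a CloudTrail log file ({"Records": [...]}) or a bare list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate_login_profile_logins(events, window_seconds=86400):
    """Return one finding per ConsoleLogin that follows a CreateLoginProfile for
    the same user name from the same source IP within window_seconds."""
    # Index CreateLoginProfile by (target user, source IP): the SPL join keys.
    created = defaultdict(list)
    for ev in events:
        if ev.get("eventName") != "CreateLoginProfile":
            continue
        target = ev.get("requestParameters", {}).get("userName")
        if target is not None:
            created[(target, ev.get("sourceIPAddress"))].append(ev)

    findings = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        login_user = ev.get("userIdentity", {}).get("userName")
        key = (login_user, ev.get("sourceIPAddress"))
        login_time = _parse_time(ev["eventTime"])
        for create_ev in created.get(key, []):
            create_time = _parse_time(create_ev["eventTime"])
            delta = (login_time - create_time).total_seconds()
            if 0 <= delta <= window_seconds:
                findings.append({
                    "creator_arn": create_ev["userIdentity"]["arn"],
                    "new_login_profile": login_user,
                    "src_ip": key[1],
                    "login_status": ev.get("responseElements", {}).get("ConsoleLogin", "Unknown"),
                    "create_time": create_ev["eventTime"],
                    "login_time": ev["eventTime"],
                })
    return findings


if __name__ == "__main__":
    for finding in correlate_login_profile_logins(load_records(SAMPLE_LOGFILE_TEXT)):
        print(json.dumps(finding, indent=2))
```

Keying on both user name and source IP is what keeps this from firing on routine onboarding: an admin who creates a profile for a colleague who then logs in from their own workstation produces two events from different IPs and no finding, which matches the known_false_positives note above.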