From cf036c60c41bc1e326d9253dab6090029a2c3753 Mon Sep 17 00:00:00 2001
From: Arjun Trivedi
Date: Thu, 31 Aug 2023 18:51:41 +0530
Subject: [PATCH] Update SuspiciousAWSCLICommandExecution.yaml

Slight update in Query logic and added some relevantTechniques:

---
 .../SuspiciousAWSCLICommandExecution.yaml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/Detections/MultipleDataSources/SuspiciousAWSCLICommandExecution.yaml b/Detections/MultipleDataSources/SuspiciousAWSCLICommandExecution.yaml
index 62b97553248..9c923f8e4eb 100644
--- a/Detections/MultipleDataSources/SuspiciousAWSCLICommandExecution.yaml
+++ b/Detections/MultipleDataSources/SuspiciousAWSCLICommandExecution.yaml
@@ -14,17 +14,23 @@ triggerThreshold: 0
 tactics:
 - Reconnaissance
 relevantTechniques:
+ - T1595
+ - T1592.004
+ - T1589.002
+ - T1589.003
+ - T1590
+ - T1591
 - T1596
 query: |
+ let SuspiciousCommands= pack_array('iam.list-users', 'iam.list-groups', 'ec2.describe-vpcs', 'ec2.describe-subnets', 'route53.list-hosted-zones', 'kms.list-keys', 'kms.list-aliases', 'ecs.list-clusters', 'ecs.list-services', 'iam.list-roles', 'iam.get-user''iam.list-access-keys', 'ec2.describe-security-groups', 'ec2.describe-network-acls', 'ec2.describe-network-interfaces', 'ec2.describe-route-tables', 'ec2.describe-internet-gateways', 'ec2.describe-vpc-peering-connections', 'ec2.describe-network-interfaces', 'ec2.describe-network-interfaces', 'ec2.describe-transit-gateway-vpc-attachment', 'ec2.describe-vpc');
 // Retrieve AWS CloudTrail events
 AWSCloudTrail
- | where TimeGenerated >= ago(1d)
 // Filter events with UserAgent starting with "aws-cli"
 | where UserAgent startswith "aws-cli"
 // Extract the command from the UserAgent using string splitting
 | extend command = tostring(split(UserAgent, "off command/", 1)[0])
 // Filter events based on predefined suspicious command list
- | where command in~ ('iam.list-users', 'iam.list-groups', 'ec2.describe-vpcs', 'ec2.describe-subnets', 'route53.list-hosted-zones', 'kms.list-keys', 'kms.list-aliases', 'ecs.list-clusters', 'ecs.list-services', 'iam.list-roles', 'iam.get-user', 'iam.list-access-keys', 'ec2.describe-security-groups', 'ec2.describe-network-acls', 'ec2.describe-network-interfaces', 'ec2.describe-route-tables', 'ec2.describe-internet-gateways', 'ec2.describe-vpc-peering-connections', 'ec2.describe-network-interfaces', 'ec2.describe-network-interfaces', 'ec2.describe-transit-gateway-vpc-attachment', 'ec2.describe-vpc')
+ | where command has_any (SuspiciousCommands)
 // Summarize relevant information for further analysis
 | summarize CommadCount = dcount(command),