From ffc5ff131dc1258f679095d20d88f1917360a899 Mon Sep 17 00:00:00 2001 From: Arjun Trivedi Date: Fri, 8 Sep 2023 18:41:51 +0530 Subject: [PATCH] Added New Detection for AWS cloud Shell execution Added New Detection for AWS cloud Shell execution --- .../SuspiciousAWSCLICommandExecution.yaml | 57 +++++++++++++++++++ ...ciousAWSEC2ComputeResourceDeployments.yaml | 54 ++++++++++++++++++ 2 files changed, 111 insertions(+) create mode 100644 Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSCLICommandExecution.yaml create mode 100644 Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSEC2ComputeResourceDeployments.yaml diff --git a/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSCLICommandExecution.yaml b/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSCLICommandExecution.yaml new file mode 100644 index 00000000000..c5fd0f51811 --- /dev/null +++ b/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSCLICommandExecution.yaml @@ -0,0 +1,57 @@ +id: 8c2dc344-9352-4ca1-8863-b1b7a5e09e59 +name: Suspicious AWS CLI Command Execution +description: | + 'This detection focuses on identifying potentially suspicious activities involving the execution of AWS Command Line Interface (CLI) commands, particularly focusing on reconnaissance operations.' +severity: Medium +requiredDataConnectors: + - connectorId: AWS + dataTypes: + - AWSCloudTrail +queryFrequency: 1d +queryPeriod: 1d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Reconnaissance +relevantTechniques: + - T1595 + - T1592.004 + - T1589.002 + - T1589.003 + - T1590 + - T1591 + - T1596 +query: | + let SuspiciousCommands= pack_array('iam.list-users', 'iam.list-groups', 'ec2.describe-vpcs', 'ec2.describe-subnets', 'route53.list-hosted-zones', 'kms.list-keys', 'kms.list-aliases', 'ecs.list-clusters', 'ecs.list-services', 'iam.list-roles', 'iam.get-user''iam.list-access-keys', 'ec2.describe-security-groups', 'ec2.describe-network-acls', 'ec2.describe-network-interfaces', 'ec2.describe-route-tables', 'ec2.describe-internet-gateways', 'ec2.describe-vpc-peering-connections', 'ec2.describe-network-interfaces', 'ec2.describe-network-interfaces', 'ec2.describe-transit-gateway-vpc-attachment', 'ec2.describe-vpc'); + // Retrieve AWS CloudTrail events + AWSCloudTrail + // Filter events with UserAgent starting with "aws-cli" + | where UserAgent startswith "aws-cli" + // Extract the command from the UserAgent using string splitting + | extend command = tostring(split(UserAgent, "off command/", 1)[0]) + // Filter events based on predefined suspicious command list + | where command has_any (SuspiciousCommands) + // Summarize relevant information for further analysis + | summarize + CommadCount = dcount(command), + EventCount = dcount(EventName), + commands = make_list(command), + Events = make_list(EventName) + by + bin(TimeGenerated, 1min), + UserIdentityUserName, + SourceIpAddress, + SessionMfaAuthenticated + // Filter out results with a sufficient count of unique suspicious commands in 1 min time window + | where CommadCount >= 8 +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: SourceIpAddress +customDetails: + SuspiciousCommand: commands + AWSUser: UserIdentityUserName + AWSUserIp: SourceIpAddress +kind: Scheduled +version: 1.0.0 diff --git a/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSEC2ComputeResourceDeployments.yaml b/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSEC2ComputeResourceDeployments.yaml new file mode 100644 index 00000000000..8cb7105891e --- /dev/null +++ b/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSEC2ComputeResourceDeployments.yaml @@ -0,0 +1,54 @@ +id: 9e457dc4-81f0-4d25-bc37-a5fa4a17946a +name: Suspicious AWS EC2 Compute Resource Deployments +description: | + 'This detection focused on Suspicious deployment of AWS EC2 resource (virtual machine) scale sets was detected. This behavior might indicate that the threat actor is deploying computing resources for cryptocurrency mining activities.This detection centers around identifying suspicious instances of AWS EC2 resource deployment, particularly scale sets. Such behavior raises concerns of potential threat actor involvement, potentially indicative of efforts to deploy computing resources for the purpose of cryptocurrency mining activities. +severity: Medium +requiredDataConnectors: + - connectorId: AWS + dataTypes: + - AWSCloudTrail +queryFrequency: 1d +queryPeriod: 1d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +relevantTechniques: + - T1496 +query: | + // Retrieve AWS CloudTrail events generated within the last day + AWSCloudTrail + // Filter events related to instance creation + | where EventName =~ "RunInstances" + // Exclude events with error messages + | where isempty(ErrorMessage) + // Extract the event source type + | extend EventSourceSplit = split(EventSource, ".") + | extend Type = tostring(EventSourceSplit[0]) + // Extract instance-related details from the event data + | extend instance = tostring(parse_json(RequestParameters).instanceType),platform = tostring(parse_json(ResponseElements).instancesSet.items[0].platform) + // Determine the operating system platform + | extend OSplatform = iff(isempty(platform), tostring("Linux"), platform),CPU = tostring(parse_json(ResponseElements).instancesSet.items[0].cpuOptions),core = toint(parse_json(ResponseElements).instancesSet.items[0].cpuOptions.coreCount),corThread = toint(parse_json(ResponseElements).instancesSet.items[0].cpuOptions.threadsPerCore),InstanceId = tostring(parse_json(ResponseElements).instancesSet.items[0].instanceId) + // Filter out instances with empty core values + | where isnotempty(core) + // Calculate the total compute based on core and thread counts + | extend totalCorecompute = core * corThread + // Summarize relevant information for analysis + | summarize Start= min(TimeGenerated), + end= max(TimeGenerated), + totalgpu= sum(totalCorecompute) + by SourceIpAddress, UserIdentityArn, UserAgent + // Filter results based on total GPU compute and time duration + | where totalgpu > 800 + | where datetime_diff('hour', end, Start) < 8 +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: SourceIpAddress +customDetails: + UserAgent: UserAgent + AWSUser: UserIdentityArn + SourceIpAddress: SourceIpAddress +kind: Scheduled +version: 1.0.0