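# Scheduled analytics rule template (Sentinel rule schema: requiredDataConnectors,
# queryFrequency/queryPeriod, triggerOperator/triggerThreshold, entityMappings).
# Reconstructed with proper YAML nesting; list items belong to the key above them.
id: 32555639-b639-4c2b-afda-c0ae0abefa55
name: Monitor AWS Credential abuse or hijacking
description: |
  'Looking for GetCallerIdentity Events where the UserID Type is AssumedRole
  An attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.
  A legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.
  More Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws
  AWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html '
# Low because the premise ("legitimate users never call GetCallerIdentity") does
# not hold for automation: the AWS CLI, SDKs and IaC tooling routinely call it
# under assumed roles as a credential sanity check. Expect volume and tune with
# UserAgent / UserIdentityUserName allowlists before raising severity.
# GetCallerIdentity requires no IAM permission, so it cannot be denied by policy;
# CloudTrail visibility is the only control, which is why this rule exists.
severity: Low
requiredDataConnectors:
  - connectorId: AWS
    dataTypes:
      - AWSCloudTrail
# Runs once a day over the last day; matches `timeframe` in the query so no
# events fall between consecutive runs.
queryFrequency: 1d
queryPeriod: 1d
# gt 0: a single matching event produces an alert.
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Discovery
relevantTechniques:
  - T1087
# Note: grouping on AdditionalEventData and ResponseElements keeps the output
# close to one row per event, so the min/max summarize rarely collapses bursts
# from the same principal.
query: |
  let timeframe = 1d;
  AWSCloudTrail
  | where TimeGenerated > ago(timeframe)
  | where EventName =~ "GetCallerIdentity" and UserIdentityType =~ "AssumedRole"
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid,
    UserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements
  | extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress
  | sort by EndTimeUtc desc nulls last
# Entities are taken from the *CustomEntity columns the query's `extend` produces.
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity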