|
| 1 | +name: ASL AWS IAM Assume Role Policy Brute Force |
| 2 | +id: 726959fe-316d-445c-a584-fa187d64e295 |
| 3 | +version: 1 |
| 4 | +date: '2025-01-08' |
| 5 | +author: Patrick Bareiss, Splunk |
| 6 | +status: production |
| 7 | +type: TTP |
| 8 | +description: The following analytic detects multiple failed attempts to assume an AWS IAM role, indicating a potential brute force attack. It leverages AWS CloudTrail logs to identify `MalformedPolicyDocumentException` errors with a status of `failure` and filters out legitimate AWS services. This activity is significant as repeated failures to assume roles can indicate an adversary attempting to guess role names, which is a precursor to unauthorized access. If confirmed malicious, this could lead to unauthorized access to AWS resources, potentially compromising sensitive data and services. |
| 9 | +data_source: [] |
| 10 | +search: '`amazon_security_lake` api.operation="AssumeRole" "api.response.error"=AccessDenied |
| 11 | + | bucket _time span=1h |
| 12 | + | stats count as failures min(_time) as firstTime max(_time) as lastTime values(api.operation) as api.operation values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region by actor.user.uid _time |
| 13 | + | where failures >= 3 |
| 14 | + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region |
| 15 | + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_assume_role_policy_brute_force_filter`' |
| 16 | +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. |
| 17 | +known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. |
| 18 | +references: |
| 19 | +- https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities/ |
| 20 | +- https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/ |
| 21 | +- https://www.elastic.co/guide/en/security/current/aws-iam-brute-force-of-assume-role-policy.html |
| 22 | +drilldown_searches: |
| 23 | +- name: View the detection results for - "$user$" |
| 24 | + search: '%original_detection_search% | search user = "$user$"' |
| 25 | + earliest_offset: $info_min_time$ |
| 26 | + latest_offset: $info_max_time$ |
| 27 | +- name: View risk events for the last 7 days for - "$user$" |
| 28 | + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' |
| 29 | + earliest_offset: $info_min_time$ |
| 30 | + latest_offset: $info_max_time$ |
| 31 | +tags: |
| 32 | + analytic_story: |
| 33 | + - AWS IAM Privilege Escalation |
| 34 | + asset_type: AWS Account |
| 35 | + confidence: 70 |
| 36 | + impact: 40 |
| 37 | + message: User $user$ has caused multiple failures with errorCode AccessDenied, which potentially means adversary is attempting to identify a role name. |
| 38 | + mitre_attack_id: |
| 39 | + - T1580 |
| 40 | + - T1110 |
| 41 | + observable: |
| 42 | + - name: src_ip |
| 43 | + type: IP Address |
| 44 | + role: |
| 45 | + - Attacker |
| 46 | + - name: user |
| 47 | + type: User |
| 48 | + role: |
| 49 | + - Victim |
| 50 | + product: |
| 51 | + - Splunk Enterprise |
| 52 | + - Splunk Enterprise Security |
| 53 | + - Splunk Cloud |
| 54 | + required_fields: |
| 55 | + - _time |
| 56 | + - api.operation |
| 57 | + - actor.user.uid |
| 58 | + - src_endpoint.ip |
| 59 | + - cloud.region |
| 60 | + risk_score: 28 |
| 61 | + security_domain: access |
| 62 | +tests: |
| 63 | +- name: True Positive Test |
| 64 | + attack_data: |
| 65 | + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/asl_ocsf_cloudtrail.json |
| 66 | + sourcetype: aws:asl |
| 67 | + source: aws_asl |
0 commit comments