[New Rule] Adding Coverage for Self-Created Login Profile for Root Accounts in AWS #4277
Merged
Commits (5):

- d70eed7 (terrancedejesus): new rule 'AWS IAM Login Profile Added for Root'
- 5e9c46e (terrancedejesus): added min-stack
- 1e3485a (terrancedejesus): linted; fixed rule schema errors
- 4374128 (terrancedejesus): Merge branch 'main' into new-rule-create-login-profile-root
- 8b29908 (shashank-elastic): Merge branch 'main' into new-rule-create-login-profile-root
rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml (151 additions, 0 deletions)
@@ -0,0 +1,151 @@ | ||
[metadata] | ||
creation_date = "2024/12/02" | ||
integration = ["aws"] | ||
maturity = "production" | ||
min_stack_comments = "ES|QL available in technical preview." | ||
min_stack_version = "8.13.0" | ||
updated_date = "2024/12/02" | ||
| ||
[rule] | ||
author = ["Elastic"] | ||
description = """ | ||
Detects when an AWS IAM login profile is added to a root user account and is self-assigned. Adversaries, with temporary | ||
access to the root account, may add a login profile to the root user account to maintain access even if the original | ||
access key is rotated or disabled. | ||
""" | ||
from = "now-9m" | ||
language = "esql" | ||
license = "Elastic License v2" | ||
name = "AWS IAM Login Profile Added for Root" | ||
note = """ | ||
## Investigating AWS IAM Login Profile Added for Root | ||
| ||
This rule detects when a login profile is added to the AWS root account. Adding a login profile to the root account, especially if self-assigned, is highly suspicious as it might indicate an adversary trying to establish persistence in the environment. | ||
| ||
### Possible Investigation Steps | ||
| ||
- **Identify the Source and Context of the Action**: | ||
- Examine the `source.address` field to identify the IP address from which the request originated. | ||
- Check the geographic location (`source.address`) to determine if the access is from an expected or unexpected region. | ||
- Look at the `user_agent.original` field to identify the tool or browser used for this action. | ||
- For example, a user agent like `Mozilla/5.0` might indicate interactive access, whereas `aws-cli` or SDKs suggest scripted activity. | ||
| ||
- **Confirm Root User and Request Details**: | ||
- Validate the root user's identity through `aws.cloudtrail.user_identity.arn` and ensure this activity aligns with legitimate administrative actions. | ||
- Review `aws.cloudtrail.user_identity.access_key_id` to identify if the action was performed using temporary or permanent credentials. This access key could be used to pivot into other actions. | ||
| ||
- **Analyze the Login Profile Creation**: | ||
- Review the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields for details of the created login profile. | ||
- For example, confirm the `userName` of the profile and whether `passwordResetRequired` is set to `true`. | ||
- Compare the `@timestamp` of this event with other recent actions by the root account to identify potential privilege escalation or abuse. | ||
| ||
- **Correlate with Other Events**: | ||
- Investigate for related IAM activities, such as: | ||
- `CreateAccessKey` or `AttachUserPolicy` events targeting the root account. | ||
- Unusual data access, privilege escalation, or management console logins. | ||
- Check for any anomalies involving the same `source.address` or `aws.cloudtrail.user_identity.access_key_id` in the environment. | ||
| ||
- **Evaluate Policy and Permissions**: | ||
- Verify the current security policies for the root account: | ||
- Ensure password policies enforce complexity and rotation requirements. | ||
- Check if MFA is enforced on the root account. | ||
- Assess the broader IAM configuration for deviations from least privilege principles. | ||
| ||
### False Positive Analysis | ||
| ||
- **Routine Administrative Tasks**: Adding a login profile might be a legitimate action during certain administrative processes. Verify with the relevant AWS administrators if this event aligns with routine account maintenance or emergency recovery scenarios. | ||
| ||
- **Automation**: If the action is part of an approved automation process (e.g., account recovery workflows), consider excluding these activities from alerting using specific user agents, IP addresses, or session attributes. | ||
| ||
### Response and Remediation | ||
| ||
- **Immediate Access Review**: | ||
- Disable the newly created login profile (`aws iam delete-login-profile`) if it is determined to be unauthorized. | ||
- Rotate or disable the credentials associated with the root account to prevent further abuse. | ||
| ||
- **Enhance Monitoring and Alerts**: | ||
- Enable real-time monitoring and alerting for IAM actions involving the root account. | ||
- Increase the logging verbosity for root account activities. | ||
| ||
- **Review and Update Security Policies**: | ||
- Enforce MFA for all administrative actions, including root account usage. | ||
- Restrict programmatic access to the root account by disabling access keys unless absolutely necessary. | ||
| ||
- **Conduct Post-Incident Analysis**: | ||
- Investigate how the credentials for the root account were compromised or misused. | ||
- Strengthen the security posture by implementing account-specific guardrails and continuous monitoring. | ||
| ||
### Additional Resources | ||
| ||
- AWS documentation on [Login Profile Management](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html). | ||
""" | ||
risk_score = 73 | ||
rule_id = "c04be7e0-b0fc-11ef-a826-f661ea17fbce" | ||
severity = "high" | ||
tags = [ | ||
"Domain: Cloud", | ||
"Data Source: AWS", | ||
"Data Source: Amazon Web Services", | ||
"Data Source: AWS IAM", | ||
"Use Case: Identity and Access Audit", | ||
"Tactic: Persistence", | ||
"Resources: Investigation Guide", | ||
] | ||
timestamp_override = "event.ingested" | ||
type = "esql" | ||
| ||
query = ''' | ||
from logs-aws.cloudtrail* metadata _id, _version, _index | ||
| where | ||
// filter for CloudTrail logs from IAM | ||
event.dataset == "aws.cloudtrail" | ||
and event.provider == "iam.amazonaws.com" | ||
| ||
// filter for successful CreateLoginProfile API call | ||
and event.action == "CreateLoginProfile" | ||
and event.outcome == "success" | ||
| ||
// filter for Root member account | ||
and aws.cloudtrail.user_identity.type == "Root" | ||
| ||
// filter for an access key existing which sources from AssumeRoot | ||
and aws.cloudtrail.user_identity.access_key_id IS NOT NULL | ||
| ||
// filter on the request parameters not including UserName which assumes self-assignment | ||
and NOT TO_LOWER(aws.cloudtrail.request_parameters) LIKE "*username*" | ||
| keep | ||
@timestamp, | ||
aws.cloudtrail.request_parameters, | ||
aws.cloudtrail.response_elements, | ||
aws.cloudtrail.user_identity.type, | ||
aws.cloudtrail.user_identity.arn, | ||
aws.cloudtrail.user_identity.access_key_id, | ||
cloud.account.id, | ||
event.action, | ||
source.address | ||
''' | ||
| ||
| ||
[[rule.threat]] | ||
framework = "MITRE ATT&CK" | ||
[[rule.threat.technique]] | ||
id = "T1078" | ||
name = "Valid Accounts" | ||
reference = "https://attack.mitre.org/techniques/T1078/" | ||
[[rule.threat.technique.subtechnique]] | ||
id = "T1078.004" | ||
name = "Cloud Accounts" | ||
reference = "https://attack.mitre.org/techniques/T1078/004/" | ||
| ||
| ||
[[rule.threat.technique]] | ||
id = "T1098" | ||
name = "Account Manipulation" | ||
reference = "https://attack.mitre.org/techniques/T1098/" | ||
| ||
| ||
[rule.threat.tactic] | ||
id = "TA0003" | ||
name = "Persistence" | ||
reference = "https://attack.mitre.org/tactics/TA0003/" | ||
|
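Review bot: The comment on the access-key filter ("filter for an access key existing which sources from AssumeRoot") promises more than `aws.cloudtrail.user_identity.access_key_id IS NOT NULL` delivers: that predicate matches any root session that used an access key, including the root user's own long-lived key, which the rule description itself anticipates ("even if the original access key is rotated or disabled"). Either reword the comment to "filter for root sessions using an access key" or, if AssumeRoot-sourced sessions are really the target, add a predicate on the session/ARN fields that distinguishes them. Two smaller points in the investigation guide: the step "confirm the `userName` of the profile" in `aws.cloudtrail.request_parameters` can never apply to an alert, because the query only fires when `TO_LOWER(aws.cloudtrail.request_parameters)` does not contain `username`, so that sentence should instead tell the analyst to verify that `userName` is absent (the self-assignment signal) and take the profile name from `aws.cloudtrail.response_elements`; and "Check the geographic location (`source.address`)" repeats the IP field from the previous bullet, so it should point at the geo-enriched source field rather than `source.address`.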