cleanup

panther-labs · Jan 8, 2025 · eb43028 · eb43028
1 parent 069b9e8
commit eb43028
Show file tree

Hide file tree

Showing 7 changed files with 75 additions and 35 deletions.
diff --git a/rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets.py b/rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets.py
@@ -2,18 +2,14 @@
 
 
 def rule(event):
-    if event.get("eventName") == "GetSecretValue" and event.get("errorCode") == "AccessDenied":
+    if event.get("eventName") == "GetSecretValue":
         return True
     return False
 
 
-def dedup(event):
-    return event.deep_get("additionalEventData", "UserName", default="<NO_USER>")
-
-
 def title(event):
-    user = event.deep_get("additionalEventData", "UserName", default="<NO_USER>")
-    return f"[{user}] attempted to retrieve secrets from AWS Secrets Manager"
+    user = event.udm("actor_user")
+    return f"[{user}] attempted to retrieve a large number of secrets from AWS Secrets Manager"
 
 
 def alert_context(event):

diff --git a/rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets_batch.py b/rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets_batch.py
@@ -2,18 +2,16 @@
 
 
 def rule(event):
-    if event.get("eventName") == "BatchGetSecretValue" and event.get("errorCode") == "AccessDenied":
+    if event.get("eventName") == "BatchGetSecretValue":
         return True
     return False
 
 
-def dedup(event):
-    return event.deep_get("additionalEventData", "UserName", default="<NO_USER>")
-
-
 def title(event):
-    user = event.deep_get("additionalEventData", "UserName", default="<NO_USER>")
-    return f"[{user}] attempted to retrieve secrets from AWS Secrets Manager"
+    user = event.udm("actor_user")
+    return (
+        f"[{user}] attempted to batch retrieve a large number of secrets from AWS Secrets Manager"
+    )
 
 
 def alert_context(event):

diff --git a/rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets_batch.yml b/rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets_batch.yml
@@ -1,7 +1,7 @@
 AnalysisType: rule
 Filename: aws_secretsmanager_retrieve_secrets_batch.py
 RuleID: "AWS.SecretsManager.BatchRetrieveSecrets"
-DisplayName: "EC2 Secrets Manager Batch Retrieve Secrets"
+DisplayName: "AWS Secrets Manager Batch Retrieve Secrets"
 Enabled: true
 LogTypes:
   - AWS.CloudTrail

diff --git a/rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets_catchall.py b/rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets_catchall.py
@@ -6,22 +6,21 @@ def rule(event):
         return False
 
     filters = event.deep_get("requestParameters", "filters", default=[])
-    for filter in filters:
-        if filter.get("key") != "tag-key":
+    for filt in filters:
+        if filt.get("key") != "tag-key":
             return False
-        if any(not value.startswith("!") for value in filter.get("values")):
+        if any(not value.startswith("!") for value in filt.get("values")):
             return False
 
     return True
 
 
-def dedup(event):
-    return event.deep_get("additionalEventData", "UserName", default="<NO_USER>")
-
-
 def title(event):
-    user = event.deep_get("additionalEventData", "UserName", default="<NO_USER>")
-    return f"[{user}] attempted to retrieve secrets from AWS Secrets Manager"
+    user = event.udm("actor_user")
+    return (
+        f"[{user}] attempted to batch retrieve secrets from "
+        "AWS Secrets Manager with a catch-all filter"
+    )
 
 
 def alert_context(event):

diff --git a/rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets_catchall.yml b/rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets_catchall.yml
@@ -1,7 +1,7 @@
 AnalysisType: rule
 Filename: aws_secretsmanager_retrieve_secrets_catchall.py
-RuleID: "AWS.SecretsManager.RetrieveSecrets"
-DisplayName: "EC2 Secrets Manager Retrieve Secrets"
+RuleID: "AWS.SecretsManager.BatchRetrieveSecretsCatchAll"
+DisplayName: "AWS Secrets Manager Batch Retrieve Secrets Catch-All"
 Enabled: true
 LogTypes:
   - AWS.CloudTrail

diff --git a/rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets_multiregion.py b/rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets_multiregion.py
@@ -1,29 +1,25 @@
 from panther_aws_helpers import aws_rule_context
-from panther_detection_helpers import add_to_string_set
+from panther_detection_helpers.caching import add_to_string_set
 
 RULE_ID = "AWS.SecretsManager.RetrieveSecretsMultiRegion"
 UNIQUE_REGION_THRESHOLD = 5
 WITHIN_TIMEFRAME_MINUTES = 10
 
 
 def rule(event):
-    if event.get("eventName") != "GetSecretValueBatch":
+    if event.get("eventName") != "BatchGetSecretValue":
         return False
-    user = event.deep_get("additionalEventData", "UserName", default="<NO_USER>")
+    user = event.udm("actor_user")
     key = f"{RULE_ID}-{user}"
     unique_regions = add_to_string_set(key, event.get("awsRegion"), WITHIN_TIMEFRAME_MINUTES * 60)
     if len(unique_regions) >= UNIQUE_REGION_THRESHOLD:
         return True
     return False
 
 
-def dedup(event):
-    return event.deep_get("additionalEventData", "UserName", default="<NO_USER>")
-
-
 def title(event):
-    user = event.deep_get("additionalEventData", "UserName", default="<NO_USER>")
-    return f"[{user}] attempted to retrieve secrets from AWS Secrets Manager"
+    user = event.udm("actor_user")
+    return f"[{user}] attempted to retrieve secrets from AWS Secrets Manager in multiple regions"
 
 
 def alert_context(event):

diff --git a/rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets_multiregion.yml b/rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets_multiregion.yml
@@ -0,0 +1,51 @@
+AnalysisType: rule
+Filename: aws_secretsmanager_retrieve_secrets_catchall.py
+RuleID: "AWS.SecretsManager.RetrieveSecretsMultiRegion"
+DisplayName: "AWS Secrets Manager Retrieve Secrets Multi-Region"
+Enabled: true
+LogTypes:
+  - AWS.CloudTrail
+Tags:
+  - AWS
+  - Credential Access
+  - Stratus Red Team
+Reports:
+  MITRE ATT&CK:
+    - TA0006:T1552 # Credentials from Password Stores 
+Severity: Medium
+Description: >
+  An attacker attempted to retrieve a high number of Secrets Manager secrets by batch, through secretsmanager:BatchGetSecretValue (released Novemeber 2023). 
+  An attacker may attempt to retrieve a high number of secrets by batch, to avoid detection and generate fewer calls. Note that the batch size is limited to 20 secrets.
+  This rule identifies BatchGetSecretValue events for multiple regions in a short period of time.
+Runbook: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html
+Reference: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/
+Threshold: 1
+DedupPeriodMinutes: 60
+SummaryAttributes:
+  - eventName
+  - userAgent
+  - sourceIpAddress
+  - recipientAccountId
+  - p_any_aws_arns
+Tests:
+  - Name: BatchGetSecretValue Catch-All
+    ExpectedResult: true
+    Log: {
+      "eventSource": "secretsmanager.amazonaws.com",
+      "eventName": "BatchGetSecretValue",
+      "requestParameters": {
+        "filters": [
+          {
+            "key": "tag-key",
+            "values": [
+              "!tagKeyThatWillNeverExist"
+            ]
+          }
+        ]
+      },
+      "responseElements": null,
+      "readOnly": true,
+      "eventType": "AwsApiCall",
+      "managementEvent": true,
+      "recipientAccountId": "012345678901"
+    }