From 148cb529bdcfdd2bb50ddcd173567c2371847d01 Mon Sep 17 00:00:00 2001
From: Ben Airey
Date: Mon, 20 Jan 2025 10:22:11 -0600
Subject: [PATCH 1/3] add rule: AWS.CloudTrail.AttemptToLeaveOrg

---
 .../aws_cloudtrail_attempt_to_leave_org.py | 26 ++++++
 .../aws_cloudtrail_attempt_to_leave_org.yml | 80 +++++++++++++++++++
 2 files changed, 106 insertions(+)
 create mode 100644 rules/aws_cloudtrail_rules/aws_cloudtrail_attempt_to_leave_org.py
 create mode 100644 rules/aws_cloudtrail_rules/aws_cloudtrail_attempt_to_leave_org.yml

diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_attempt_to_leave_org.py b/rules/aws_cloudtrail_rules/aws_cloudtrail_attempt_to_leave_org.py
new file mode 100644
index 000000000..a104708ef
--- /dev/null
+++ b/rules/aws_cloudtrail_rules/aws_cloudtrail_attempt_to_leave_org.py
@@ -0,0 +1,26 @@
+from panther_aws_helpers import aws_cloudtrail_success, aws_rule_context, lookup_aws_account_name
+from panther_core import PantherEvent
+
+
+def rule(event: PantherEvent) -> bool:
+    return event.get("eventName") == "LeaveOrganization"
+
+
+def title(event: PantherEvent) -> str:
+    account_name = lookup_aws_account_name(event.get("recipientAccountId"))
+    actor = event.udm("actor_user")
+    # Return a more informative message if the attempt was unsuccessful
+    if not aws_cloudtrail_success(event):
+        return f"Failed attempt to remove {account_name} from your AWS organization by {actor}"
+    return f"Account {account_name} has been removed from your AWS organization by {actor}"
+
+
+def severity(event: PantherEvent) -> str:
+    # Downgrade to HIGH if attempt is unsuccessful
+    if not aws_cloudtrail_success(event):
+        return "HIGH"
+    return "DEFAULT"
+
+
+def alert_context(event: PantherEvent) -> dict:
+    return aws_rule_context(event)
diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_attempt_to_leave_org.yml b/rules/aws_cloudtrail_rules/aws_cloudtrail_attempt_to_leave_org.yml
new file mode 100644
index 000000000..594e174cb
--- /dev/null
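Review bot: `rule()` keys only on `eventName`, so the detection is not scoped to the Organizations API; making the source explicit, `return event.get("eventSource") == "organizations.amazonaws.com" and event.get("eventName") == "LeaveOrganization"`, pins the match to the intended service and protects against a same-named operation elsewhere. No other CloudTrail source is known to emit `LeaveOrganization`, so this is defensive scoping rather than a known false positive. A one-line module docstring stating that both successful and denied attempts fire, with severity lowered for denied ones, would also help, since that behaviour is spread across `title()` and `severity()`.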
+++ b/rules/aws_cloudtrail_rules/aws_cloudtrail_attempt_to_leave_org.yml 
@@ -0,0 +1,80 @@ +AnalysisType: rule +Filename: aws_cloudtrail_attempt_to_leave_org.py +RuleID: "AWS.CloudTrail.AttemptToLeaveOrg" +DisplayName: AWS CloudTrail Attempt To Leave Org +Enabled: true +LogTypes: + - AWS.CloudTrail +Severity: Critical +Reports: + MITRE ATT&CK: + - TA0005:T1562.008 # Defense Evasion: Impair Defenses - Disable or Modify Cloud Logs + - TA0005:T1666 # Defense Evasion: Modify Cloud Resource Hierarchy +Description: > + Detects when an actor attempts to remove an AWS account from an Organization. Security + configurations are often defined at the organizational level. Leaving the organization can + disrupt or totally shut down these controls. +Reference: > + https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.organizations-leave/ +Runbook: > + Determine if the attempt was successful. Monitor and potentially suspect the user account which + attempted the action. Determine if the root account is compromised. +SummaryAttributes: + - p_any_ip_addresses + - p_any_aws_account_ids +Tags: + - AWS CloudTrail + - Defense Evasion + - Impair Defenses + - Disable or Modify Cloud Logs + - Modify Cloud Resource Hierarchy +Tests: + - Name: Failed Attempt to Leave Org + ExpectedResult: true + Log: + { + "p_event_time": "2025-01-20 15:59:33.000000000", + "p_log_type": "AWS.CloudTrail", + "p_parse_time": "2025-01-20 16:05:54.322564138", + "awsRegion": "us-east-1", + "errorCode": "AccessDenied", + "errorMessage": "User: arn:aws:sts::111122223333:assumed-role/SampleRole/SampleSession is not authorized to perform: organizations:LeaveOrganization on resource: * because no identity-based policy allows the organizations:LeaveOrganization action", + "eventCategory": "Management", + "eventID": "f52c1358-4ddb-4453-a676-3f4dbc64d713", + "eventName": "LeaveOrganization", + "eventSource": "organizations.amazonaws.com", + "eventTime": "2025-01-20 15:59:33.000000000", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + 
"readOnly": false, + "recipientAccountId": "111122223333", + "requestID": "67dce4b9-c7d1-4c91-a686-d34bbd5365eb", + "sourceIPAddress": "1.2.3.4", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "organizations.us-east-1.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "example-user-agent", + "userIdentity": { + "accessKeyId": "SAMPLE_ACCESS_KEY", + "accountId": "111122223333", + "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/SampleSession", + "principalId": "SAMPLE_PRINCIPAL_ID:SampleSession", + "sessionContext": { + "attributes": { + "creationDate": "2025-01-20T15:59:30Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "111122223333", + "arn": "arn:aws:iam::111122223333:role/SampleRole", + "principalId": "SAMPLE_PRINCIPAL_ID", + "type": "Role", + "userName": "SampleRole" + } + }, + "type": "AssumedRole" + } + } \ No newline at end of file From a2d32b8183d7edf0df8a01eb59f0c3de9d4de9cf Mon Sep 17 00:00:00 2001 
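Review bot: The only test is the `AccessDenied` fixture, so the success branch of `title()` and the default `Critical` severity are never exercised; a second test built from the same event with `errorCode` and `errorMessage` removed (e.g. `- Name: Successful Attempt to Leave Org` with `ExpectedResult: true`) would cover that path. The Runbook reads `potentially suspect the user account`; the intended word appears to be `suspend`. The rest of the hunk, including the MITRE mapping and summary attributes, looks consistent with the Python file.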
From: Ben Airey Date: Mon, 20 Jan 2025 13:55:19 -0600 Subject: [PATCH 2/3] add rule: AWS.CloudTrail.SES.SESEnumeration (and assoc. signals) --- ...dtrail_ses_check_identity_verifications.py | 12 +++ ...trail_ses_check_identity_verifications.yml | 71 ++++++++++++++ .../aws_cloudtrail_ses_check_send_quota.py | 12 +++ .../aws_cloudtrail_ses_check_send_quota.yml | 67 +++++++++++++ ...loudtrail_ses_check_ses_sending_enabled.py | 12 +++ ...oudtrail_ses_check_ses_sending_enabled.yml | 64 ++++++++++++ .../aws_cloudtrail_ses_enumeration.yml | 98 +++++++++++++++++++ .../aws_cloudtrail_ses_list_identities.py | 12 +++ .../aws_cloudtrail_ses_list_identities.yml | 65 ++++++++++++ 9 files changed, 413 insertions(+) create mode 100644 rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_identity_verifications.py create mode 100644 rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_identity_verifications.yml create mode 100644 rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_send_quota.py create mode 100644 rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_send_quota.yml create mode 100644 rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_ses_sending_enabled.py create mode 100644 rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_ses_sending_enabled.yml create mode 100644 rules/aws_cloudtrail_rules/aws_cloudtrail_ses_enumeration.yml create mode 100644 rules/aws_cloudtrail_rules/aws_cloudtrail_ses_list_identities.py create mode 100644 rules/aws_cloudtrail_rules/aws_cloudtrail_ses_list_identities.yml diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_identity_verifications.py b/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_identity_verifications.py new file mode 100644 index 000000000..26ad27d48 --- /dev/null +++ b/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_identity_verifications.py 
@@ -0,0 +1,12 @@
+from panther_aws_helpers import aws_rule_context
+from panther_core import PantherEvent
+
+
+def rule(event: PantherEvent) -> bool:
+    return event.get("eventName") == "GetIdentityVerificationAttributes"
+
+
+def alert_context(event: PantherEvent) -> dict:
+    context = aws_rule_context(event)
+    context["accountRegion"] = f"{event.get('recipientAccountId')}_{event.get('eventRegion')}"
+    return context
diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_identity_verifications.yml b/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_identity_verifications.yml
new file mode 100644
index 000000000..f1206b38b
--- /dev/null
+++ b/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_identity_verifications.yml
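Review bot: `alert_context()` reads `event.get('eventRegion')`, but CloudTrail carries the region in `awsRegion` (every test fixture in this series has `awsRegion` and none has `eventRegion`), so `accountRegion` will evaluate to `<account>_None` for every event; the line should be `context["accountRegion"] = f"{event.get('recipientAccountId')}_{event.get('awsRegion')}"`. The same line appears in aws_cloudtrail_ses_check_send_quota.py, aws_cloudtrail_ses_check_ses_sending_enabled.py and aws_cloudtrail_ses_list_identities.py. Because AWS.CloudTrail.SES.SESEnumeration correlates on `p_alert_context.accountRegion`, the region dimension collapses and calls spread across regions would correlate as if they were one region, which that rule's own `Region Mismatch` test says must not alert. Unless the Panther schema adds an `eventRegion` field I am not seeing, the signal tests pass only because they assert `rule()` and never inspect the context.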
@@ -0,0 +1,71 @@ +AnalysisType: rule +Filename: aws_cloudtrail_ses_check_identity_verifications.py +RuleID: "AWS.CloudTrail.SES.CheckIdentityVerifications" +DisplayName: AWS CloudTrail SES Check Identity Verifications +Enabled: true +LogTypes: + - AWS.CloudTrail +Severity: Info +CreateAlert: false +Reference: > + https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ses-enumerate/ +Tags: + - AWS CloudTrail +Tests: + - Name: GetIdentityVerificationStatus Event + ExpectedResult: true + Log: + { + "p_event_time": "2025-01-20 16:52:14.000000000", + "p_log_type": "AWS.CloudTrail", + "p_parse_time": "2025-01-20 17:00:54.142940079", + "additionalEventData": { + "SignatureVersion": "4" + }, + "awsRegion": "us-west-2", + "eventCategory": "Management", + "eventID": "05197e93-992f-4476-899a-a6f53c9a462c", + "eventName": "GetIdentityVerificationAttributes", + "eventSource": "ses.amazonaws.com", + "eventTime": "2025-01-20 16:52:14.000000000", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "111122223333", + "requestID": "e3b6e034-97ce-4d43-a7d2-1e718f3ebf32", + "requestParameters": { + "identities": [ + "acme.com", + "bobson.dugnutt@acme.com", + "sleve.mcdichael@yahoo.com", + ] + }, + "sourceIPAddress": "1.2.3.4", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "email.us-west-2.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "example-user-agent", + "userIdentity": { + "accessKeyId": "SAMPLE_ACCESS_KEY", + "accountId": "111122223333", + "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/bobson.dugnutt", + "principalId": "SAMPLE_PRINCIPAL_ID:bobson.dugnutt", + "sessionContext": { + "attributes": { + "creationDate": "2025-01-20T15:58:59Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "111122223333", + "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole", + 
"principalId": "SAMPLE_PRINCIPAL_ID", + "type": "Role", + "userName": "SampleRole" + } + }, + "type": "AssumedRole" + } + } \ No newline at end of file diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_send_quota.py b/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_send_quota.py new file mode 100644 index 000000000..0eb27aeb9 --- /dev/null +++ b/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_send_quota.py @@ -0,0 +1,12 @@ +from panther_aws_helpers import aws_rule_context +from panther_core import PantherEvent + + +def rule(event: PantherEvent) -> bool: + return event.get("eventName") == "GetSendQuota" + + +def alert_context(event: PantherEvent) -> dict: + context = aws_rule_context(event) + context["accountRegion"] = f"{event.get('recipientAccountId')}_{event.get('eventRegion')}" + return context diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_send_quota.yml b/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_send_quota.yml new file mode 100644 index 000000000..0cb747476 --- /dev/null +++ b/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_send_quota.yml 
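Review bot: This rule has no `Description`, while the sibling signals aws_cloudtrail_ses_check_send_quota.yml and aws_cloudtrail_ses_check_ses_sending_enabled.yml in the same patch carry one; a line such as `Description: >` followed by `Detect when someone checks the verification status of SES identities (domains or email addresses).` keeps the set consistent, and aws_cloudtrail_ses_list_identities.yml is missing one as well. The `Tags` list also lacks the `SES` tag the other three signals have. The test is named `GetIdentityVerificationStatus Event` but the fixture's `eventName` is `GetIdentityVerificationAttributes`; the name should match the API call it exercises.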
@@ -0,0 +1,67 @@ +AnalysisType: rule +Filename: aws_cloudtrail_ses_check_send_quota.py +RuleID: "AWS.CloudTrail.SES.CheckSendQuota" +DisplayName: AWS CloudTrail SES Check Send Quota +Enabled: true +LogTypes: + - AWS.CloudTrail +Severity: Info +CreateAlert: false +Description: > + Detect when someone checks how many emails can be delivered via SES +Reference: > + https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ses-enumerate/ +Tags: + - AWS CloudTrail + - SES +Tests: + - Name: GetSendQuota Event + ExpectedResult: true + Log: + { + "p_event_time": "2025-01-20 16:52:14.000000000", + "p_log_type": "AWS.CloudTrail", + "p_parse_time": "2025-01-20 17:00:54.217261818", + "additionalEventData": { + "SignatureVersion": "4" + }, + "awsRegion": "us-west-2", + "eventCategory": "Management", + "eventID": "141c7b0f-3ec3-40bd-b551-5a33d1a794b4", + "eventName": "GetSendQuota", + "eventSource": "ses.amazonaws.com", + "eventTime": "2025-01-20 16:52:14.000000000", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "111122223333", + "requestID": "6495a102-3900-47fc-a8b4-88e4b4e56442", + "sourceIPAddress": "1.2.3.4", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "email.us-west-2.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "example-user-agent", + "userIdentity": { + "accessKeyId": "SAMPLE_ACCESS_KEY", + "accountId": "111122223333", + "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/bobson.dugnutt", + "principalId": "SAMPLE_PRINCIPAL_ID:bobson.dugnutt", + "sessionContext": { + "attributes": { + "creationDate": "2025-01-20T15:58:59Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "111122223333", + "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole", + "principalId": "SAMPLE_PRINCIPAL_ID", + "type": "Role", + "userName": "SampleRole" + } + }, + "type": 
"AssumedRole" + } + } \ No newline at end of file diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_ses_sending_enabled.py b/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_ses_sending_enabled.py new file mode 100644 index 000000000..4e6cb1b1c --- /dev/null +++ b/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_ses_sending_enabled.py @@ -0,0 +1,12 @@ +from panther_aws_helpers import aws_rule_context +from panther_core import PantherEvent + + +def rule(event: PantherEvent) -> bool: + return event.get("eventName") == "GetAccountSendingEnabled" + + +def alert_context(event: PantherEvent) -> dict: + context = aws_rule_context(event) + context["accountRegion"] = f"{event.get('recipientAccountId')}_{event.get('eventRegion')}" + return context diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_ses_sending_enabled.yml b/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_ses_sending_enabled.yml new file mode 100644 index 000000000..048961685 --- /dev/null +++ b/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_ses_sending_enabled.yml 
@@ -0,0 +1,64 @@ +AnalysisType: rule +Filename: aws_cloudtrail_ses_check_ses_sending_enabled.py +RuleID: "AWS.CloudTrail.SES.CheckSESSendingEnabled" +DisplayName: AWS CloudTrail SES Check SES Sending Enabled +Enabled: true +LogTypes: + - AWS.CloudTrail +Severity: Info +CreateAlert: false +Description: > + Detect when a user inquires whether SES Sending is enabled. +Reference: > + https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ses-enumerate/ +Tags: + - AWS CloudTrail + - SES +Tests: + - Name: CheckSendingEnabled Event + ExpectedResult: true + Log: + { + "p_event_time": "2025-01-20 16:52:14.000000000", + "p_log_type": "AWS.CloudTrail", + "p_parse_time": "2025-01-20 17:00:54.143061055", + "awsRegion": "us-west-2", + "eventCategory": "Management", + "eventID": "910326f5-5c2c-49b4-a963-702280f29208", + "eventName": "GetAccountSendingEnabled", + "eventSource": "ses.amazonaws.com", + "eventTime": "2025-01-20 16:52:14.000000000", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "111122223333", + "requestID": "b88b794d-b419-47b0-9805-5af1de78a1e7", + "sourceIPAddress": "1.2.3.4", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "email.us-west-2.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "example-user-agent", + "userIdentity": { + "accessKeyId": "SAMPLE_ACCESS_KEY", + "accountId": "111122223333", + "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/bobson.dugnutt", + "principalId": "SAMPLE_PRINCIPAL_ID:bobson.dugnutt", + "sessionContext": { + "attributes": { + "creationDate": "2025-01-20T15:58:59Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "111122223333", + "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole", + "principalId": "SAMPLE_PRINCIPAL_ID", + "type": "Role", + "userName": "SampleRole" + } + }, + "type": "AssumedRole" + } + } \ No 
newline at end of file diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_enumeration.yml b/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_enumeration.yml new file mode 100644 index 000000000..03a54d825 --- /dev/null +++ b/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_enumeration.yml 
@@ -0,0 +1,98 @@ +AnalysisType: correlation_rule +RuleID: AWS.CloudTrail.SES.SESEnumeration +DisplayName: AWS CloudTrail SES Enumeration +Enabled: true +Severity: Medium +Detection: + - Group: + - ID: CheckSendingEnabled + RuleID: AWS.CloudTrail.SES.CheckSESSendingEnabled + - ID: CheckSendQuota + RuleID: AWS.CloudTrail.SES.CheckSendQuota + - ID: ListIdentities + RuleID: AWS.CloudTrail.SES.ListIdentities + - ID: CheckVerifications + RuleID: AWS.CloudTrail.SES.CheckIdentityVerifications + MatchCriteria: + accountRegion: + - GroupID: CheckSendingEnabled + Match: p_alert_context.accountRegion + - GroupID: CheckSendQuota + Match: p_alert_context.accountRegion + - GroupID: ListIdentities + Match: p_alert_context.accountRegion + - GroupID: CheckVerifications + Match: p_alert_context.accountRegion + LookbackWindowMinutes: 2160 + Schedule: + RateMinutes: 1440 + TimeoutMinutes: 2 +Reference: + https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ses-enumerate/ +Reports: + MITRE ATT&CK: + - TA0007:T1580 +SummaryAttributes: + - p_any_aws_arns + - p_any_ip_addresses + - p_any_emails + - p_any_actor_ids +Tags: + - AWS + - SES + - Discovery + - Cloud Service Discovery +Tests: + - Name: All Events Happen + ExpectedResult: true + RuleOutputs: + - ID: CheckSendingEnabled + Matches: + p_alert_context.accountRegion: + '111122223333_us-east-1': [0] + - ID: CheckSendQuota + Matches: + p_alert_context.accountRegion: + '111122223333_us-east-1': [1] + - ID: ListIdentities + Matches: + p_alert_context.accountRegion: + '111122223333_us-east-1': [2] + - ID: CheckVerifications + Matches: + p_alert_context.accountRegion: + '111122223333_us-east-1': [3] + - Name: Check Verification Step Missing + ExpectedResult: false + RuleOutputs: + - ID: CheckSendingEnabled + Matches: + p_alert_context.accountRegion: + '111122223333_us-east-1': [0] + - ID: CheckSendQuota + Matches: + p_alert_context.accountRegion: + '111122223333_us-east-1': [1] + - ID: ListIdentities + Matches: + 
p_alert_context.accountRegion: + '111122223333_us-east-1': [2] + - Name: Region Mismatch + ExpectedResult: false + RuleOutputs: + - ID: CheckSendingEnabled + Matches: + p_alert_context.accountRegion: + '111122223333_us-east-1': [0] + - ID: CheckSendQuota + Matches: + p_alert_context.accountRegion: + '111122223333_us-east-2': [1] + - ID: ListIdentities + Matches: + p_alert_context.accountRegion: + '111122223333_us-west-1': [2] + - ID: CheckVerifications + Matches: + p_alert_context.accountRegion: + '111122223333_us-west-2': [3] diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_list_identities.py b/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_list_identities.py new file mode 100644 index 000000000..e1af8d7bc --- /dev/null +++ b/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_list_identities.py @@ -0,0 +1,12 @@ +from panther_aws_helpers import aws_rule_context +from panther_core import PantherEvent + + +def rule(event: PantherEvent) -> bool: + return event.get("eventName") == "ListIdentities" + + +def alert_context(event: PantherEvent) -> dict: + context = aws_rule_context(event) + context["accountRegion"] = f"{event.get('recipientAccountId')}_{event.get('eventRegion')}" + return context diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_list_identities.yml b/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_list_identities.yml new file mode 100644 index 000000000..7193bae8f --- /dev/null +++ b/rules/aws_cloudtrail_rules/aws_cloudtrail_ses_list_identities.yml 
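Review bot: The correlation rule raises a Medium alert but carries no `Description` or `Runbook`, unlike AWS.CloudTrail.AttemptToLeaveOrg in the first patch; a short Description stating that all four SES read-only calls must be observed for the same account and region within the 2160-minute lookback, and a Runbook pointing the responder at the principal in `p_any_aws_arns` and the source IPs, would make the alert actionable. `Reference` is a plain scalar here while the other files use `>`; harmless, but inconsistent. The three tests document the all-four requirement and the region dimension well; a test with two accounts in the same region would pin the account dimension of `MatchCriteria` the same way `Region Mismatch` pins the region one.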
@@ -0,0 +1,65 @@ +AnalysisType: rule +Filename: aws_cloudtrail_ses_list_identities.py +RuleID: "AWS.CloudTrail.SES.ListIdentities" +DisplayName: AWS CloudTrail SES List Identities +Enabled: true +LogTypes: + - AWS.CloudTrail +Severity: Info +CreateAlert: false +Reference: > + https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ses-enumerate/ +Tags: + - AWS CloudTrail + - SES +Tests: + - Name: ListIdentities Event + ExpectedResult: true + Log: + { + "p_event_time": "2025-01-20 16:52:14.000000000", + "p_log_type": "AWS.CloudTrail", + "p_parse_time": "2025-01-20 17:00:54.217385551", + "additionalEventData": { + "SignatureVersion": "4" + }, + "awsRegion": "us-west-2", + "eventCategory": "Management", + "eventID": "7c41bbec-52c5-49cb-80aa-88f295d490fd", + "eventName": "ListIdentities", + "eventSource": "ses.amazonaws.com", + "eventTime": "2025-01-20 16:52:14.000000000", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "111122223333", + "requestID": "7bdf32e1-6e53-4752-b745-2cb37788a23c", + "sourceIPAddress": "1.2.3.4", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "email.us-west-2.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "example-user-agent", + "userIdentity": { + "accessKeyId": "SAMPLE_ACCESS_KEY", + "accountId": "111122223333", + "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/bobson.dugnutt", + "principalId": "SAMPLE_PRINCIPAL_ID:bobson.dugnutt", + "sessionContext": { + "attributes": { + "creationDate": "2025-01-20T15:58:59Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "111122223333", + "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole", + "principalId": "SAMPLE_PRINCIPAL_ID", + "type": "Role", + "userName": "SampleRole" + } + }, + "type": "AssumedRole" + } + } \ No newline at end of file 
From 1aa78ed6bc6f6f4c3de2bb83f5362822774cd9ad Mon Sep 17 00:00:00 2001 From: Ben Airey Date: Tue, 21 Jan 2025 14:47:34 -0600 Subject: [PATCH 3/3] update packs --- packs/aws.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/packs/aws.yml b/packs/aws.yml index 53b8a9962..e360a6a6f 100644 --- a/packs/aws.yml +++ b/packs/aws.yml @@ -142,10 +142,12 @@ PackDefinition: - AWS.WAF.WebACLHasAssociatedResources # Other rules - AWS.CloudTrail.Account.Discovery + - AWS.CloudTrail.AttemptToLeaveOrg - AWS.CloudTrail.CloudWatchLogs - AWS.CloudTrail.LogEncryption - AWS.CloudTrail.LogValidation - AWS.CloudTrail.S3Bucket.AccessLogging + - AWS.CloudTrail.SES.CheckIdentityVerifications - AWS.CMK.KeyRotation - AWS.DynamoDB.TableTTLEnabled - AWS.EC2.Vulnerable.XZ.Image.Launched @@ -174,6 +176,7 @@ PackDefinition: - VPCFlow.Port.Scanning # Correlation Rules - AWS.Privilege.Escalation.Via.User.Compromise + - AWS.CloudTrail.SES.SESEnumeration - AWS.SSO.Access.Token.Retrieved.by.Unauthenticated.IP - AWS.User.Takeover.Via.Password.Reset # Signal Rules @@ -182,6 +185,9 @@ PackDefinition: - AWS.CloudTrail.UserAccessKeyAuth - AWS.CloudTrail.LoginProfileCreatedOrModified - AWS.Console.Login + - AWS.CloudTrail.SES.CheckSESSendingEnabled + - AWS.CloudTrail.SES.CheckSendQuota + - AWS.CloudTrail.SES.ListIdentities - Retrieve.SSO.access.token - Sign-in.with.AWS.CLI.prompt # Queries
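Review bot: `AWS.CloudTrail.SES.CheckIdentityVerifications` is added under `# Other rules` in the first hunk while its three companion signals (`CheckSESSendingEnabled`, `CheckSendQuota`, `ListIdentities`) go under `# Signal Rules` in the third; since all four are `CreateAlert: false` signals feeding the same correlation rule, it belongs in the third hunk alongside them. The `# Correlation Rules` list appears to be alphabetical, so `AWS.CloudTrail.SES.SESEnumeration` would sit before `AWS.Privilege.Escalation.Via.User.Compromise` rather than after it.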