panther-labs · ben-githubs · Jan 20, 2025 · Jan 20, 2025 · Jan 21, 2025
@@ -142,10 +142,12 @@ PackDefinition:
     - AWS.WAF.WebACLHasAssociatedResources
     # Other rules
     - AWS.CloudTrail.Account.Discovery
+    - AWS.CloudTrail.AttemptToLeaveOrg
     - AWS.CloudTrail.CloudWatchLogs
     - AWS.CloudTrail.LogEncryption
     - AWS.CloudTrail.LogValidation
     - AWS.CloudTrail.S3Bucket.AccessLogging
+    - AWS.CloudTrail.SES.CheckIdentityVerifications
     - AWS.CMK.KeyRotation
     - AWS.DynamoDB.TableTTLEnabled
     - AWS.EC2.Vulnerable.XZ.Image.Launched
@@ -174,6 +176,7 @@ PackDefinition:
     - VPCFlow.Port.Scanning
     # Correlation Rules
     - AWS.Privilege.Escalation.Via.User.Compromise
+    - AWS.CloudTrail.SES.SESEnumeration
     - AWS.SSO.Access.Token.Retrieved.by.Unauthenticated.IP
     - AWS.User.Takeover.Via.Password.Reset
     # Signal Rules
@@ -182,6 +185,9 @@ PackDefinition:
     - AWS.CloudTrail.UserAccessKeyAuth
     - AWS.CloudTrail.LoginProfileCreatedOrModified
     - AWS.Console.Login
+    - AWS.CloudTrail.SES.CheckSESSendingEnabled
+    - AWS.CloudTrail.SES.CheckSendQuota
+    - AWS.CloudTrail.SES.ListIdentities
     - Retrieve.SSO.access.token
     - Sign-in.with.AWS.CLI.prompt
     # Queries

@@ -0,0 +1,26 @@
+from panther_aws_helpers import aws_cloudtrail_success, aws_rule_context, lookup_aws_account_name
+from panther_core import PantherEvent
+
+
+def rule(event: PantherEvent) -> bool:
+    return event.get("eventName") == "LeaveOrganization"
+
+
+def title(event: PantherEvent) -> str:
+    account_name = lookup_aws_account_name(event.get("recipientAccountId"))
+    actor = event.udm("actor_user")
+    # Return a more informative message if the attempt was unsuccessful
+    if not aws_cloudtrail_success(event):
+        return f"Failed attempt to remove {account_name} from your AWS organization by {actor}"
+    return f"Account {account_name} has been removed from your AWS organization by {actor}"
+
+
+def severity(event: PantherEvent) -> str:
+    # Downgrade to HIGH if attempt is unsuccessful
+    if not aws_cloudtrail_success(event):
+        return "HIGH"
+    return "DEFAULT"
+
+
+def alert_context(event: PantherEvent) -> dict:
+    return aws_rule_context(event)
@@ -0,0 +1,80 @@
+AnalysisType: rule
+Filename: aws_cloudtrail_attempt_to_leave_org.py
+RuleID: "AWS.CloudTrail.AttemptToLeaveOrg"
+DisplayName: AWS CloudTrail Attempt To Leave Org
+Enabled: true
+LogTypes:
+  - AWS.CloudTrail
+Severity: Critical
+Reports:
+  MITRE ATT&CK:
+    - TA0005:T1562.008 # Defense Evasion: Impair Defenses - Disable or Modify Cloud Logs
+    - TA0005:T1666 # Defense Evasion: Modify Cloud Resource Hierarchy
+Description: >
+  Detects when an actor attempts to remove an AWS account from an Organization. Security
+  configurations are often defined at the organizational level. Leaving the organization can
+  disrupt or totally shut down these controls.
+Reference: >
+  https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.organizations-leave/
+Runbook: >
+  Determine if the attempt was successful. Monitor and potentially suspect the user account which 
+  attempted the action. Determine if the root account is compromised.
+SummaryAttributes:
+  - p_any_ip_addresses
+  - p_any_aws_account_ids
+Tags:
+  - AWS CloudTrail
+  - Defense Evasion
+  - Impair Defenses
+  - Disable or Modify Cloud Logs
+  - Modify Cloud Resource Hierarchy
+Tests:
+  - Name: Failed Attempt to Leave Org
+    ExpectedResult: true
+    Log:
+      {
+        "p_event_time": "2025-01-20 15:59:33.000000000",
+        "p_log_type": "AWS.CloudTrail",
+        "p_parse_time": "2025-01-20 16:05:54.322564138",
+        "awsRegion": "us-east-1",
+        "errorCode": "AccessDenied",
+        "errorMessage": "User: arn:aws:sts::111122223333:assumed-role/SampleRole/SampleSession is not authorized to perform: organizations:LeaveOrganization on resource: * because no identity-based policy allows the organizations:LeaveOrganization action",
+        "eventCategory": "Management",
+        "eventID": "f52c1358-4ddb-4453-a676-3f4dbc64d713",
+        "eventName": "LeaveOrganization",
+        "eventSource": "organizations.amazonaws.com",
+        "eventTime": "2025-01-20 15:59:33.000000000",
+        "eventType": "AwsApiCall",
+        "eventVersion": "1.09",
+        "managementEvent": true,
+        "readOnly": false,
+        "recipientAccountId": "111122223333",
+        "requestID": "67dce4b9-c7d1-4c91-a686-d34bbd5365eb",
+        "sourceIPAddress": "1.2.3.4",
+        "tlsDetails": {
+          "cipherSuite": "TLS_AES_128_GCM_SHA256",
+          "clientProvidedHostHeader": "organizations.us-east-1.amazonaws.com",
+          "tlsVersion": "TLSv1.3"
+        },
+        "userAgent": "example-user-agent",
+        "userIdentity": {
+          "accessKeyId": "SAMPLE_ACCESS_KEY",
+          "accountId": "111122223333",
+          "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/SampleSession",
+          "principalId": "SAMPLE_PRINCIPAL_ID:SampleSession",
+          "sessionContext": {
+            "attributes": {
+              "creationDate": "2025-01-20T15:59:30Z",
+              "mfaAuthenticated": "false"
+            },
+            "sessionIssuer": {
+              "accountId": "111122223333",
+              "arn": "arn:aws:iam::111122223333:role/SampleRole",
+              "principalId": "SAMPLE_PRINCIPAL_ID",
+              "type": "Role",
+              "userName": "SampleRole"
+            }
+          },
+          "type": "AssumedRole"
+        }
+      }
@@ -0,0 +1,12 @@
+from panther_aws_helpers import aws_rule_context
+from panther_core import PantherEvent
+
+
+def rule(event: PantherEvent) -> bool:
+    return event.get("eventName") == "GetIdentityVerificationAttributes"
+
+
+def alert_context(event: PantherEvent) -> dict:
+    context = aws_rule_context(event)
+    context["accountRegion"] = f"{event.get('recipientAccountId')}_{event.get('eventRegion')}"
+    return context
@@ -0,0 +1,71 @@
+AnalysisType: rule
+Filename: aws_cloudtrail_ses_check_identity_verifications.py
+RuleID: "AWS.CloudTrail.SES.CheckIdentityVerifications"
+DisplayName: AWS CloudTrail SES Check Identity Verifications
+Enabled: true
+LogTypes:
+  - AWS.CloudTrail
+Severity: Info
+CreateAlert: false
+Reference: >
+  https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ses-enumerate/
+Tags:
+  - AWS CloudTrail
+Tests:
+  - Name: GetIdentityVerificationStatus Event
+    ExpectedResult: true
+    Log:
+      {
+        "p_event_time": "2025-01-20 16:52:14.000000000",
+        "p_log_type": "AWS.CloudTrail",
+        "p_parse_time": "2025-01-20 17:00:54.142940079",
+        "additionalEventData": {
+          "SignatureVersion": "4"
+        },
+        "awsRegion": "us-west-2",
+        "eventCategory": "Management",
+        "eventID": "05197e93-992f-4476-899a-a6f53c9a462c",
+        "eventName": "GetIdentityVerificationAttributes",
+        "eventSource": "ses.amazonaws.com",
+        "eventTime": "2025-01-20 16:52:14.000000000",
+        "eventType": "AwsApiCall",
+        "eventVersion": "1.08",
+        "managementEvent": true,
+        "readOnly": true,
+        "recipientAccountId": "111122223333",
+        "requestID": "e3b6e034-97ce-4d43-a7d2-1e718f3ebf32",
+        "requestParameters": {
+          "identities": [
+            "acme.com",
+            "[email protected]",
+            "[email protected]",
+          ]
+        },
+        "sourceIPAddress": "1.2.3.4",
+        "tlsDetails": {
+          "cipherSuite": "TLS_AES_128_GCM_SHA256",
+          "clientProvidedHostHeader": "email.us-west-2.amazonaws.com",
+          "tlsVersion": "TLSv1.3"
+        },
+        "userAgent": "example-user-agent",
+        "userIdentity": {
+          "accessKeyId": "SAMPLE_ACCESS_KEY",
+          "accountId": "111122223333",
+          "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/bobson.dugnutt",
+          "principalId": "SAMPLE_PRINCIPAL_ID:bobson.dugnutt",
+          "sessionContext": {
+            "attributes": {
+              "creationDate": "2025-01-20T15:58:59Z",
+              "mfaAuthenticated": "false"
+            },
+            "sessionIssuer": {
+              "accountId": "111122223333",
+              "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole",
+              "principalId": "SAMPLE_PRINCIPAL_ID",
+              "type": "Role",
+              "userName": "SampleRole"
+            }
+          },
+          "type": "AssumedRole"
+        }
+      }
@@ -0,0 +1,12 @@
+from panther_aws_helpers import aws_rule_context
+from panther_core import PantherEvent
+
+
+def rule(event: PantherEvent) -> bool:
+    return event.get("eventName") == "GetSendQuota"
+
+
+def alert_context(event: PantherEvent) -> dict:
+    context = aws_rule_context(event)
+    context["accountRegion"] = f"{event.get('recipientAccountId')}_{event.get('eventRegion')}"
+    return context
@@ -0,0 +1,67 @@
+AnalysisType: rule
+Filename: aws_cloudtrail_ses_check_send_quota.py
+RuleID: "AWS.CloudTrail.SES.CheckSendQuota"
+DisplayName: AWS CloudTrail SES Check Send Quota
+Enabled: true
+LogTypes:
+  - AWS.CloudTrail
+Severity: Info
+CreateAlert: false
+Description: >
+  Detect when someone checks how many emails can be delivered via SES 
+Reference: >
+  https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ses-enumerate/
+Tags:
+  - AWS CloudTrail
+  - SES
+Tests:
+  - Name: GetSendQuota Event
+    ExpectedResult: true
+    Log:
+      {
+        "p_event_time": "2025-01-20 16:52:14.000000000",
+        "p_log_type": "AWS.CloudTrail",
+        "p_parse_time": "2025-01-20 17:00:54.217261818",
+        "additionalEventData": {
+          "SignatureVersion": "4"
+        },
+        "awsRegion": "us-west-2",
+        "eventCategory": "Management",
+        "eventID": "141c7b0f-3ec3-40bd-b551-5a33d1a794b4",
+        "eventName": "GetSendQuota",
+        "eventSource": "ses.amazonaws.com",
+        "eventTime": "2025-01-20 16:52:14.000000000",
+        "eventType": "AwsApiCall",
+        "eventVersion": "1.08",
+        "managementEvent": true,
+        "readOnly": true,
+        "recipientAccountId": "111122223333",
+        "requestID": "6495a102-3900-47fc-a8b4-88e4b4e56442",
+        "sourceIPAddress": "1.2.3.4",
+        "tlsDetails": {
+          "cipherSuite": "TLS_AES_128_GCM_SHA256",
+          "clientProvidedHostHeader": "email.us-west-2.amazonaws.com",
+          "tlsVersion": "TLSv1.3"
+        },
+        "userAgent": "example-user-agent",
+        "userIdentity": {
+          "accessKeyId": "SAMPLE_ACCESS_KEY",
+          "accountId": "111122223333",
+          "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/bobson.dugnutt",
+          "principalId": "SAMPLE_PRINCIPAL_ID:bobson.dugnutt",
+          "sessionContext": {
+            "attributes": {
+              "creationDate": "2025-01-20T15:58:59Z",
+              "mfaAuthenticated": "false"
+            },
+            "sessionIssuer": {
+              "accountId": "111122223333",
+              "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole",
+              "principalId": "SAMPLE_PRINCIPAL_ID",
+              "type": "Role",
+              "userName": "SampleRole"
+            }
+          },
+          "type": "AssumedRole"
+        }
+      }
@@ -0,0 +1,12 @@
+from panther_aws_helpers import aws_rule_context
+from panther_core import PantherEvent
+
+
+def rule(event: PantherEvent) -> bool:
+    return event.get("eventName") == "GetAccountSendingEnabled"
+
+
+def alert_context(event: PantherEvent) -> dict:
+    context = aws_rule_context(event)
+    context["accountRegion"] = f"{event.get('recipientAccountId')}_{event.get('eventRegion')}"
+    return context
@@ -0,0 +1,64 @@
+AnalysisType: rule
+Filename: aws_cloudtrail_ses_check_ses_sending_enabled.py
+RuleID: "AWS.CloudTrail.SES.CheckSESSendingEnabled"
+DisplayName: AWS CloudTrail SES Check SES Sending Enabled
+Enabled: true
+LogTypes:
+  - AWS.CloudTrail
+Severity: Info
+CreateAlert: false
+Description: >
+  Detect when a user inquires whether SES Sending is enabled.
+Reference: >
+  https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ses-enumerate/
+Tags:
+  - AWS CloudTrail
+  - SES
+Tests:
+  - Name: CheckSendingEnabled Event
+    ExpectedResult: true
+    Log:
+      {
+        "p_event_time": "2025-01-20 16:52:14.000000000",
+        "p_log_type": "AWS.CloudTrail",
+        "p_parse_time": "2025-01-20 17:00:54.143061055",
+        "awsRegion": "us-west-2",
+        "eventCategory": "Management",
+        "eventID": "910326f5-5c2c-49b4-a963-702280f29208",
+        "eventName": "GetAccountSendingEnabled",
+        "eventSource": "ses.amazonaws.com",
+        "eventTime": "2025-01-20 16:52:14.000000000",
+        "eventType": "AwsApiCall",
+        "eventVersion": "1.08",
+        "managementEvent": true,
+        "readOnly": true,
+        "recipientAccountId": "111122223333",
+        "requestID": "b88b794d-b419-47b0-9805-5af1de78a1e7",
+        "sourceIPAddress": "1.2.3.4",
+        "tlsDetails": {
+          "cipherSuite": "TLS_AES_128_GCM_SHA256",
+          "clientProvidedHostHeader": "email.us-west-2.amazonaws.com",
+          "tlsVersion": "TLSv1.3"
+        },
+        "userAgent": "example-user-agent",
+        "userIdentity": {
+          "accessKeyId": "SAMPLE_ACCESS_KEY",
+          "accountId": "111122223333",
+          "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/bobson.dugnutt",
+          "principalId": "SAMPLE_PRINCIPAL_ID:bobson.dugnutt",
+          "sessionContext": {
+            "attributes": {
+              "creationDate": "2025-01-20T15:58:59Z",
+              "mfaAuthenticated": "false"
+            },
+            "sessionIssuer": {
+              "accountId": "111122223333",
+              "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole",
+              "principalId": "SAMPLE_PRINCIPAL_ID",
+              "type": "Role",
+              "userName": "SampleRole"
+            }
+          },
+          "type": "AssumedRole"
+        }
+      }