Merge branch 'main' into deprecatemac

DefSecSentinel · web-flow · commit 9fb2a374a779 · 2025-04-21T11:09:48.000-05:00
diff --git a/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml b/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml
@@ -0,0 +1,89 @@
+[metadata]
+creation_date = "2025/04/11"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2025/04/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the usage of the AWS CLI with a user agent string containing `distrib#kali`, which suggests the request
+was made from a Kali Linux distribution. This may indicate offensive security tooling or unauthorized use of the AWS CLI
+from a potentially adversarial environment.
+"""
+false_positives = [
+    """
+    While rare, legitimate users or red teamers may use Kali Linux for security assessments. Confirm the identity of the
+    user, their purpose, and whether the activity was authorized.
+    """,
+]
+from = "now-9m"
+index = ["logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS CLI with Kali Linux Fingerprint Identified"
+note = """## Triage and Analysis
+
+### Investigating AWS CLI with Kali Linux Fingerprint Identified
+
+The `user_agent.original` field in AWS CloudTrail logs reveals the operating system and toolchain used to make API calls. The substring `distrib#kali` strongly implies the use of Kali Linux, a common OS used by offensive security professionals and adversaries.
+
+#### Possible Investigation Steps
+
+- Identify the User: Check `user.name`, `user.arn`, and `aws.cloudtrail.user_identity.*` to determine which IAM identity was used.
+- Review Access Pattern: Correlate API calls from this user agent with sensitive actions such as `PutObject`, `CreateUser`, `AttachUserPolicy`, etc.
+- Investigate Source IP: Examine whether the request originated from an expected network or a suspicious VPN or cloud provider address.
+- Check for Initial Access: Look for session tokens being issued (e.g., `GetSessionToken`) or reused (`AssumeRole`) prior to this event.
+
+### False Positive Analysis
+
+- Rare but possible in security assessments or internal red teaming. Validate the action context (user, IP, time of day, etc).
+
+### Response and Remediation
+
+- Revoke Credentials: If unauthorized, revoke keys or sessions immediately.
+- Harden IAM Policies: Restrict sensitive IAM privileges, especially if used by CI/CD or automation roles.
+- Alert on Repeat Usage: Add recurring monitoring for suspicious user agents including `kali`, `curl`, or known toolkits.
+"""
+references = [
+    "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html",
+    "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/",
+]
+risk_score = 47
+rule_id = "f80ea920-f6f5-4c8a-9761-84ac97ec0cb2"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS CloudTrail",
+    "Tactic: Initial Access",
+    "Use Case: Cloud Threat Detection",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "aws.cloudtrail" and user_agent.original: (aws-cli*distrib#kali* or Boto3*distrib#kali*)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml b/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml
@@ -0,0 +1,92 @@
+[metadata]
+creation_date = "2025/04/11"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2025/04/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies attempts to register or enable an IAM Virtual MFA device using temporary credentials (access keys
+starting with 'ASIA'). This may indicate an adversary attempting to escalate privileges or establish persistence using
+stolen session tokens.
+"""
+false_positives = [
+    """
+    Legitimate users or automation tools may register MFA devices using temporary session credentials, especially in
+    CI/CD or administrative workflows. Validate the source IP, user agent, and context of the registration.
+    """,
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS IAM Virtual MFA Device Registration Attempt with Session Token"
+note = """## Triage and Analysis
+
+### Investigating AWS IAM Virtual MFA Device Registration Attempt with Session Token
+
+AWS temporary security credentials that begin with `ASIA` indicate they are session tokens. An attempt to create or enable a Virtual MFA device using such credentials is uncommon and may indicate malicious activity.
+
+#### Possible Investigation Steps
+
+- **Identify the User**: Check `user.name`, `user.arn`, and `aws.cloudtrail.user_identity.*` fields to determine which IAM entity made the request.
+- **Check for Prior Reconnaissance or Access**: Correlate this event with any prior calls to `GetSessionToken`, `GetCallerIdentity`, or `ListUsers` to see if an adversary was enumerating IAM users.
+- **Source Context**: Review `source.ip`, `user_agent`, and `event.origin` to determine whether this came from a legitimate device or a suspicious endpoint (e.g., Kali, Mythic, unknown VPN).
+- **Validate MFA Setup**: Look for follow-up attempts to call `sts:get-session-token` or `iam:EnableMFADevice` using this same session.
+
+### False Positive Analysis
+
+- This may occur if an admin or automation tool is legitimately setting up a new MFA device using temporary credentials.
+- Review the IP, agent, and context to differentiate expected automation from unauthorized access.
+
+### Response and Remediation
+
+- **Revoke Credentials**: If unauthorized, revoke the access keys or terminate the session.
+- **Reset MFA and Passwords**: Rotate credentials for the affected IAM user.
+- **Review IAM Policies**: Limit permissions to register MFA devices to trusted roles only.
+- **Enable CloudTrail Alerts**: Monitor IAM changes more broadly with CloudTrail-based alerts.
+"""
+references = ["https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"]
+risk_score = 47
+rule_id = "e4feea34-3b62-4c83-b77f-018fbef48c00"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS CloudTrail",
+    "Data Source: AWS IAM",
+    "Tactic: Persistence",
+    "Use Case: Identity and Access Audit",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+  and event.provider: "iam.amazonaws.com"
+  and event.action: ("CreateVirtualMFADevice" or "EnableMFADevice")
+  and aws.cloudtrail.user_identity.access_key_id: ASIA*
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.005"
+name = "Device Registration"
+reference = "https://attack.mitre.org/techniques/T1098/005/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
