| 1 | +[metadata] |
| 2 | +creation_date = "2024/12/02" |
| 3 | +integration = ["aws"] |
| 4 | +maturity = "production" |
| 5 | +min_stack_comments = "ES|QL available in technical preview." |
| 6 | +min_stack_version = "8.13.0" |
| 7 | +updated_date = "2024/12/02" |
| 8 | + |
| 9 | +[rule] |
| 10 | +author = ["Elastic"] |
| 11 | +description = """ |
| 12 | +Detects when an AWS IAM login profile is added to a root user account and is self-assigned. Adversaries, with temporary |
| 13 | +access to the root account, may add a login profile to the root user account to maintain access even if the original |
| 14 | +access key is rotated or disabled. |
| 15 | +""" |
| 16 | +from = "now-9m" |
| 17 | +language = "esql" |
| 18 | +license = "Elastic License v2" |
| 19 | +name = "AWS IAM Login Profile Added for Root" |
| 20 | +note = """ |
| 21 | +## Investigating AWS IAM Login Profile Added for Root |
| 22 | +
|
| 23 | +This rule detects when a login profile is added to the AWS root account. Adding a login profile to the root account, especially if self-assigned, is highly suspicious as it might indicate an adversary trying to establish persistence in the environment. |
| 24 | +
|
| 25 | +### Possible Investigation Steps |
| 26 | +
|
| 27 | +- **Identify the Source and Context of the Action**: |
| 28 | + - Examine the `source.address` field to identify the IP address from which the request originated. |
| 29 | + - Check the geographic location (`source.address`) to determine if the access is from an expected or unexpected region. |
| 30 | + - Look at the `user_agent.original` field to identify the tool or browser used for this action. |
| 31 | + - For example, a user agent like `Mozilla/5.0` might indicate interactive access, whereas `aws-cli` or SDKs suggest scripted activity. |
| 32 | +
|
| 33 | +- **Confirm Root User and Request Details**: |
| 34 | + - Validate the root user's identity through `aws.cloudtrail.user_identity.arn` and ensure this activity aligns with legitimate administrative actions. |
| 35 | + - Review `aws.cloudtrail.user_identity.access_key_id` to identify if the action was performed using temporary or permanent credentials. This access key could be used to pivot into other actions. |
| 36 | +
|
| 37 | +- **Analyze the Login Profile Creation**: |
| 38 | + - Review the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields for details of the created login profile. |
| 39 | + - For example, confirm the `userName` of the profile and whether `passwordResetRequired` is set to `true`. |
| 40 | + - Compare the `@timestamp` of this event with other recent actions by the root account to identify potential privilege escalation or abuse. |
| 41 | +
|
| 42 | +- **Correlate with Other Events**: |
| 43 | + - Investigate for related IAM activities, such as: |
| 44 | + - `CreateAccessKey` or `AttachUserPolicy` events targeting the root account. |
| 45 | + - Unusual data access, privilege escalation, or management console logins. |
| 46 | + - Check for any anomalies involving the same `source.address` or `aws.cloudtrail.user_identity.access_key_id` in the environment. |
| 47 | +
|
| 48 | +- **Evaluate Policy and Permissions**: |
| 49 | + - Verify the current security policies for the root account: |
| 50 | + - Ensure password policies enforce complexity and rotation requirements. |
| 51 | + - Check if MFA is enforced on the root account. |
| 52 | + - Assess the broader IAM configuration for deviations from least privilege principles. |
| 53 | +
|
| 54 | +### False Positive Analysis |
| 55 | +
|
| 56 | +- **Routine Administrative Tasks**: Adding a login profile might be a legitimate action during certain administrative processes. Verify with the relevant AWS administrators if this event aligns with routine account maintenance or emergency recovery scenarios. |
| 57 | +
|
| 58 | +- **Automation**: If the action is part of an approved automation process (e.g., account recovery workflows), consider excluding these activities from alerting using specific user agents, IP addresses, or session attributes. |
| 59 | +
|
| 60 | +### Response and Remediation |
| 61 | +
|
| 62 | +- **Immediate Access Review**: |
| 63 | + - Disable the newly created login profile (`aws iam delete-login-profile`) if it is determined to be unauthorized. |
| 64 | + - Rotate or disable the credentials associated with the root account to prevent further abuse. |
| 65 | +
|
| 66 | +- **Enhance Monitoring and Alerts**: |
| 67 | + - Enable real-time monitoring and alerting for IAM actions involving the root account. |
| 68 | + - Increase the logging verbosity for root account activities. |
| 69 | +
|
| 70 | +- **Review and Update Security Policies**: |
| 71 | + - Enforce MFA for all administrative actions, including root account usage. |
| 72 | + - Restrict programmatic access to the root account by disabling access keys unless absolutely necessary. |
| 73 | +
|
| 74 | +- **Conduct Post-Incident Analysis**: |
| 75 | + - Investigate how the credentials for the root account were compromised or misused. |
| 76 | + - Strengthen the security posture by implementing account-specific guardrails and continuous monitoring. |
| 77 | +
|
| 78 | +### Additional Resources |
| 79 | +
|
| 80 | +- AWS documentation on [Login Profile Management](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html). |
| 81 | +""" |
| 82 | +risk_score = 73 |
| 83 | +rule_id = "c04be7e0-b0fc-11ef-a826-f661ea17fbce" |
| 84 | +severity = "high" |
| 85 | +tags = [ |
| 86 | + "Domain: Cloud", |
| 87 | + "Data Source: AWS", |
| 88 | + "Data Source: Amazon Web Services", |
| 89 | + "Data Source: AWS IAM", |
| 90 | + "Use Case: Identity and Access Audit", |
| 91 | + "Tactic: Persistence", |
| 92 | + "Resources: Investigation Guide", |
| 93 | +] |
| 94 | +timestamp_override = "event.ingested" |
| 95 | +type = "esql" |
| 96 | + |
| 97 | +query = ''' |
| 98 | +from logs-aws.cloudtrail* metadata _id, _version, _index |
| 99 | +| where |
| 100 | + // filter for CloudTrail logs from IAM |
| 101 | + event.dataset == "aws.cloudtrail" |
| 102 | + and event.provider == "iam.amazonaws.com" |
| 103 | +
|
| 104 | + // filter for successful CreateLoginProfile API call |
| 105 | + and event.action == "CreateLoginProfile" |
| 106 | + and event.outcome == "success" |
| 107 | +
|
| 108 | + // filter for Root member account |
| 109 | + and aws.cloudtrail.user_identity.type == "Root" |
| 110 | +
|
| 111 | + // filter for an access key existing which sources from AssumeRoot |
| 112 | + and aws.cloudtrail.user_identity.access_key_id IS NOT NULL |
| 113 | +
|
| 114 | + // filter on the request parameters not including UserName which assumes self-assignment |
| 115 | + and NOT TO_LOWER(aws.cloudtrail.request_parameters) LIKE "*username*" |
| 116 | +| keep |
| 117 | + @timestamp, |
| 118 | + aws.cloudtrail.request_parameters, |
| 119 | + aws.cloudtrail.response_elements, |
| 120 | + aws.cloudtrail.user_identity.type, |
| 121 | + aws.cloudtrail.user_identity.arn, |
| 122 | + aws.cloudtrail.user_identity.access_key_id, |
| 123 | + cloud.account.id, |
| 124 | + event.action, |
| 125 | + source.address |
| 126 | +''' |
| 127 | + |
| 128 | + |
| 129 | +[[rule.threat]] |
| 130 | +framework = "MITRE ATT&CK" |
| 131 | +[[rule.threat.technique]] |
| 132 | +id = "T1078" |
| 133 | +name = "Valid Accounts" |
| 134 | +reference = "https://attack.mitre.org/techniques/T1078/" |
| 135 | +[[rule.threat.technique.subtechnique]] |
| 136 | +id = "T1078.004" |
| 137 | +name = "Cloud Accounts" |
| 138 | +reference = "https://attack.mitre.org/techniques/T1078/004/" |
| 139 | + |
| 140 | + |
| 141 | +[[rule.threat.technique]] |
| 142 | +id = "T1098" |
| 143 | +name = "Account Manipulation" |
| 144 | +reference = "https://attack.mitre.org/techniques/T1098/" |
| 145 | + |
| 146 | + |
| 147 | +[rule.threat.tactic] |
| 148 | +id = "TA0003" |
| 149 | +name = "Persistence" |
| 150 | +reference = "https://attack.mitre.org/tactics/TA0003/" |
| 151 | + |
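Review bot: The investigation guide at line 30 tells analysts to inspect `user_agent.original`, but the `keep` clause at lines 116–125 does not retain that column, so alerts produced by this ES|QL rule will not carry it and the step cannot be followed from the alert document alone. Changing the end of the `keep` list to `source.address,` followed by `user_agent.original` keeps the guide and the query consistent; the geographic check at line 29 is in the same position if it is meant to use `source.geo.*` rather than the bare address. Separately, the comment at line 111, `// filter for an access key existing which sources from AssumeRoot`, overstates what the predicate establishes: `access_key_id IS NOT NULL` only shows that the call was made with an access key, which as far as the visible query goes could be a long-lived root key as well as temporary credentials. A wording such as `// require an access key id so the call can be tied back to the credential that made it` would describe the filter more accurately.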