|
| 1 | +[metadata] |
| 2 | +creation_date = "2024/11/01" |
| 3 | +integration = ["aws"] |
| 4 | +maturity = "production" |
| 5 | +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" |
| 6 | +min_stack_version = "8.6.0" |
| 7 | +updated_date = "2024/11/01" |
| 8 | + |
| 9 | +[rule] |
| 10 | +author = ["Elastic"] |
| 11 | +description = """ |
| 12 | +Identifies when an AWS Systems Manager (SSM) command document is created by a user who does not typically perform this action. Adversaries may create SSM command documents to execute commands on managed instances, potentially leading to unauthorized access, command and control, data exfiltration and more. |
| 13 | +""" |
| 14 | +false_positives = [ |
| 15 | + """ |
| 16 | + Legitimate users may create SSM command documents for legitimate purposes. Ensure that the document is authorized and the user is known before taking action. |
| 17 | + """, |
| 18 | +] |
| 19 | +from = "now-9m" |
| 20 | +index = ["filebeat-*", "logs-aws.cloudtrail-*"] |
| 21 | +language = "kuery" |
| 22 | +license = "Elastic License v2" |
| 23 | +name = "AWS SSM Command Document Created by Rare User" |
| 24 | +references = [ |
| 25 | + "https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreateDocument.html" |
| 26 | +] |
| 27 | +risk_score = 21 |
| 28 | +rule_id = "50a2bdea-9876-11ef-89db-f661ea17fbcd" |
| 29 | +severity = "low" |
| 30 | +tags = [ |
| 31 | + "Domain: Cloud", |
| 32 | + "Data Source: AWS", |
| 33 | + "Data Source: Amazon Web Services", |
| 34 | + "Data Source: AWS SNS", |
| 35 | + "Data Source: AWS Systems Manager", |
| 36 | + "Use Case: Threat Detection", |
| 37 | + "Tactic: Execution" |
| 38 | +] |
| 39 | +timestamp_override = "event.ingested" |
| 40 | +type = "new_terms" |
| 41 | + |
| 42 | +query = ''' |
| 43 | +event.dataset: "aws.cloudtrail" |
| 44 | + and event.provider: "ssm.amazonaws.com" |
| 45 | + and event.action: "CreateDocument" |
| 46 | + and event.outcome: "success" |
| 47 | + and aws.cloudtrail.response_elements: *documentType=Command* |
| 48 | +''' |
| 49 | + |
| 50 | +[[rule.threat]] |
| 51 | +framework = "MITRE ATT&CK" |
| 52 | + |
| 53 | +[rule.threat.tactic] |
| 54 | +id = "TA0002" |
| 55 | +name = "Execution" |
| 56 | +reference = "https://attack.mitre.org/tactics/TA0002/" |
| 57 | + |
| 58 | +[rule.new_terms] |
| 59 | +field = "new_terms_fields" |
| 60 | +value = ["aws.cloudtrail.user_identity.arn"] |
| 61 | +[[rule.new_terms.history_window_start]] |
| 62 | +field = "history_window_start" |
| 63 | +value = "now-14d" |
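Review bot: The tag `"Data Source: AWS SNS"` (gutter line 34) does not fit this rule, whose query is scoped to `event.provider: "ssm.amazonaws.com"` and whose only data source is CloudTrail; it looks carried over from a sibling rule and would surface this rule under SNS filters in Kibana. Drop that element so the data-source tags read `"Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Systems Manager"`. Separately, `min_stack_comments` justifies the 8.6 floor by multiple-field support, yet `rule.new_terms.value` lists a single field, so either the comment or the version floor may be stale and is worth confirming. The file header for this section is outside the visible lines.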