[Rule Tuning] Tuning AWS STS Temporary Credentials via AssumeRole (#4228)

* tuning 'AWS STS Temporary Credentials via AssumeRole'

* linted; adjusted OR in quer

* added investigation guide

* Update rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml

* Update rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml

Co-authored-by: Ruben Groenewoud <[email protected]>

* added new rule 'AWS STS Role Assumption by User'

* adjusted UUID

* Update rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml

---------

Co-authored-by: Ruben Groenewoud <[email protected]>
Co-authored-by: Isai <[email protected]>

(cherry picked from commit ef6344f)

Author: terrancedejesus

rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml

@@ -0,0 +1,144 @@
+[metadata]
+creation_date = "2021/05/17"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2024/11/05"
+
+[rule]
+author = ["Elastic", "Austin Songer"]
+description = """
+Identifies when a service has assumed a role in AWS Security Token Service (STS). Services can assume a role to obtain
+temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege
+escalation. This is a [New
+Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies
+when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS
+resources. While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or
+lateral movement within an AWS environment.
+"""
+false_positives = [
+    "AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes.",
+    "AWS services might assume roles to access AWS resources as part of their standard operations.",
+    "Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.",
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS STS Role Assumption by Service"
+note = """## Triage and Analysis
+
+### Investigating AWS STS Role Assumption by Service
+
+This rule identifies instances where AWS STS (Security Token Service) is used to assume a role, granting temporary credentials for AWS resource access. While this action is often legitimate, it can be exploited by adversaries to obtain unauthorized access, escalate privileges, or move laterally within an AWS environment.
+
+#### Possible Investigation Steps
+
+- **Identify the Actor and Assumed Role**:
+  - **User Identity**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` fields to determine who initiated the `AssumeRole` action.
+  - **Role Assumed**: Check the `aws.cloudtrail.flattened.request_parameters.roleArn` field to confirm the assumed role and ensure it aligns with expected responsibilities.
+  - **Session Name**: Observe the `aws.cloudtrail.flattened.request_parameters.roleSessionName` for context on the session's intended purpose, if available.
+
+- **Analyze the Role Session and Duration**:
+  - **Session Context**: Look at the `aws.cloudtrail.user_identity.session_context.creation_date` to understand when the session began and check if multi-factor authentication (MFA) was used, indicated by the `aws.cloudtrail.user_identity.session_context.mfa_authenticated` field.
+  - **Credential Validity**: Examine the `aws.cloudtrail.flattened.request_parameters.durationSeconds` for the credential's validity period.
+  - **Expiration Time**: Verify `aws.cloudtrail.flattened.response_elements.credentials.expiration` to determine when the credentials expire or expired.
+
+- **Inspect the User Agent for Tooling Identification**:
+  - **User Agent Details**: Review the `user_agent.original` field to identify the tool or SDK used for the role assumption. Indicators include:
+    - **AWS SDKs (e.g., Boto3)**: Often used in automated workflows or scripts.
+    - **AWS CLI**: Suggests command-line access, potentially indicating direct user interaction.
+    - **Custom Tooling**: Unusual user agents may signify custom or suspicious tools.
+  - **Source IP and Location**: Evaluate the `source.address` and `source.geo` fields to confirm if the access source aligns with typical access locations for your environment.
+
+- **Contextualize with Related Events**:
+  - **Review Event Patterns**: Check surrounding CloudTrail events to see if other actions coincide with this `AssumeRole` activity, such as attempts to access sensitive resources.
+  - **Identify High-Volume Exceptions**: Due to the potential volume of `AssumeRole` events, determine common, legitimate `roleArn` values or `user_agent` patterns, and consider adding these as exceptions to reduce noise.
+
+- **Evaluate the Privilege Level of the Assumed Role**:
+  - **Permissions**: Inspect permissions associated with the assumed role to understand its access level.
+  - **Authorized Usage**: Confirm whether the role is typically used for administrative purposes and if the assuming entity frequently accesses it as part of regular responsibilities.
+
+### False Positive Analysis
+
+- **Automated Workflows and Applications**: Many applications or scheduled tasks may assume roles for standard operations. Check user agents and ARNs for consistency with known workflows.
+- **Routine IAM Policy Actions**: Historical data may reveal if the same user or application assumes this specific role regularly as part of authorized operations.
+
+### Response and Remediation
+
+- **Revoke Unauthorized Sessions**: If unauthorized, consider revoking the session by adjusting IAM policies or permissions associated with the assumed role.
+- **Enhance Monitoring and Alerts**: Set up enhanced monitoring for high-risk roles, especially those with elevated privileges.
+- **Manage Exceptions**: Regularly review and manage high-frequency roles and user agent patterns, adding trusted ARNs and user agents to exception lists to minimize alert fatigue.
+- **Incident Response**: If malicious behavior is identified, follow incident response protocols, including containment, investigation, and remediation.
+
+### Additional Information
+
+For more information on managing and securing AWS STS, refer to the [AWS STS documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) and AWS security best practices.
+"""
+references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"]
+risk_score = 21
+rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS STS",
+    "Resources: Investigation Guide",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Privilege Escalation",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+    and event.provider: "sts.amazonaws.com"
+    and event.action: "AssumeRole"
+    and event.outcome: "success"
+    and aws.cloudtrail.user_identity.type: "AWSService"
+    and not aws.cloudtrail.user_identity.invoked_by: (
+              "config.amazonaws.com" or
+              "securityhub.amazonaws.com" or
+              "sso.amazonaws.com"
+            )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["aws.cloudtrail.resources.arn", "aws.cloudtrail.user_identity.invoked_by"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
+
+

rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml

@@ -0,0 +1,135 @@
+[metadata]
+creation_date = "2024/11/05"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2024/11/05"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a user or role has assumed a role in AWS Security Token Service (STS). Users can assume a role to obtain
+temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege
+escalation. This is a [New
+Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies
+when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS
+resources. While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or
+lateral movement within an AWS environment.
+"""
+false_positives = [
+    "AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes.",
+    "Applications integrated with AWS might assume roles to access AWS resources.",
+    "Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.",
+]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS STS Role Assumption by User"
+note = """## Triage and Analysis
+
+### Investigating AWS STS Role Assumption by User
+
+This rule detects when a user assumes a role in AWS Security Token Service (STS), receiving temporary credentials to access AWS resources. While often used for legitimate purposes, this action can be leveraged by adversaries to obtain unauthorized access, escalate privileges, or move laterally within an AWS environment.
+
+#### Possible Investigation Steps
+
+- **Identify the User and Assumed Role**:
+  - **User Identity**: Check `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` for details about the initiator of the `AssumeRole` action.
+  - **Role Assumed**: Review `aws.cloudtrail.flattened.request_parameters.roleArn` to confirm the role assumed and ensure it aligns with the user’s standard permissions.
+  - **Session Name**: Note `aws.cloudtrail.flattened.request_parameters.roleSessionName` for context on the purpose of the session.
+
+- **Evaluate Session Context and Credential Duration**:
+  - **Session Details**: Look into `aws.cloudtrail.user_identity.session_context.creation_date` for the start of the session and `aws.cloudtrail.user_identity.session_context.mfa_authenticated` to check for MFA usage.
+  - **Credential Validity**: Examine `aws.cloudtrail.flattened.request_parameters.durationSeconds` for how long the credentials are valid.
+  - **Expiration Time**: Use `aws.cloudtrail.flattened.response_elements.credentials.expiration` to confirm the credential expiration.
+
+- **Inspect User Agent and Source Information**:
+  - **User Agent**: Analyze the `user_agent.original` field to identify if specific tooling or SDKs like AWS CLI, Boto3, or custom agents were used.
+  - **Source IP and Geolocation**: Examine `source.address` and `source.geo` fields to determine the origin of the request, confirming if it aligns with expected locations.
+
+- **Correlate with Related Events**:
+  - **Identify Patterns**: Review related CloudTrail events for unusual access patterns, such as resource access or sensitive actions following this `AssumeRole` action.
+  - **Filter High-Volume Roles**: If this role or user has a high volume of access, evaluate `roleArn` or `user_agent` values for common patterns and add trusted entities as exceptions.
+
+- **Review the Privileges of the Assumed Role**:
+  - **Permissions**: Examine permissions associated with the `roleArn` to assess its access scope.
+  - **Authorized Usage**: Confirm if the role is used frequently for administrative purposes and if this aligns with the user’s regular responsibilities.
+
+### False Positive Analysis
+
+- **Automated Processes and Applications**: Applications or scheduled tasks may assume roles regularly for operational purposes. Validate the consistency of the `user_agent` or `roleArn` with known automated workflows.
+- **Standard IAM Policy Usage**: Confirm if the user or application routinely assumes this specific role for normal operations by reviewing historical activity.
+
+### Response and Remediation
+
+- **Terminate Unauthorized Sessions**: If the role assumption is deemed unauthorized, revoke the session by modifying IAM policies or the permissions associated with the assumed role.
+- **Strengthen Monitoring and Alerts**: Implement additional monitoring for specific high-risk roles, especially those with elevated permissions.
+- **Regularly Manage Exceptions**: Regularly review high-volume roles and user agent patterns to refine alerts, minimizing noise by adding trusted patterns as exceptions.
+- **Incident Response**: If confirmed as malicious, follow incident response protocols for containment, investigation, and remediation.
+
+### Additional Information
+
+For more details on managing and securing AWS STS in your environment, refer to the [AWS STS documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html).
+"""
+references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"]
+risk_score = 21
+rule_id = "288a198e-9b9b-11ef-a0a8-f661ea17fbcd"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS STS",
+    "Resources: Investigation Guide",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Privilege Escalation",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+    and event.provider: "sts.amazonaws.com"
+    and event.action: "AssumeRole"
+    and event.outcome: "success"
+    and aws.cloudtrail.user_identity.type: ("AssumedRole" or "IAMUser")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.name", "aws.cloudtrail.flattened.request_parameters.roleArn"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-10d"
+
+