[New Rule] AWS EC2 Instance Console Login via Assumed Role #3922
Conversation
Rule: New - Guidelines
These guidelines serve as a reminder set of considerations when proposing a new rule.
* Documentation and Context
* Rule Metadata Checks
* New BBR Rules
* Testing and Validation
and event.action in ("ConsoleLogin", "GetSigninToken")
and event.outcome == "success"
No specific `event.provider`?
Will add it
Identifies a successful console login activity by an EC2 instance profile using an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern "i-" which is the beginning pattern for assumed role sessions started by an EC2 instance and a successful `ConsoleLogin` or `GetSigninToken` API call.
"""
false_positives = ["This is very uncommon behavior and should result in minimal false positives, ensure validity of the triggered event and include exceptions where necessary."]
from = "now-6m"
Any specific reason for 6m lookback window?
Since I left the `from` as default 5 min, this just provides an extra minute detection overlap.
Nice addition!
* [New Rule] AWS EC2 Instance Console Login via Assumed Role
* added reference for custom url creation
* added STS tag
* added event.provider to query
---------
Co-authored-by: Terrance DeJesus <99630311 [email protected]>
(cherry picked from commit 1b58d06)
* [New Rule] AWS EC2 Instance Console Login via Assumed Role
* added reference for custom url creation
* added STS tag
* added event.provider to query
---------
Co-authored-by: Terrance DeJesus <99630311 [email protected]>
Issue link(s):
Summary - What I changed
Identifies a successful console login activity by an EC2 instance profile using an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern "i-" which is the beginning pattern for assumed role sessions started by an EC2 instance and a successful `ConsoleLogin` or `GetSigninToken` API call.

--

I chose to use the `user.id` field over the `aws.cloudtrail.user_identity.arn` because this field is able to be ingested via telemetry as PII has been stripped, but the session name necessary to identify the identity as an EC2 instance is still included.

Checklist
`bug`, `enhancement`, `schema`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated
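The rule logic from this PR (the `event.provider`/`event.action`/`event.outcome` match plus the `user.id` session-name check) and the `from = "now-6m"` lookback discussed in the review, worked through as an added example over constructed ECS-style events; this is not code from the detection-rules repository. It assumes `event.provider` is `signin.amazonaws.com` and that `user.id` for an assumed role has the form `<role-id>:<session-name>`.

```python
from datetime import datetime, timedelta, timezone

# Constructed ECS-style sample events (not real CloudTrail data). user.id is
# assumed to carry the assumed-role session name after the last ":".
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T12:00:30Z", "event.provider": "signin.amazonaws.com",
     "event.action": "ConsoleLogin", "event.outcome": "success",
     "user.id": "AROAEXAMPLEID:i-0123456789abcdef0"},   # EC2 session name -> alert
    {"@timestamp": "2024-05-01T12:01:00Z", "event.provider": "signin.amazonaws.com",
     "event.action": "GetSigninToken", "event.outcome": "success",
     "user.id": "AROAEXAMPLEID:i-0fedcba9876543210"},   # federation token -> alert
    {"@timestamp": "2024-05-01T12:02:00Z", "event.provider": "signin.amazonaws.com",
     "event.action": "ConsoleLogin", "event.outcome": "success",
     "user.id": "AROAEXAMPLEID:alice@example.com"},      # human session name -> no alert
    {"@timestamp": "2024-05-01T12:03:00Z", "event.provider": "signin.amazonaws.com",
     "event.action": "ConsoleLogin", "event.outcome": "failure",
     "user.id": "AROAEXAMPLEID:i-0123456789abcdef0"},   # failed login -> no alert
    {"@timestamp": "2024-05-01T11:50:00Z", "event.provider": "signin.amazonaws.com",
     "event.action": "ConsoleLogin", "event.outcome": "success",
     "user.id": "AROAEXAMPLEID:i-0aaaaaaaaaaaaaaaa"},   # outside the 6 min window
]
# Constructed "now" used for the lookback window.
NOW = datetime(2024, 5, 1, 12, 5, tzinfo=timezone.utc)

def session_name(user_id):
    """Return the session-name part of an assumed-role user.id ('' if none)."""
    return user_id.rsplit(":", 1)[-1] if ":" in user_id else ""

def matches_rule(event):
    """Mirror the PR query: sign-in provider, console login/token, success, EC2 session."""
    return (event.get("event.provider") == "signin.amazonaws.com"   # assumed provider value
            and event.get("event.action") in ("ConsoleLogin", "GetSigninToken")
            and event.get("event.outcome") == "success"
            and session_name(event.get("user.id", "")).startswith("i-"))

def run_rule(events, now, lookback_minutes=6):
    """Apply the rule to events inside the from="now-6m" window; return matching user.ids."""
    start = now - timedelta(minutes=lookback_minutes)
    hits = []
    for e in events:
        ts = datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if start <= ts <= now and matches_rule(e):
            hits.append(e["user.id"])
    return hits

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS, NOW))
```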