-
Notifications
You must be signed in to change notification settings - Fork 395
/
Copy pathaws_createaccesskey.yml
47 lines (47 loc) · 2.17 KB
/
aws_createaccesskey.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
name: AWS CreateAccessKey
id: 2a9b80d3-6340-4345-11ad-212bf3d0d111
version: 8
date: '2025-02-10'
author: Bhavin Patel, Splunk
status: production
type: Hunting
description: The following analytic identifies the creation of AWS IAM access keys
by a user for another user, which can indicate privilege escalation. It leverages
AWS CloudTrail logs to detect instances where the user creating the access key is
different from the user for whom the key is created. This activity is significant
because unauthorized access key creation can allow attackers to establish persistence
or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized
access to AWS services, data exfiltration, and long-term persistence in the environment.
data_source:
- AWS CloudTrail CreateAccessKey
search: '`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
| search match=0
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime by signature dest user user_agent src vendor_account vendor_region vendor_product
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_createaccesskey_filter`'
how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This
search works with AWS CloudTrail logs.
known_false_positives: While this search has no known false positives, it is possible
that an AWS admin has legitimately created keys for another user.
references:
- https://bishopfox.com/blog/privilege-escalation-in-aws
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/
tags:
analytic_story:
- AWS IAM Privilege Escalation
asset_type: AWS Account
mitre_attack_id:
- T1136.003
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail