Name:ASL AWS Detect Users creating keys with encrypt policy without MFA id:16ae9076-d1d5-411c-8fdd-457504b33dac version:1 date:2024-12-16 author:Patrick Bareiss, Splunk status:production type:TTP Description:The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs from Amazon Security Lake to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities. Data_source:
-ASL AWS CloudTrail
search:`amazon_security_lake` api.operation=PutKeyPolicy OR api.operation=CreateKey | spath input=api.request.data path=policy output=policy | spath input=policy | rename Statement{}.Action as Action, Statement{}.Principal as Principal | eval Statement=mvzip(Action,Principal,"|") | mvexpand Statement | eval action=mvindex(split(Statement, "|"), 0) | eval principal=mvindex(split(Statement, "|"), 1) | search action=kms* | regex principal="\*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`
how_to_implement:The detection is based on Cloudtrail events from Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives:unknown References: -https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ -https://github.com/d1vious/git-wild-hunt -https://www.youtube.com/watch?v=PgzNib37g0M drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Ransomware Cloud' asset_type:AWS Account confidence:50 impact:50 message:AWS account is potentially compromised and user $user$ is trying to compromise other accounts. mitre_attack_id: - 'T1486' observable: name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - 'api.operation' - 'actor.user.uid' - 'actor.user.account.uid' - 'api.request.data' - 'http_request.user_agent' - 'src_endpoint.ip' - 'src_endpoint.domain' - 'cloud.region' risk_score:25 security_domain:threat
