AWS Detect Users creating keys with encrypt policy without MFA

Original Source: [splunk source]
Name:AWS Detect Users creating keys with encrypt policy without MFA
id:c79c164f-4b21-4847-98f9-cf6a9f49179e
version:3
date:2024-09-30
author:Rod Soto, Patrick Bareiss Splunk
status:production
type:TTP
Description:The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities.
Data_source:
  • -AWS CloudTrail CreateKey
  • -AWS CloudTrail PutKeyPolicy
search:`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy
| spath input=requestParameters.policy output=key_policy_statements path=Statement{}
| mvexpand key_policy_statements
| spath input=key_policy_statements output=key_policy_action_1 path=Action
| spath input=key_policy_statements output=key_policy_action_2 path=Action{}
| eval key_policy_action=mvappend(key_policy_action_1, key_policy_action_2)
| spath input=key_policy_statements output=key_policy_principal path=Principal.AWS
| search key_policy_action="kms:Encrypt" AND key_policy_principal="*"
| stats count min(_time) as firstTime max(_time) as lastTime by eventName eventSource eventID awsRegion userIdentity.principalId user
| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`


how_to_implement:You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs
known_false_positives:unknown
References:
  -https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
  -https://github.com/d1vious/git-wild-hunt
  -https://www.youtube.com/watch?v=PgzNib37g0M
drilldown_searches:
name:'View the detection results for - "$user$"'
search:'%original_detection_search% | search user = "$user$"'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
name:'View risk events for the last 7 days for - "$user$"'
search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'Ransomware Cloud'
  asset_type:AWS Account
  confidence:50
  impact:50
  message:AWS account is potentially compromised and user $user$ is trying to compromise other accounts.
  mitre_attack_id:
    - 'T1486'
  observable:
    name:'user'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'eventName'
    - 'eventSource'
    - 'eventID'
    - 'awsRegion'
    - 'requestParameters.policy'
    - 'userIdentity.principalId'
  risk_score:25
  security_domain:threat

tests:
name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json
  sourcetype: aws:cloudtrail
  source: aws_cloudtrail
  update_timestamp: True
manual_test:None

Related Analytic Stories


Ransomware Cloud