| ID | Technique | Tactic |
|---|---|---|
| T1486 | Data Encrypted for Impact | Impact |
Detection: ASL AWS Detect Users creating keys with encrypt policy without MFA
Description
The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs from Amazon Security Lake to identify CreateKey or PutKeyPolicy events where the kms:Encrypt action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities.
Search
1`amazon_security_lake` api.operation=PutKeyPolicy OR api.operation=CreateKey
2| spath input=api.request.data path=policy output=policy
3| spath input=policy
4| rename Statement{}.Action as Action, Statement{}.Principal as Principal
5| eval Statement=mvzip(Action,Principal,"
6|")
7| mvexpand Statement
8| eval action=mvindex(split(Statement, "
9|"), 0)
10| eval principal=mvindex(split(Statement, "
11|"), 1)
12| search action=kms*
13| regex principal="\*"
14| fillnull
15| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data
16| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent
17| `security_content_ctime(firstTime)`
18| `security_content_ctime(lastTime)`
19|`asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| ASL AWS CloudTrail |  AWS |
'aws:asl' |
'aws_asl' |
Macros Used
| Name | Value |
|---|---|
| amazon_security_lake | sourcetype=aws:asl |
| asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter | search * |
asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Actions on Objectives
DE.CM
CIS 10
APT38
APT41
Akira
FIN7
FIN8
INC Ransom
Indrik Spider
Magic Hound
Moonstone Sleet
Sandworm Team
Scattered Spider
TA505
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
The detection is based on Cloudtrail events from Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
Known False Positives
unknown
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
AWS account is potentially compromised and user $user$ is trying to compromise other accounts
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| user | user | 25 | No Threat Objects |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | aws_asl |
aws:asl |
| Integration | ✅ Passing | Dataset | aws_asl |
aws:asl |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1