
Description

This search looks for AWS CloudTrail events where a user A (victim A) creates a login profile for user B, followed by an AWS Console login event from user B originating from the same src_ip. This correlated event can be indicative of privilege escalation, since both events happened from the same src_ip.

  • Type: TTP
  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2021-07-19
  • Author: Bhavin Patel, Splunk
  • ID: 2a9b80d3-6340-4345-11ad-212bf444d111

ATT&CK

  ID         Technique       Tactic
  T1136.003  Cloud Account   Persistence
  T1136      Create Account  Persistence

Search

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`
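The same correlation carried out in Python over raw CloudTrail JSON records, as an added example that is not part of the Splunk content: it pairs each CreateLoginProfile with a ConsoleLogin by the newly profiled user from the same source address. The sample events are constructed; the `sourceIPAddress` field plays the role of the CIM `src_ip` field the search uses, and the requirement that the login occur after the profile creation is an assumption the SPL join does not enforce.

```python
import json
from datetime import datetime, timezone

# Constructed sample CloudTrail records (not real data): "alice" creates a login
# profile for "bob" from 203.0.113.10; "bob" then logs into the console from the
# same address. A later login from a different address serves as a control.
SAMPLE_EVENTS = [
    {"eventTime": "2021-07-19T10:00:00Z", "eventName": "CreateLoginProfile",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "alice", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2021-07-19T10:05:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "bob", "arn": "arn:aws:iam::111111111111:user/bob"}},
    {"eventTime": "2021-07-19T11:00:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "bob", "arn": "arn:aws:iam::111111111111:user/bob"}},
]


def _ts(event):
    """Parse the CloudTrail eventTime string into an aware UTC datetime."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate_login_profiles(events):
    """Return one finding per (CreateLoginProfile, ConsoleLogin) pair where the
    login is by the user named in requestParameters.userName, comes from the
    same source IP as the profile creation, and happens at or after it."""
    creations = [e for e in events if e.get("eventName") == "CreateLoginProfile"]
    logins = [e for e in events if e.get("eventName") == "ConsoleLogin"]
    findings = []
    for c in creations:
        target = c.get("requestParameters", {}).get("userName")
        src_ip = c.get("sourceIPAddress")
        actor_arn = c.get("userIdentity", {}).get("arn")
        for lg in logins:
            same_user = lg.get("userIdentity", {}).get("userName") == target
            same_ip = lg.get("sourceIPAddress") == src_ip
            if same_user and same_ip and _ts(lg) >= _ts(c):
                findings.append({
                    "user_arn": actor_arn, "new_login_profile": target, "src_ip": src_ip,
                    "firstTime": c["eventTime"], "lastTime": lg["eventTime"], "risk_score": 72.0,
                    "message": (f"User {actor_arn} is attempting to create a login profile for "
                                f"{target} and did a console login from this IP {src_ip}"),
                })
    return findings


if __name__ == "__main__":
    print(json.dumps(correlate_login_profiles(SAMPLE_EVENTS), indent=2))
```

Only the 10:05 login matches; the 11:00 login from 198.51.100.7 is dropped because the source address differs.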

Associated Analytic Story

How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.

Required field

  • _time
  • eventName
  • userAgent
  • errorCode
  • requestParameters.userName

Kill Chain Phase

  • Actions on Objectives

Known False Positives

While this search has no known false positives, it is possible that an AWS admin has legitimately created a login profile for another user.

RBA

  Risk Score  Impact  Confidence  Message
  72.0        90      80          User $user_arn$ is attempting to create a login profile for $requestParameters.userName$ and did a console login from this IP $src_ip$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 2