AWS Detect Users creating keys with encrypt policy without MFA

Try in Splunk Security Cloud

Description

This search provides detection of KMS keys where action kms:Encrypt is accessible for everyone (also outside of your organization). This is an indicator that your account is compromised and the attacker uses the encryption key to compromise another company.

• Type: TTP

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2021-01-11
• Author: Rod Soto, Patrick Bareiss Splunk
• ID: c79c164f-4b21-4847-98f9-cf6a9f49179e

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1486	Data Encrypted for Impact	Impact

Kill Chain Phase

• Exploitation

NIST

CIS20

CVE

Search

`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy 
| spath input=requestParameters.policy output=key_policy_statements path=Statement{} 
| mvexpand key_policy_statements 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=key_policy_action_2 path=Action{} 
| eval key_policy_action=mvappend(key_policy_action_1, key_policy_action_2) 
| spath input=key_policy_statements output=key_policy_principal path=Principal.AWS 
| search key_policy_action="kms:Encrypt" AND key_policy_principal="*" 
| stats count min(_time) as firstTime max(_time) as lastTime by eventName eventSource eventID awsRegion userIdentity.principalId 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
|`aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`

Macros

The SPL above uses the following Macros:

• cloudtrail
• security_content_ctime

aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• eventName
• eventSource
• eventID
• awsRegion
• requestParameters.policy
• userIdentity.principalId

How To Implement

You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs

Known False Positives

unknown

Associated Analytic Story

• Ransomware Cloud

RBA

Risk Score	Impact	Confidence	Message
25.0	50	50	AWS account is potentially compromised and user $userIdentity.principalId$ is trying to compromise other accounts.

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
• https://github.com/d1vious/git-wild-hunt
• https://www.youtube.com/watch?v=PgzNib37g0M

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

• https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json

source | version: 1