From 215d5a0861fed45224bbabc802ca9e214e6e207a Mon Sep 17 00:00:00 2001 From: Isai <59296946+imays11@users.noreply.github.com> Date: Fri, 5 Jul 2024 12:25:55 -0400 Subject: [PATCH] [New Rule] AWS S3 Object Encryption Using External KMS Key (#3861) * [New Rule] AWS S3 Object Encryption Using External KMS Key Identifies encryption events for S3 bucket objects using an AWS KMS key from an external account. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data. * Update impact_s3_object_encryption_with_external_key.toml * Update impact_s3_object_encryption_with_external_key.toml * missing coma after tag * missing backslash on technique reference --- ...3_object_encryption_with_external_key.toml | 113 ++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100644 rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml diff --git a/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml b/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml new file mode 100644 index 00000000000..501a306fcc6 --- /dev/null +++ b/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml 
@@ -0,0 +1,113 @@
+[metadata]
+creation_date = "2024/07/02"
+integration = ["aws"]
+maturity = "production"
+min_stack_comments = "ES|QL rule type in technical preview as of 8.13"
+min_stack_version = "8.13.0"
+updated_date = "2024/07/02"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies `CopyObject` events within an S3 bucket using an AWS KMS key from an external account for encryption. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data.
+"""
+false_positives = [
+ """
+ Administrators within an AWS Organization structure may legitimately encrypt bucket objects with a key from an account different from the target bucket. Ensure that this behavior is not part of a legitimate operation before taking action.
+ """,
+]
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "AWS S3 Object Encryption Using External KMS Key"
+note = """
+
+## Triage and Analysis
+
+### Investigating AWS S3 Object Encryption Using External KMS Key
+
+This rule detects the use of an external AWS KMS key to encrypt objects within an S3 bucket. Adversaries with access to a misconfigured S3 bucket may use an external key to copy objects within a bucket and deny victims the ability to access their own data.
+This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule) to look for use of the `CopyObject` operation where the target bucket's `cloud.account.id` is different from the `key.account.id` dissected from the AWS KMS key used for encryption.
+
+#### Possible Investigation Steps:
+
+- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.
+- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `CopyObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications or usage of an unknown KMS keyId.
+- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.
+- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the object was copied. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.
+- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.
+- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects including older object versions.
+- **Interview Relevant Personnel**: If the copy event was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing S3 buckets.
+
+### False Positive Analysis:
+
+- **Legitimate Administrative Actions**: Confirm if the `CopyObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.
+- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
+
+### Response and Remediation:
+
+- **Immediate Review**: If the activity was unauthorized, search for potential ransom note placed in S3 bucket and review the bucket's access logs for any suspicious activity.
+- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `CopyObject` actions, especially those involving sensitive data or unusual file extensions.
+- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.
+- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.
+- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.
+
+### Additional Information:
+
+For further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. Additionally, consult the following resources for specific details on S3 ransomware protection:
+- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)
+- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)
+"""
+references = [
+ "https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html/",
+ "https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html/",
+ "https://www.gem.security/post/cloud-ransomware-a-new-take-on-an-old-attack-pattern/",
+ "https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/",
+]
+risk_score = 47
+rule_id = "ab8f074c-5565-4bc4-991c-d49770e19fc9"
+setup = "AWS S3 data event types need to be enabled in the CloudTrail trail configuration."
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS S3",
+ "Data Source: AWS KMS",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws.cloudtrail-*
+
+// any successful copy event
+| where event.dataset == "aws.cloudtrail"
+ and event.provider == "s3.amazonaws.com"
+ and event.action == "CopyObject"
+ and event.outcome == "success"
+
+// abstract key account id, key id, encrypted object bucket name and object name
+| dissect aws.cloudtrail.request_parameters "{%{?bucketName}=%{target.bucketName},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{key.account.id}:%{?key}/%{keyId},%{?Host}=%{?tls.client.server_name},%{?x-amz-server-side-encryption}=%{?server-side-encryption},%{?x-amz-copy-source}=%{?bucket.objectName},%{?key}=%{target.objectName}}"
+
+// filter for s3 objects whose account id is different from the encryption key's account id
+// add exceptions based on key.account.id or keyId for known external accounts or encryption keys
+| where cloud.account.id != key.account.id
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1486"
+name = "Data Encrypted for Impact"
+reference = "https://attack.mitre.org/techniques/T1486/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
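Review bot: The `dissect` in the query is a positional match over the whole `aws.cloudtrail.request_parameters` string, so it only yields `key.account.id` when exactly those six parameters appear in exactly that order; a `CopyObject` carrying any additional parameter (`x-amz-metadata-directive`, `x-amz-acl`, `x-amz-tagging`, ...) or a different serialization order leaves `key.account.id` null, and the final `where cloud.account.id != key.account.id` then evaluates to null and silently drops the event — the rule fails toward missed alerts rather than noise. Since S3 requires a full key ARN for a cross-account KMS key, anchoring on that one parameter is enough: `| grok aws.cloudtrail.request_parameters "x-amz-server-side-encryption-aws-kms-key-id=arn:%{DATA}:kms:%{DATA}:%{NUMBER:key.account.id}:"` followed by `| where key.account.id is not null and cloud.account.id != key.account.id` would tolerate extra or reordered parameters. I have not verified the exact field order CloudTrail emits for this event, so confirm against captured `CopyObject` samples before changing the pattern. Separately, `PutObject` with the same header achieves the same impact and is presumably out of scope here by design; if so, a comment above the `event.action` filter saying why only `CopyObject` is covered would help the next maintainer.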