{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/accessdenied/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS IAM"],"_cs_severities":["medium"],"_cs_tags":["aws","cloudtrail","iam","accessdenied","discovery"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis analytic focuses on identifying anomalous behavior within AWS environments where IAM users are generating a high number of AccessDenied errors. Specifically, it looks for a surge in these errors occurring within a one-hour window, originating from the same source IP and user identity. The underlying data source is AWS CloudTrail logs. This activity is potentially indicative of a compromised access key being leveraged to perform unauthorized discovery actions. Attackers may attempt to enumerate resources, policies, or other sensitive information within the AWS environment in order to escalate privileges or identify valuable targets for further exploitation. The detection logic aims to identify instances where the number of failures reaches a threshold that is unlikely to occur during normal operations. The Splunk AWS Add-on and Splunk App for AWS are required to ingest and parse the CloudTrail data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to an AWS IAM access key, possibly through credential theft or exposed secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised access key to make API requests to AWS services.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enumerate AWS resources, such as EC2 instances, S3 buckets, or IAM roles, without having the necessary permissions.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs record the AccessDenied errors generated by the unauthorized API requests. The errors include information about the user, source IP, attempted actions, and AWS services.\u003c/li\u003e\n\u003cli\u003eThe attacker iterates through different AWS API calls and resource types to map out the organization's cloud infrastructure and identify potential targets.\u003c/li\u003e\n\u003cli\u003eThe detection identifies IAM users generating excessive AccessDenied errors from the same source IP address within an hour.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains insights into the AWS environment, enabling them to identify misconfigurations, vulnerabilities, and potential targets for further exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses gathered information to move laterally, escalate privileges, or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack of this nature can result in significant data breaches, service disruptions, and financial losses. Attackers can leverage discovered vulnerabilities to compromise sensitive data stored in S3 buckets or other AWS services. Unauthorized access to IAM roles and policies could lead to privilege escalation and the ability to control critical infrastructure. The number of potential victims is vast, as many organizations rely on AWS for their cloud infrastructure. The targeted sectors are diverse, ranging from finance and healthcare to technology and government.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune the \u003ccode\u003efailures\u003c/code\u003e threshold based on your environment's baseline activity to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the root cause of the AccessDenied errors and whether the involved IAM user or access key has been compromised.\u003c/li\u003e\n\u003cli\u003eEnable and review AWS CloudTrail logs to capture all API activity within your AWS environment, as specified in the data source requirements.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all IAM users to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eUtilize IAM roles with the principle of least privilege to minimize the impact of compromised access keys.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-iam-accessdenied-discovery/","summary":"Detection of excessive AccessDenied events within an hour for AWS IAM users, indicating a potential compromised access key used for unauthorized discovery actions.","title":"AWS IAM AccessDenied Discovery Events","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-iam-accessdenied-discovery/"}],"language":"en","title":"CraftedSignal Threat Feed - Accessdenied","version":"https://jsonfeed.org/version/1.1"}