<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Accessdenied - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/accessdenied/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/accessdenied/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS IAM AccessDenied Discovery Events</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-iam-accessdenied-discovery/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-iam-accessdenied-discovery/</guid><description>Detection of excessive AccessDenied events within an hour for AWS IAM users, indicating a potential compromised access key used for unauthorized discovery actions.</description><content:encoded><![CDATA[<p>This analytic focuses on identifying anomalous behavior within AWS environments where IAM users are generating a high number of AccessDenied errors. Specifically, it looks for a surge in these errors occurring within a one-hour window, originating from the same source IP and user identity. The underlying data source is AWS CloudTrail logs. This activity is potentially indicative of a compromised access key being leveraged to perform unauthorized discovery actions. Attackers may attempt to enumerate resources, policies, or other sensitive information within the AWS environment in order to escalate privileges or identify valuable targets for further exploitation. The detection logic aims to identify instances where the number of failures reaches a threshold that is unlikely to occur during normal operations. The Splunk AWS Add-on and Splunk App for AWS are required to ingest and parse the CloudTrail data.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to an AWS IAM access key, possibly through credential theft or exposed secrets.</li>
<li>The attacker uses the compromised access key to make API requests to AWS services.</li>
<li>The attacker attempts to enumerate AWS resources, such as EC2 instances, S3 buckets, or IAM roles, without having the necessary permissions.</li>
<li>AWS CloudTrail logs record the AccessDenied errors generated by the unauthorized API requests. The errors include information about the user, source IP, attempted actions, and AWS services.</li>
<li>The attacker iterates through different AWS API calls and resource types to map out the organization's cloud infrastructure and identify potential targets.</li>
<li>The detection identifies IAM users generating excessive AccessDenied errors from the same source IP address within an hour.</li>
<li>If successful, the attacker gains insights into the AWS environment, enabling them to identify misconfigurations, vulnerabilities, and potential targets for further exploitation.</li>
<li>The attacker uses gathered information to move laterally, escalate privileges, or exfiltrate data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack of this nature can result in significant data breaches, service disruptions, and financial losses. Attackers can leverage discovered vulnerabilities to compromise sensitive data stored in S3 buckets or other AWS services. Unauthorized access to IAM roles and policies could lead to privilege escalation and the ability to control critical infrastructure. The number of potential victims is vast, as many organizations rely on AWS for their cloud infrastructure. The targeted sectors are diverse, ranging from finance and healthcare to technology and government.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM and tune the <code>failures</code> threshold based on your environment's baseline activity to minimize false positives.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on identifying the root cause of the AccessDenied errors and whether the involved IAM user or access key has been compromised.</li>
<li>Enable and review AWS CloudTrail logs to capture all API activity within your AWS environment, as specified in the data source requirements.</li>
<li>Implement multi-factor authentication (MFA) for all IAM users to reduce the risk of credential compromise.</li>
<li>Utilize IAM roles with the principle of least privilege to minimize the impact of compromised access keys.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>cloudtrail</category><category>iam</category><category>accessdenied</category><category>discovery</category></item></channel></rss>