{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/assumedrole/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon Web Services"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","anomaly","assumedrole"],"_cs_type":"advisory","_cs_vendors":["Amazon Web Services"],"content_html":"\u003cp\u003eThis detection analytic identifies anomalous cloud API calls executed by user roles that haven't previously run these commands. The analytic focuses on AWS CloudTrail logs and leverages the Splunk Change data model to identify commands executed by users with the \u003ccode\u003eAssumedRole\u003c/code\u003e user type and successful status. The initial baseline search \u003ccode\u003ePreviously Seen Cloud API Calls Per User Role - Initial\u003c/code\u003e is used to establish a baseline of user roles, commands, and their initial timestamps. A secondary baseline search \u003ccode\u003ePreviously Seen Cloud API Calls Per User Role - Update\u003c/code\u003e continuously updates the baseline data. The time window for evaluation is configurable through the \u003ccode\u003ecloud_api_calls_from_previously_unseen_user_roles_activity_window\u003c/code\u003e macro.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises an AWS account or gains access to credentials with \u003ccode\u003ests:AssumeRole\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker assumes a role, typically one with broader permissions than their initially compromised account. This is logged as an \u003ccode\u003eAssumeRole\u003c/code\u003e event in CloudTrail.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a series of API calls using the assumed role.\u003c/li\u003e\n\u003cli\u003eThe analytic detects these API calls and compares them against a baseline of previously seen API calls for the specific user role.\u003c/li\u003e\n\u003cli\u003eIf an API call is identified as \u0026quot;new\u0026quot; (not present in the baseline or seen within the last 24 hours), the analytic triggers.\u003c/li\u003e\n\u003cli\u003eThis \u0026quot;new\u0026quot; API call could be related to reconnaissance, privilege escalation, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation can lead to unauthorized access to resources, data breaches, or other detrimental outcomes within the cloud environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of new or unmonitored commands within the cloud environment could lead to unauthorized access, data breaches, or other damaging outcomes. Since the ruleset relies on AWS CloudTrail data, the scope of impact is limited to AWS environments. The potential number of affected AWS instances and services varies depending on the permissions of the compromised role and the attacker's objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure AWS CloudTrail logging is enabled and properly configured for all AWS accounts and regions.\u003c/li\u003e\n\u003cli\u003eImplement the baseline searches \u003ccode\u003ePreviously Seen Cloud API Calls Per User Role - Initial\u003c/code\u003e and \u003ccode\u003ePreviously Seen Cloud API Calls Per User Role - Update\u003c/code\u003e as described in the \u0026quot;How To Implement\u0026quot; section of the analytic.\u003c/li\u003e\n\u003cli\u003eDeploy the analytic \u0026quot;Cloud API Calls From Previously Unseen User Roles\u0026quot; in your Splunk environment.\u003c/li\u003e\n\u003cli\u003eTune the \u003ccode\u003ecloud_api_calls_from_previously_unseen_user_roles_activity_window\u003c/code\u003e macro based on your environment's specific needs and acceptable thresholds.\u003c/li\u003e\n\u003cli\u003eCustomize the \u003ccode\u003ecloud_api_calls_from_previously_unseen_user_roles_filter\u003c/code\u003e macro to exclude known-good API calls and reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-unseen-cloud-api/","summary":"This analytic identifies anomalous cloud API calls executed by user roles that have not previously performed those commands, potentially indicating malicious activity or unauthorized actions leading to unauthorized access or data breaches.","title":"Cloud API Calls From Previously Unseen User Roles","url":"https://feed.craftedsignal.io/briefs/2024-01-unseen-cloud-api/"}],"language":"en","title":"CraftedSignal Threat Feed - Assumedrole","version":"https://jsonfeed.org/version/1.1"}