<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Assumedrole - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/assumedrole/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/assumedrole/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cloud API Calls From Previously Unseen User Roles</title><link>https://feed.craftedsignal.io/briefs/2024-01-unseen-cloud-api/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-unseen-cloud-api/</guid><description>This analytic identifies anomalous cloud API calls executed by user roles that have not previously performed those commands, potentially indicating malicious activity or unauthorized actions leading to unauthorized access or data breaches.</description><content:encoded><![CDATA[<p>This detection analytic identifies anomalous cloud API calls executed by user roles that haven't previously run these commands. The analytic focuses on AWS CloudTrail logs and leverages the Splunk Change data model to identify commands executed by users with the <code>AssumedRole</code> user type and successful status. The initial baseline search <code>Previously Seen Cloud API Calls Per User Role - Initial</code> is used to establish a baseline of user roles, commands, and their initial timestamps. A secondary baseline search <code>Previously Seen Cloud API Calls Per User Role - Update</code> continuously updates the baseline data. The time window for evaluation is configurable through the <code>cloud_api_calls_from_previously_unseen_user_roles_activity_window</code> macro.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises an AWS account or gains access to credentials with <code>sts:AssumeRole</code> permissions.</li>
<li>The attacker assumes a role, typically one with broader permissions than their initially compromised account. This is logged as an <code>AssumeRole</code> event in CloudTrail.</li>
<li>The attacker executes a series of API calls using the assumed role.</li>
<li>The analytic detects these API calls and compares them against a baseline of previously seen API calls for the specific user role.</li>
<li>If an API call is identified as &quot;new&quot; (not present in the baseline or seen within the last 24 hours), the analytic triggers.</li>
<li>This &quot;new&quot; API call could be related to reconnaissance, privilege escalation, data exfiltration, or other malicious activities.</li>
<li>Successful exploitation can lead to unauthorized access to resources, data breaches, or other detrimental outcomes within the cloud environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of new or unmonitored commands within the cloud environment could lead to unauthorized access, data breaches, or other damaging outcomes. Since the ruleset relies on AWS CloudTrail data, the scope of impact is limited to AWS environments. The potential number of affected AWS instances and services varies depending on the permissions of the compromised role and the attacker's objectives.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ensure AWS CloudTrail logging is enabled and properly configured for all AWS accounts and regions.</li>
<li>Implement the baseline searches <code>Previously Seen Cloud API Calls Per User Role - Initial</code> and <code>Previously Seen Cloud API Calls Per User Role - Update</code> as described in the &quot;How To Implement&quot; section of the analytic.</li>
<li>Deploy the analytic &quot;Cloud API Calls From Previously Unseen User Roles&quot; in your Splunk environment.</li>
<li>Tune the <code>cloud_api_calls_from_previously_unseen_user_roles_activity_window</code> macro based on your environment's specific needs and acceptable thresholds.</li>
<li>Customize the <code>cloud_api_calls_from_previously_unseen_user_roles_filter</code> macro to exclude known-good API calls and reduce false positives.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>anomaly</category><category>assumedrole</category></item></channel></rss>