{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/secrets-manager/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Secrets Manager"],"_cs_severities":["medium"],"_cs_tags":["aws","credential-access","secrets-manager"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection identifies rapid secret retrieval activity from AWS Secrets Manager, specifically when a single user identity retrieves 20 or more unique secrets within a short timeframe using the \u003ccode\u003eGetSecretValue\u003c/code\u003e API. This behavior is indicative of potential credential compromise, where an adversary may attempt to enumerate and exfiltrate secrets in bulk to escalate privileges, move laterally, or establish persistence. While legitimate application initialization or CI/CD pipelines may involve retrieving multiple secrets, such activity typically originates from known service roles, expected source IP ranges, or specific application identities. This detection helps security teams identify and respond to potential unauthorized access to sensitive credentials stored in AWS Secrets Manager.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary compromises AWS credentials, such as an IAM user, instance role, or temporary credentials.\u003c/li\u003e\n\u003cli\u003eThe adversary uses the compromised credentials to authenticate to the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe adversary leverages the \u003ccode\u003eGetSecretValue\u003c/code\u003e API of AWS Secrets Manager to request multiple secrets.\u003c/li\u003e\n\u003cli\u003eThe adversary iterates through different \u003ccode\u003eSecretId\u003c/code\u003e values within the API requests to retrieve unique secrets.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs each successful \u003ccode\u003eGetSecretValue\u003c/code\u003e API call, recording the user identity, source IP, and requested \u003ccode\u003eSecretId\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies user identities that retrieve 20 or more unique secrets within the defined time window (6 minutes).\u003c/li\u003e\n\u003cli\u003eThe adversary gains access to sensitive information, such as database passwords, API keys, or OAuth tokens.\u003c/li\u003e\n\u003cli\u003eThe adversary uses the retrieved secrets to escalate privileges, move laterally, or establish persistence within the AWS environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data stored within AWS Secrets Manager, including database passwords, API keys, and other credentials. This may enable attackers to compromise other systems and resources within the AWS environment, leading to data breaches, service disruptions, or other security incidents. If successful, an attacker can move laterally within the cloud infrastructure and gain a foothold to further compromise cloud assets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to your SIEM to detect rapid secret retrieval attempts from AWS Secrets Manager and tune the threshold for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate and validate any alerts generated by the Sigma rule, focusing on identifying the source of the activity and the secrets that were accessed.\u003c/li\u003e\n\u003cli\u003eRestrict permissions to Secrets Manager following the principle of least privilege to minimize the impact of compromised credentials.\u003c/li\u003e\n\u003cli\u003eRotate all accessed secrets and update dependent systems if unauthorized access is confirmed.\u003c/li\u003e\n\u003cli\u003eReview CloudTrail logs for any suspicious follow-on activity using the retrieved secrets.\u003c/li\u003e\n\u003cli\u003eImplement exceptions based on known service roles, expected source IP ranges, or specific application identities tied to secret orchestration to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-18T12:00:00Z","date_published":"2024-10-18T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-10-aws-secrets-rapid-retrieval/","summary":"Compromised AWS credentials may be used to rapidly retrieve multiple secrets from AWS Secrets Manager in order to escalate privileges or move laterally within the environment.","title":"AWS Secrets Manager Rapid Secrets Retrieval Attempts","url":"https://feed.craftedsignal.io/briefs/2024-10-aws-secrets-rapid-retrieval/"}],"language":"en","title":"CraftedSignal Threat Feed - Secrets-Manager","version":"https://jsonfeed.org/version/1.1"}