SigmaHQ/rules/cloud/aws_iam_backdoor_users_keys.yml

title: AWS IAM Backdoor Users Keys
id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
status: experimental
author: faloker
date: 2020/02/12
description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6
logsource:
    service: cloudtrail
detection:
    selection_source:
        - eventSource: iam.amazonaws.com
    selection_eventname:
        - eventName: CreateAccessKey
    filter:
        userIdentity.arn|contains: responseElements.accessKey.userName
    condition: all of selection* and not filter
fields:
    - userIdentity.arn
    - responseElements.accessKey.userName
    - errorCode
    - errorMessage
level: medium
falsepositives:
    - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
    - AWS API keys legitimate exchange workflows
tags:
    - attack.t1098
Update rules titles 2020-02-12 21:09:16 +00:00			`title: AWS IAM Backdoor Users Keys`
Add the rule to detect backdooring of users keys 2020-02-12 20:22:38 +00:00			`id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2`
			`status: experimental`
			`author: faloker`
			`date: 2020/02/12`
			`description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.`
			`references:`
Correct the indentation 2020-02-12 20:48:46 +00:00			`- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6`
Add the rule to detect backdooring of users keys 2020-02-12 20:22:38 +00:00			`logsource:`
Correct the indentation 2020-02-12 20:48:46 +00:00			`service: cloudtrail`
Add the rule to detect backdooring of users keys 2020-02-12 20:22:38 +00:00			`detection:`
Correct the indentation 2020-02-12 20:48:46 +00:00			`selection_source:`
			`- eventSource: iam.amazonaws.com`
			`selection_eventname:`
			`- eventName: CreateAccessKey`
			`filter:`
			`userIdentity.arn\|contains: responseElements.accessKey.userName`
			`condition: all of selection* and not filter`
Add the rule to detect backdooring of users keys 2020-02-12 20:22:38 +00:00			`fields:`
Correct the indentation 2020-02-12 20:48:46 +00:00			`- userIdentity.arn`
			`- responseElements.accessKey.userName`
			`- errorCode`
			`- errorMessage`
			`level: medium`
Add the rule to detect backdooring of users keys 2020-02-12 20:22:38 +00:00			`falsepositives:`
			`- Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)`
			`- AWS API keys legitimate exchange workflows`
			`tags:`
Correct the indentation 2020-02-12 20:48:46 +00:00			`- attack.t1098`