AWS EC2 Admin Credential Fetch via Assumed Role

  1[metadata]
  2creation_date = "2024/04/10"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2024/05/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the first occurrence of a user identity in AWS using `GetPassword` for the administrator password of an EC2
 11instance with an assumed role. Adversaries may use this API call to escalate privileges or move laterally within EC2
 12instances.
 13"""
 14from = "now-9m"
 15index = ["filebeat-*", "logs-aws.cloudtrail*"]
 16language = "kuery"
 17license = "Elastic License v2"
 18name = "AWS EC2 Admin Credential Fetch via Assumed Role"
 19note = """
 20## Triage and Analysis
 21
 22### Investigating AWS EC2 Admin Credential Fetch via Assumed Role
 23
 24This rule detects the first occurrence of a user identity using the `GetPasswordData` API call in AWS, which retrieves the administrator password of an EC2 instance. This can be an indicator of an adversary attempting to escalate privileges or move laterally within EC2 instances.
 25
 26This is a New Terms rule, which means it will only trigger once for each unique value of the `aws.cloudtrail.user_identity.session_context.session_issuer.arn` field that has not been seen making this API request within the last 7 days. This field contains the Amazon Resource Name (ARN) of the assumed role that triggered the API call.
 27
 28#### Possible Investigation Steps
 29
 30- **Identify the User Identity and Role**: Examine the AWS CloudTrail logs to determine the user identity that made the `GetPasswordData` request. Pay special attention to the role and permissions associated with the user.
 31- **Review Request and Response Parameters**: Analyze the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields to understand the context of the API call and the retrieved password.
 32- **Contextualize with User Behavior**: Compare this activity against the user's typical behavior patterns. Look for unusual login times, IP addresses, or other anomalous actions taken by the user or role prior to and following the incident.
 33- **Review EC2 Instance Details**: Check the details of the EC2 instance from which the password was retrieved. Assess the criticality and sensitivity of the applications running on this instance.
 34- **Examine Related CloudTrail Events**: Search for other API calls made by the same user identity, especially those modifying security groups, network access controls, or instance metadata.
 35- **Check for Lateral Movement**: Look for evidence that the obtained credentials have been used to access other resources or services within AWS.
 36- **Investigate the Origin of the API Call**: Analyze the IP address and geographical location from which the request originated. Determine if it aligns with expected locations for legitimate administrative activity.
 37
 38### False Positive Analysis
 39
 40- **Legitimate Administrative Actions**: Ensure that the activity was not part of legitimate administrative tasks such as system maintenance or updates.
 41- **Automation Scripts**: Verify if the activity was generated by automation or deployment scripts that are authorized to use `GetPasswordData` for legitimate purposes.
 42
 43### Response and Remediation
 44
 45- **Immediate Isolation**: If suspicious, isolate the affected instance to prevent any potential lateral movement or further unauthorized actions.
 46- **Credential Rotation**: Rotate credentials of the affected instance or assumed role and any other potentially compromised credentials.
 47- **User Account Review**: Review the permissions of the implicated user identity. Apply the principle of least privilege by adjusting permissions to prevent misuse.
 48- **Enhanced Monitoring**: Increase monitoring on the user identity that triggered the rule and similar EC2 instances.
 49- **Incident Response**: If malicious intent is confirmed, initiate the incident response protocol. This includes further investigation, containment of the threat, eradication of any threat actor presence, and recovery of affected systems.
 50- **Preventative Measures**: Implement or enhance security measures such as multi-factor authentication and continuous audits of sensitive operations like `GetPasswordData`.
 51
 52### Additional Information
 53
 54Refer to resources like [AWS privilege escalation methods](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc) and the MITRE ATT&CK technique [T1552.005 - Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005/) for more details on potential vulnerabilities and mitigation strategies.
 55
 56"""
 57references = [
 58    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc",
 59]
 60risk_score = 47
 61rule_id = "8446517c-f789-11ee-8ad0-f661ea17fbce"
 62severity = "medium"
 63tags = [
 64    "Domain: Cloud",
 65    "Data Source: AWS",
 66    "Data Source: Amazon Web Services",
 67    "Data Source: Amazon EC2",
 68    "Use Case: Identity and Access Audit",
 69    "Resources: Investigation Guide",
 70    "Tactic: Credential Access",
 71]
 72timestamp_override = "event.ingested"
 73type = "new_terms"
 74
 75query = '''
 76event.dataset:"aws.cloudtrail"
 77    and event.provider:"ec2.amazonaws.com" and event.action:"GetPasswordData"
 78    and aws.cloudtrail.user_identity.type:"AssumedRole" and aws.cloudtrail.error_code:"Client.UnauthorizedOperation"
 79'''
 80
 81
 82[[rule.threat]]
 83framework = "MITRE ATT&CK"
 84[[rule.threat.technique]]
 85id = "T1552"
 86name = "Unsecured Credentials"
 87reference = "https://attack.mitre.org/techniques/T1552/"
 88[[rule.threat.technique.subtechnique]]
 89id = "T1552.005"
 90name = "Cloud Instance Metadata API"
 91reference = "https://attack.mitre.org/techniques/T1552/005/"
 92
 93
 94
 95[rule.threat.tactic]
 96id = "TA0006"
 97name = "Credential Access"
 98reference = "https://attack.mitre.org/tactics/TA0006/"
 99
100[rule.new_terms]
101field = "new_terms_fields"
102value = ["aws.cloudtrail.user_identity.session_context.session_issuer.arn"]
103[[rule.new_terms.history_window_start]]
104field = "history_window_start"
105value = "now-7d"