AWS Secrets Manager Rapid Secrets Retrieval
Identifies rapid secret retrieval activity from AWS Secrets Manager using the GetSecretValue or BatchGetSecretValue API actions. Adversaries who compromise an IAM user, instance role, or temporary credentials may attempt to enumerate or exfiltrate secrets in bulk to escalate privileges, move laterally, or gain persistence. This rule detects 20 or more unique secret retrievals by the same user identity within a short time window, which may indicate credential compromise or automated secret harvesting.
Elastic rule
[metadata]
creation_date = "2024/04/11"
integration = ["aws"]
maturity = "production"
updated_date = "2025/11/07"

[rule]
author = ["Elastic"]
description = """
Identifies rapid secret retrieval activity from AWS Secrets Manager using the GetSecretValue or BatchGetSecretValue API
actions. Adversaries who compromise an IAM user, instance role, or temporary credentials may attempt to enumerate or
exfiltrate secrets in bulk to escalate privileges, move laterally, or gain persistence. This rule detects 20 or more
unique secret retrievals by the same user identity within a short time window, which may indicate credential compromise
or automated secret harvesting.
"""
false_positives = [
    """
    Verify whether the user identity, user agent, and/or hostname should be using GetSecretValue or BatchGetSecretValue
    APIs for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Secrets Manager Rapid Secrets Retrieval"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance.
> While every effort has been made to ensure its quality, validate and adapt it for your operational needs.

### Investigating AWS Secrets Manager Rapid Secrets Retrieval

AWS Secrets Manager stores sensitive credentials such as database passwords, API keys, OAuth tokens, and service
configuration values. In credential compromise scenarios, attackers frequently attempt to retrieve as many secrets as
possible in a short timeframe to escalate privileges or move laterally across the environment.

This threshold rule triggers when a single user identity (`user.id`) successfully retrieves 20 or more unique secrets using
`GetSecretValue` or `BatchGetSecretValue` within the rule's 6-minute lookback. Retrieval of many different secrets in rapid
succession is highly unusual and strongly associated with reconnaissance, secret harvesting, or compromised automation.
The cardinality is measured on the serialized `aws.cloudtrail.request_parameters` value rather than on a parsed `SecretId`,
so the same secret requested with different `VersionId` or `VersionStage` parameters is counted more than once.

Note: a `BatchGetSecretValue` call results in a `GetSecretValue` event for each secret it returns; this rule counts only
those per-secret `GetSecretValue` events, not the `BatchGetSecretValue` call itself.

#### Possible investigation steps

- **Identify the user or role**
  - Review `aws.cloudtrail.user_identity.arn`, `user.name`, and `aws.cloudtrail.user_identity.type`.
  - Determine whether the identity normally accesses Secrets Manager or is tied to a known automation workload.

- **Analyze the set of secrets retrieved**
  - Expand the alert in Timeline and review `aws.cloudtrail.request_parameters` for all `SecretId` values in the grouped threshold event.
  - Identify whether the accessed secrets include:
    - Privileged database credentials
    - IAM user or service account credentials
    - Production application secrets
    - Rarely accessed or high-sensitivity secrets

- **Assess the runtime context**
  - Investigate `source.ip`, `source.geo.location`, and `user_agent.original`.
  - Validate whether the calls originated from known internal automation (e.g., ECS task, Lambda runtime, EC2 instance profile)
    or from an unexpected IP or user agent.

- **Correlate with other activity from the same identity**
  - Look for related reconnaissance or credential-access events:
    - `ListSecrets`, `DescribeSecret`
    - IAM enumeration (`ListUsers`, `GetCallerIdentity`)
    - Role-chaining or unusual `AssumeRole` flows
  - Check for subsequent use of exposed credentials (RDS login attempts, API activity, abnormal resource access).

- **Determine whether unusual automation or deployment activity is occurring**
  - Confirm with application owners whether a new deployment, config reload, or migration might explain the multi-secret access.

### False positive analysis

- Legitimate application initialization or rollouts may retrieve many secrets once on startup.
- CI/CD pipelines or configuration management tools may enumerate secrets as part of environment bootstrapping.

To reduce noise, consider exceptions based on:
- Known service roles
- Expected source IP ranges
- Specific application identities tied to secret orchestration

### Response and remediation

- **Containment**
  - Immediately revoke or disable the IAM user, role session, or instance profile if compromise is suspected.
  - Quarantine EC2/ECS/Lambda resources originating suspicious calls.

- **Investigation**
  - Identify all secrets accessed in the grouped alert and determine where those credentials are used.
  - Review CloudTrail for any suspicious follow-on activity using the retrieved secrets.
  - Assess whether additional identities or workloads show similar enumeration behavior.

- **Recovery and hardening**
  - Rotate all accessed secrets and update dependent systems.
  - Rotate IAM access keys or temporary credentials for the impacted identity.
  - Restrict permissions to Secrets Manager following least privilege.
  - Review automation and application behavior to ensure secrets are accessed only when required.
"""
references = [
    "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
    "https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/",
    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum",
]
risk_score = 47
rule_id = "185c782e-f86a-11ee-9d9f-f661ea17fbce"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Secrets Manager",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "secretsmanager.amazonaws.com"
    and event.action: "GetSecretValue"
    and event.outcome: "success"
    and not (
        user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera")
        or source.address: ("kafka.amazonaws.com" or "apidestinations.events.amazonaws.com")
    )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
[[rule.threat.technique.subtechnique]]
id = "T1555.006"
name = "Cloud Secrets Management Stores"
reference = "https://attack.mitre.org/techniques/T1555/006/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.threshold]
field = ["user.id"]
value = 1
[[rule.threshold.cardinality]]
field = "aws.cloudtrail.request_parameters"
value = 20
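To make the query filter and the threshold grouping concrete, the following Python re-implements the rule's logic over constructed CloudTrail-style events. It is an added example, not code from Elastic or from the detection engine: the field names are the ECS fields the KQL query reads, the serialization of `aws.cloudtrail.request_parameters` as a JSON string is an assumption (the real integration may store it differently), and every principal ID, secret name and IP address is made up. The sample data also exercises the `BatchGetSecretValue` note above (the batch call is ignored, its per-secret `GetSecretValue` events are counted) and the exception for a known secret-orchestration role suggested under False positive analysis.

```python
"""Threshold logic of the rule, re-implemented over constructed CloudTrail events.

Added example; this is not Elastic's rule engine. Field names follow the ECS
fields used in the rule's query; serializing aws.cloudtrail.request_parameters
as a JSON string is an assumption.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Exclusion terms copied from the rule's KQL query.
BROWSER_AGENTS = {"Chrome", "Firefox", "Safari", "Edge", "Brave", "Opera"}
EXCLUDED_SOURCES = {"kafka.amazonaws.com", "apidestinations.events.amazonaws.com"}

# from = "now-6m" and [rule.threshold] cardinality value = 20.
LOOKBACK = timedelta(minutes=6)
CARDINALITY_THRESHOLD = 20


def matches_query(ev):
    """Mirror of the KQL filter: successful GetSecretValue calls to Secrets Manager,
    excluding browser user agents and the two AWS service sources."""
    return (
        ev.get("event.dataset") == "aws.cloudtrail"
        and ev.get("event.provider") == "secretsmanager.amazonaws.com"
        and ev.get("event.action") == "GetSecretValue"
        and ev.get("event.outcome") == "success"
        and ev.get("user_agent.name") not in BROWSER_AGENTS
        and ev.get("source.address") not in EXCLUDED_SOURCES
    )


def evaluate(events, now, exempt_user_ids=frozenset()):
    """One rule execution over events timestamped in [now-6m, now].

    Groups matching events by user.id and alerts when that identity produced 20 or
    more distinct request_parameters values. exempt_user_ids models a rule exception
    for a known secret-orchestration role. Returns {user.id: sorted SecretId list}.
    """
    window_start = now - LOOKBACK
    per_user = defaultdict(set)
    for ev in events:
        if not window_start <= ev["@timestamp"] <= now:
            continue
        if not matches_query(ev):
            continue
        uid = ev.get("user.id")
        if uid is None or uid in exempt_user_ids:
            continue
        per_user[uid].add(ev["aws.cloudtrail.request_parameters"])
    alerts = {}
    for uid, params in per_user.items():
        if len(params) >= CARDINALITY_THRESHOLD:
            # Triage step "Analyze the set of secrets retrieved": pull every
            # SecretId out of the grouped request_parameters values.
            alerts[uid] = sorted(json.loads(p)["secretId"] for p in params)
    return alerts


def make_event(ts, user_id, params, action="GetSecretValue", outcome="success",
               ua="aws-cli", source="203.0.113.10"):
    """Constructed CloudTrail document carrying only the fields the rule reads."""
    return {
        "@timestamp": ts,
        "event.dataset": "aws.cloudtrail",
        "event.provider": "secretsmanager.amazonaws.com",
        "event.action": action,
        "event.outcome": outcome,
        "user.id": user_id,
        "user_agent.name": ua,
        "source.address": source,
        "aws.cloudtrail.request_parameters": json.dumps(params),
    }


NOW = datetime(2025, 11, 7, 12, 0, tzinfo=timezone.utc)


def build_sample_events():
    """Constructed sample data; principal IDs and secret names are made up."""
    t0 = NOW - timedelta(minutes=4)
    ev = []
    # Harvesting: a compromised access key walks 22 distinct secrets in under 2 minutes.
    for i in range(22):
        ev.append(make_event(t0 + timedelta(seconds=5 * i), "AIDAEXAMPLEHARVEST",
                             {"secretId": f"prod/svc-{i:02d}/db"}))
    # BatchGetSecretValue appears as the batch call plus one GetSecretValue per
    # secret (see the rule's note); only the per-secret events are counted.
    batch = "AROAEXAMPLEBATCH:harvest-session"
    ev.append(make_event(t0, batch, {"secretIdList": [f"staging/app-{i:02d}" for i in range(20)]},
                         action="BatchGetSecretValue"))
    for i in range(20):
        ev.append(make_event(t0 + timedelta(seconds=1), batch, {"secretId": f"staging/app-{i:02d}"}))
    # Benign: an ECS task re-reads the same three secrets 30 times (low cardinality).
    for i in range(30):
        ev.append(make_event(t0 + timedelta(seconds=3 * i), "AROAEXAMPLEAPP:ecs-task",
                             {"secretId": f"prod/app/cfg-{i % 3}"}))
    # Console browsing by a human is excluded by the user_agent.name filter.
    for i in range(25):
        ev.append(make_event(t0 + timedelta(seconds=2 * i), "AIDAEXAMPLEHUMAN",
                             {"secretId": f"dev/tool-{i:02d}"}, ua="Chrome"))
    # AccessDenied attempts are not successes and never count.
    for i in range(25):
        ev.append(make_event(t0 + timedelta(seconds=i), "AIDAEXAMPLEDENIED",
                             {"secretId": f"prod/x-{i:02d}"}, outcome="failure"))
    # Activity older than the 6-minute lookback is invisible to this execution.
    for i in range(25):
        ev.append(make_event(NOW - timedelta(minutes=20) + timedelta(seconds=i),
                             "AIDAEXAMPLEOLD", {"secretId": f"old-{i:02d}"}))
    return ev


if __name__ == "__main__":
    for uid, secrets in evaluate(build_sample_events(), NOW).items():
        print(f"ALERT {uid}: {len(secrets)} distinct secrets, e.g. {secrets[:3]}")
```

Running it produces two alerts: the harvesting access key (22 distinct secrets) and the batch-retrieval session (20). Passing the batch session's `user.id` in `exempt_user_ids` reproduces the effect of an Elastic rule exception for a known orchestration role and leaves only the harvester; the browser-driven, denied, low-cardinality and out-of-window activity never reaches the threshold.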
Related rules
- First Time Seen AWS Secret Value Accessed in Secrets Manager
- AWS IAM CompromisedKeyQuarantine Policy Attached to User
- AWS EC2 Instance Console Login via Assumed Role
- AWS IAM User Addition to Group
- AWS Management Console Brute Force of Root User Identity