AWS Systems Manager SecureString Parameter Request with Decryption Flag

Detects the first occurrence of a user identity reading AWS Systems Manager (SSM) SecureString parameters through the GetParameter or GetParameters API actions with the withDecryption request parameter set to true, which returns the stored secret in plaintext and may indicate access to sensitive information. This is a NewTerms rule: it alerts the first time a given AWS ARN is seen decrypting SecureString parameters within a 10-day history window.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2024/04/12"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/06/03"

[rule]
author = ["Elastic"]
description = """
Detects the first occurrence of a user identity accessing AWS Systems Manager (SSM) SecureString parameters using the
GetParameter or GetParameters API actions with credentials in the request parameters. This could indicate that the user
is accessing sensitive information. This rule detects when a user accesses a SecureString parameter with the
`withDecryption` parameter set to true. This is a
[NewTerms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that
detects the first occurrence of a specific AWS ARN accessing SecureString parameters with decryption within the last 10
days.
"""
false_positives = [
    """
    Users may legitimately access AWS Systems Manager (SSM) parameters using the GetParameter, GetParameters, or
    DescribeParameters API actions with credentials in the request parameters. Ensure that the user has a legitimate
    reason to access the parameters and that the credentials are secured.
    """,
]
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Systems Manager SecureString Parameter Request with Decryption Flag"
note = """

## Triage and Analysis

### Investigating AWS Systems Manager SecureString Parameter Request with Decryption Flag

This rule detects when an AWS resource accesses SecureString parameters within AWS Systems Manager (SSM) with the decryption flag set to true. SecureStrings are encrypted using a KMS key, and accessing these with decryption can indicate attempts to access sensitive data.

Adversaries may target SecureStrings to retrieve sensitive information such as encryption keys, passwords, and other credentials that are stored securely. Accessing these parameters with decryption enabled is particularly concerning because it implies the adversary is attempting to bypass the encryption to obtain plain text values that can be immediately used or exfiltrated. This behavior might be part of a larger attack strategy aimed at escalating privileges or moving laterally within an environment to access protected data or critical infrastructure.

#### Possible Investigation Steps

- **Review the Access Event**: Identify the specific API call (`GetParameter` or `GetParameters`) that triggered the rule. Examine the `request_parameters` for `withDecryption` set to true and the name of the accessed parameter.
- **Verify User Identity and Access Context**: Check the `user_identity` details to understand who accessed the parameter and their role within the organization. This includes checking the ARN and access key ID to determine if the access was authorized.
- **Contextualize with User Behavior**: Assess whether the access pattern fits the user’s normal behavior or job responsibilities. Investigate any out-of-pattern activities around the time of the event.
- **Analyze Geographic and IP Context**: Using the `source.ip` and `source.geo` information, verify if the request came from a trusted location or if there are any anomalies that suggest a compromised account.
- **Inspect Related CloudTrail Events**: Look for other related events in CloudTrail to see if there was unusual activity before or after this event, such as unusual login attempts, changes to permissions, or other API calls that could indicate broader unauthorized actions.

### False Positive Analysis

- **Legitimate Administrative Use**: Verify if the decryption of SecureString parameters is a common practice for the user’s role, particularly if used in automation scripts or deployment processes like those involving Terraform or similar tools.

### Response and Remediation

- **Immediate Verification**: Contact the user or team responsible for the API call to verify their intent and authorization.
- **Review and Revise Permissions**: If the access was unauthorized, review the permissions assigned to the user or role to ensure they align with the principle of least privilege.
- **Audit Parameter Access Policies**: Ensure that policies governing access to SecureString parameters are strict and audit logs are enabled to track access with decryption.
- **Incident Response**: If suspicious activity is confirmed, follow through with your organization's incident response plan to mitigate any potential security issues.
- **Enhanced Monitoring and Alerting**: Strengthen monitoring rules to detect unusual accesses to SecureString parameters, especially those that involve decryption.

### Additional Information

This rule focuses solely on SecureStrings in AWS Systems Manager (SSM) parameters. SecureStrings are encrypted using an AWS Key Management Service (KMS) key. When a user accesses a SecureString parameter, they can specify whether the parameter should be decrypted. If the user specifies that the parameter should be decrypted, the decrypted value is returned in the response.
"""
references = [
    "https://docs.aws.amazon.com/vsts/latest/userguide/systemsmanager-getparameter.html",
    "https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html",
]
risk_score = 47
rule_id = "fd332492-0bc6-11ef-b5be-f661ea17fbcc"
setup = "This rule requires that AWS CloudTrail logs are ingested into the Elastic Stack. Ensure that the AWS integration is properly configured to collect AWS CloudTrail logs. This rule also requires event logging for AWS Systems Manager (SSM) API actions which can be enabled in CloudTrail's data events settings.\n"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Systems Manager",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: aws.cloudtrail
    and event.provider: "ssm.amazonaws.com"
    and event.action: (GetParameters or GetParameter)
    and event.outcome: success
    and aws.cloudtrail.request_parameters: *withDecryption=true*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
[[rule.threat.technique.subtechnique]]
id = "T1555.006"
name = "Cloud Secrets Management Stores"
reference = "https://attack.mitre.org/techniques/T1555/006/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.new_terms]
field = "new_terms_fields"
value = ["aws.cloudtrail.user_identity.arn"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
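The following Python is an added illustration of the rule logic above, not code from Elastic or the detection-rules project: it applies the same four KQL conditions (SSM event source, GetParameter/GetParameters, successful outcome, withDecryption=true) to raw CloudTrail JSON records and then approximates the new-terms behaviour by alerting only when an ARN has not decrypted a parameter within the 10-day history window. The records, ARNs and parameter names are constructed samples; "no errorCode" stands in for event.outcome: success, which is how the Elastic integration derives that field.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail records (not real log data). Field names follow the
# CloudTrail JSON schema; the ARNs and parameter names are invented.
DEPLOY = "arn:aws:sts::123456789012:assumed-role/DeployRole/ci"
BOB = "arn:aws:iam::123456789012:user/bob"
SAMPLE_EVENTS = [
    {"eventTime": "2024-06-01T10:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "userIdentity": {"arn": DEPLOY},
     "requestParameters": {"name": "/prod/db/password", "withDecryption": True}},
    {"eventTime": "2024-06-02T10:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameters", "userIdentity": {"arn": DEPLOY},
     "requestParameters": {"names": ["/prod/api/key"], "withDecryption": True}},
    {"eventTime": "2024-06-02T11:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "userIdentity": {"arn": BOB},
     "requestParameters": {"name": "/prod/db/password", "withDecryption": False}},
    {"eventTime": "2024-06-03T09:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "userIdentity": {"arn": BOB}, "errorCode": "AccessDenied",
     "requestParameters": {"name": "/prod/db/password", "withDecryption": True}},
    {"eventTime": "2024-06-03T09:05:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "userIdentity": {"arn": BOB},
     "requestParameters": {"name": "/prod/db/password", "withDecryption": True}},
    {"eventTime": "2024-06-20T08:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "userIdentity": {"arn": DEPLOY},
     "requestParameters": {"name": "/prod/db/password", "withDecryption": True}},
]

def matches_rule(ev):
    """Same conditions as the KQL query: SSM GetParameter(s), success, withDecryption=true."""
    rp = ev.get("requestParameters") or {}
    return (ev.get("eventSource") == "ssm.amazonaws.com"
            and ev.get("eventName") in ("GetParameter", "GetParameters")
            and "errorCode" not in ev  # CloudTrail records a failure via errorCode
            and rp.get("withDecryption") is True)

def new_terms_alerts(events, history_days=10):
    """Alert once per ARN the first time it decrypts a parameter within any history window."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO-8601 sorts lexically
        if not matches_rule(ev):
            continue
        arn = ev["userIdentity"]["arn"]
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        if arn not in last_seen or ts - last_seen[arn] > timedelta(days=history_days):
            rp = ev["requestParameters"]  # GetParameter uses "name", GetParameters "names"
            alerts.append({"arn": arn, "time": ev["eventTime"],
                           "parameters": rp.get("names") or [rp["name"]]})
        last_seen[arn] = ts
    return alerts
```

On the sample set this yields three alerts: the deploy role's first read, bob's first successful decrypted read (the denied call and the plaintext read do not match), and the deploy role again once its previous decrypted read is more than 10 days old.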
