AWS EC2 Instance Interaction with IAM Service

Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using its EC2 instance ID as the session name. This rule looks for the pattern "i-", which is the prefix of assumed-role session names started by an EC2 instance.


# Elastic prebuilt detection rule. Layout: rule bookkeeping under [metadata], the
# detection logic under [rule], and MITRE ATT&CK mappings as [[rule.threat]] entries.
[metadata]
creation_date = "2024/07/24"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/24"

[rule]
author = ["Elastic"]
description = """
Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern "i-" which is the beginning pattern for assumed role sessions started by an EC2 instance.
"""
false_positives = ["Administrators may use EC2 instances to interact with IAM services as part of an automation workflow, ensure validity of the triggered event and include exceptions where necessary."]
# Lookback window for each rule execution; presumably the scheduled interval (not set
# in this file) is shorter than 6 minutes so consecutive runs overlap -- confirm.
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
name = "AWS EC2 Instance Interaction with IAM Service"
references = [
    "https://redcanary.com/blog/aws-sts/",
]
risk_score = 47
rule_id = "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS EC2",
    "Data Source: AWS IAM",
    "Use Case: Identity and Access Audit",
    "Tactic: Privilege Escalation",
    "Tactic: Persistence",
]
# Evaluates events by ingestion time rather than @timestamp; presumably so that
# late-arriving CloudTrail records still fall inside the lookback window -- confirm.
timestamp_override = "event.ingested"
type = "eql"

# Single-event EQL query (no sequence). Note what it does NOT constrain: there is no
# filter on event.action or event.outcome, so any IAM API call made under a matching
# assumed-role session -- read-only and access-denied calls included -- produces an
# alert; tune with exceptions rather than by relaxing the identity filters.
# For AssumedRole identities user.id presumably has the form "<role-id>:<session-name>",
# so the ":i-" substring anchors the match to the start of the session name (the EC2
# instance ID per the description). A manually chosen session name beginning with
# "i-" would match as well -- verify against sample events.
query = '''
any where event.dataset == "aws.cloudtrail"
   and event.provider == "iam.amazonaws.com"
   and aws.cloudtrail.user_identity.type == "AssumedRole"
   and stringContains (user.id, ":i-")
'''


# Each [[rule.threat]] entry maps to one tactic; its technique/subtechnique tables and
# its [rule.threat.tactic] sub-table must appear before the next [[rule.threat]] header.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.001"
name = "Additional Cloud Credentials"
reference = "https://attack.mitre.org/techniques/T1098/001/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

# Second tactic mapping carries no technique entries of its own; the techniques above
# are attached only to the Persistence entry.
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
