AWS CLI Command with Custom Endpoint URL

Detects use of the AWS CLI with the --endpoint-url argument, which overrides the service endpoint that API requests are sent to. Adversaries can use it to redirect requests to non-standard or attacker-controlled endpoints, bypassing the security controls and logging attached to the account's normal AWS endpoints; this may indicate interaction with unauthorized or compromised infrastructure, data exfiltration, or other malicious activity disguised as legitimate AWS operations. The rule is a new_terms rule keyed on user.name, so it fires the first time a given user is observed running aws with this argument within the preceding 10 days, not on every invocation. Legitimate uses (local emulators, S3-compatible object stores, VPC or FIPS endpoints) are common, so an alert is a starting point for triage rather than a verdict.

Elastic rule

[metadata]
creation_date = "2024/08/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/21"

[rule]
author = ["Elastic"]
description = """
Detects the use of the AWS CLI with the `--endpoint-url` argument, which allows users to specify a custom endpoint URL for AWS services. This can be leveraged by adversaries to redirect API requests to non-standard or malicious endpoints, potentially bypassing typical security controls and logging mechanisms. This behavior may indicate an attempt to interact with unauthorized or compromised infrastructure, exfiltrate data, or perform other malicious activities under the guise of legitimate AWS operations.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS CLI Command with Custom Endpoint URL"
references = [
    "https://sysdig.com/blog/scarleteel-2-0/"
]
risk_score = 47
rule_id = "349276c0-5fcf-11ef-b1a9-f661ea17fbce"
severity = "medium"
tags = [
    "Data Source: Elastic Defend",
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
]
type = "new_terms"
timestamp_override = "event.ingested"
query = '''
host.os.type: "linux" and event.category: "process" and process.name: "aws" and process.args:  "--endpoint-url"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1102"
name = "Web Service"
reference = "https://attack.mitre.org/techniques/T1102/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"


[rule.new_terms]
field = "new_terms_fields"
value = ["user.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
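The following is an added example, not part of the Elastic rule or its test suite. It re-implements the rule's KQL query and its new_terms behaviour in plain Python and runs them over constructed ECS-shaped process events, so you can see which invocations match the exact-term query and when the 10-day user.name history window suppresses or re-raises an alert. The event shapes, user names, timestamps and endpoint addresses are all made up; the optional allow_fused switch is an assumption of this example (a prefix match that the rule as written does not perform), included because the AWS CLI also accepts the single-token form --endpoint-url=URL.

```python
"""Replay of the rule's KQL query and new_terms logic over constructed events.

Added illustration only; this is not Elastic's detection engine. It keeps just
the fields the query touches (host.os.type, event.category, process.name,
process.args) plus user.name, the rule's new_terms field.
"""
from datetime import datetime, timedelta, timezone

# rule.new_terms.history_window_start = "now-10d"
HISTORY_WINDOW = timedelta(days=10)


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _event(ts, user, args, os_type="linux"):
    """Build a minimal ECS-shaped process event. Constructed sample data."""
    return {
        "@timestamp": ts,
        "host": {"os": {"type": os_type}},
        "event": {"category": ["process"]},
        "user": {"name": user},
        "process": {"name": args[0], "args": list(args)},
    }


# Constructed events (hosts, users and 203.0.113.10 are documentation-only values).
SAMPLE_EVENTS = [
    _event("2024-08-10T09:00:00Z", "ci-runner",
           ["aws", "s3", "ls", "--endpoint-url", "http://localhost:4566"]),
    _event("2024-08-12T09:05:00Z", "ci-runner",          # same user, 2 days later
           ["aws", "s3", "ls", "--endpoint-url", "http://localhost:4566"]),
    _event("2024-08-12T11:30:00Z", "root",               # no --endpoint-url at all
           ["aws", "sts", "get-caller-identity"]),
    _event("2024-08-20T22:15:00Z", "www-data",           # web user pushing a backup out
           ["aws", "s3", "cp", "/var/backups/db.tgz", "s3://loot/",
            "--endpoint-url", "https://203.0.113.10"]),
    _event("2024-08-25T03:40:00Z", "ci-runner",          # 13 days after last sighting
           ["aws", "s3", "ls", "--endpoint-url", "http://localhost:4566"]),
    _event("2024-08-25T04:00:00Z", "root",               # fused --flag=value form
           ["aws", "s3", "ls", "--endpoint-url=https://203.0.113.10"]),
    _event("2024-08-25T05:00:00Z", "dev",                # not linux: out of scope
           ["aws", "s3", "ls", "--endpoint-url", "http://localhost:4566"],
           os_type="macos"),
]


def matches_query(event, allow_fused=False) -> bool:
    """Python equivalent of:
    host.os.type: "linux" and event.category: "process"
      and process.name: "aws" and process.args: "--endpoint-url"

    process.args is a keyword array, so the KQL clause is an exact match on a
    single element. allow_fused (assumption of this example) additionally
    accepts "--endpoint-url=<url>", which the rule as written does not catch.
    """
    if event.get("host", {}).get("os", {}).get("type") != "linux":
        return False
    if "process" not in event.get("event", {}).get("category", []):
        return False
    proc = event.get("process", {})
    if proc.get("name") != "aws":
        return False
    args = proc.get("args", [])
    return "--endpoint-url" in args or (
        allow_fused and any(a.startswith("--endpoint-url=") for a in args)
    )


def new_terms_alerts(events, history_window=HISTORY_WINDOW, allow_fused=False):
    """Simplified new_terms evaluation: a matching event alerts only when its
    user.name was not seen in a matching event within the preceding window.
    Every matching event (alerting or not) refreshes the user's last sighting.
    Returns [(timestamp, user.name), ...] in time order.
    """
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["@timestamp"])):
        if not matches_query(ev, allow_fused=allow_fused):
            continue
        ts, user = _ts(ev["@timestamp"]), ev["user"]["name"]
        prev = last_seen.get(user)
        if prev is None or ts - prev > history_window:
            alerts.append((ev["@timestamp"], user))
        last_seen[user] = ts
    return alerts


if __name__ == "__main__":
    for when, who in new_terms_alerts(SAMPLE_EVENTS):
        print(f"{when} new --endpoint-url user: {who}")
    print("with fused form:", new_terms_alerts(SAMPLE_EVENTS, allow_fused=True))
```

Two points the replay makes visible. First, the rule is per user: ci-runner's second run two days later is silent, but the run 13 days after that alerts again because the history window has rolled past the last sighting, so a legitimate but infrequent user will keep resurfacing. Second, the exact-term match on process.args misses --endpoint-url=URL, which the AWS CLI accepts; a wildcard clause (process.args: --endpoint-url*) closes that gap. Recent CLI versions also honour the AWS_ENDPOINT_URL environment variable and an endpoint_url setting in the profile configuration, neither of which appears in argv, so this rule does not cover those paths and CloudTrail or network telemetry is needed to see them.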
