-
Notifications
You must be signed in to change notification settings - Fork 512
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[New Rule] AWS EC2 Instance Connect SSH Public Key Uploaded (#3634)
* new rule 'AWS EC2 Instance Connect SSH Public Key Uploaded' * changed tactic to privilege escalation * added additional reference * added investigation guide * updated summary * changed risk score to medium; adjusted tags * fixed mitre mapping * Update rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
- Loading branch information
1 parent
05ac4e1
commit 9f67585
Showing
1 changed file
with
106 additions
and
0 deletions.
There are no files selected for viewing
106 changes: 106 additions & 0 deletions
106
...s/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,106 @@ | ||
| [metadata] | ||
| creation_date = "2024/04/30" | ||
| integration = ["aws"] | ||
| maturity = "production" | ||
| min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" | ||
| min_stack_version = "8.9.0" | ||
| updated_date = "2024/06/03" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service. This | ||
| action could indicate an adversary attempting to maintain access to the instance. The rule also detects the | ||
| `SendSerialConsoleSSHPublicKey` API action, which could be used for privilege escalation if the serial console is | ||
| enabled. Monitoring these activities helps ensure unauthorized access attempts are detected and mitigated promptly. | ||
| """ | ||
| false_positives = ["Administrators may upload SSH public keys to EC2 instances for legitimate purposes."] | ||
| from = "now-9m" | ||
| index = ["filebeat-*", "logs-aws.cloudtrail-*"] | ||
| language = "kuery" | ||
| license = "Elastic License v2" | ||
| name = "AWS EC2 Instance Connect SSH Public Key Uploaded" | ||
| note = """ | ||
| ## Triage and Analysis | ||
| ### Investigating AWS EC2 Instance Connect SSH Public Key Uploaded | ||
| This rule detects when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service. Adversaries may upload SSH public keys to EC2 instances to maintain access to the instance. The rule also covers cases where the `SendSerialConsoleSSHPublicKey` API action is used to upload an SSH public key to a serial connection, which can be exploited for privilege escalation. | ||
| #### Possible Investigation Steps: | ||
| - **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions. | ||
| - **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the SSH public key upload. Look for any unusual parameters that could suggest unauthorized or malicious modifications. | ||
| - **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access. | ||
| - **Contextualize with Timestamp**: Use the `@timestamp` field to check when the SSH public key was uploaded. Changes during non-business hours or outside regular maintenance windows might require further scrutiny. | ||
| - **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities. | ||
| - **Check for Serial Console Access**: If the `SendSerialConsoleSSHPublicKey` action was used, verify if the `ec2:EnableSerialConsoleAccess` permission was also used, which might indicate an attempt to enable and exploit the serial console. | ||
| ### False Positive Analysis: | ||
| - **Legitimate Administrative Actions**: Confirm if the SSH public key upload aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems. | ||
| - **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm. | ||
| - **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the upload was successful and intended according to policy. | ||
| ### Response and Remediation: | ||
| - **Immediate Review and Reversal if Necessary**: If the upload was unauthorized, remove the uploaded SSH public key from the EC2 instance and review the instance's access logs for any suspicious activity. | ||
| - **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive instances or unusual file extensions. | ||
| - **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning SSH key management and the risks of unauthorized key uploads. | ||
| - **Audit EC2 Instance Policies and Permissions**: Conduct a comprehensive audit of all EC2 instance policies and associated permissions to ensure they adhere to the principle of least privilege. | ||
| - **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences. | ||
| ### Additional Information: | ||
| For further guidance on managing EC2 instances and securing AWS environments, refer to the [AWS EC2 Instance Connect documentation](https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSSHPublicKey.html) and AWS best practices for security. Additionally, consult the following resources for specific details on SSH key management and privilege escalation techniques: | ||
| - [Stratus Red Team - AWS EC2 Instance Connect](https://stratus-red-team.cloud/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect/) | ||
| - [HackTricks - AWS EC2 Privilege Escalation](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc) | ||
| - [AWS EC2 Instance Connect API Reference](https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSSHPublicKey.html) | ||
| """ | ||
| references = [ | ||
| "https://stratus-red-team.cloud/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect/", | ||
| "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc", | ||
| "https://medium.parttimepolymath.net/aws-ec2-instance-connect-a-very-neat-trick-4d2fc0c28010", | ||
| "https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSSHPublicKey.html", | ||
| "https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSerialConsoleSSHPublicKey.html", | ||
| ] | ||
| risk_score = 47 | ||
| rule_id = "873b5452-074e-11ef-852e-f661ea17fbcc" | ||
| severity = "medium" | ||
| tags = [ | ||
| "Domain: Cloud", | ||
| "Data Source: AWS", | ||
| "Data Source: Amazon Web Services", | ||
| "Data Source: AWS EC2", | ||
| "Use Case: Identity and Access Audit", | ||
| "Tactic: Privilege Escalation", | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "query" | ||
|
|
||
| query = ''' | ||
| event.dataset: aws.cloudtrail | ||
| and event.provider: ec2-instance-connect.amazonaws.com | ||
| and event.action: (SendSSHPublicKey or SendSerialConsoleSSHPublicKey) | ||
| and event.outcome: success | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1098" | ||
| name = "Account Manipulation" | ||
| reference = "https://attack.mitre.org/techniques/T1098/" | ||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1098.004" | ||
| name = "SSH Authorized Keys" | ||
| reference = "https://attack.mitre.org/techniques/T1098/004/" | ||
|
|
||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0004" | ||
| name = "Privilege Escalation" | ||
| reference = "https://attack.mitre.org/tactics/TA0004/" | ||
|
|