Splunk Lantern

Detecting ransomware activities within AWS environments


You are an Amazon Web Services (AWS) admin who manages AWS resources and services across your organization. As part of your role, you need to be able to detect potential ransomware attacks that occur via your AWS resources.

Cloud ransomware can be deployed when attackers obtain high-privileged credentials from targeted users or resources. The searches in this use case help you to detect when users in your AWS environment are performing activities that are commonly associated with ransomware attacks, namely through the creation of KMS keys and encryption activities.

How to use Splunk software for this use case

  • Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment.
  • To optimize the searches, you should specify an index and a time range when appropriate. 
  • Install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.

AWS users creating KMS keys where kms:Encrypt is publicly accessible

This search detects newly created Key Management Service (KMS) keys, or existing keys that have been assigned a new key policy, where the action kms:Encrypt is granted to everyone, including principals outside your organization. This is an indicator that your account is compromised and the attacker is using the encryption key to compromise another company.

| search (sourcetype=aws:cloudtrail (eventName=CreateKey OR eventName=PutKeyPolicy)) 
| spath input=requestParameters.policy output=key_policy_statements path=Statement{} 
| mvexpand key_policy_statements 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=key_policy_action_2 path=Action{} 
| eval key_policy_action=mvappend(key_policy_action_1,key_policy_action_2) 
| spath input=key_policy_statements output=key_policy_principal path=Principal.AWS
| search (key_policy_action="kms:Encrypt" key_policy_principal="*") 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY eventName eventSource eventID awsRegion userIdentity.principalId 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
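The policy-parsing logic of the search above, written out as an added Python example (not part of the Splunk content): it walks constructed CloudTrail CreateKey/PutKeyPolicy records, parses the requestParameters.policy JSON string the way spath does, and flags statements that grant kms:Encrypt to the wildcard principal. It goes slightly beyond the SPL by also recognising the bare "Principal": "*" form and skipping Deny statements; the event IDs, principal IDs and account number are made-up sample values.

```python
import json

# Constructed sample CloudTrail records (not real events). requestParameters.policy
# is a JSON string, which is why the SPL search has to parse it with spath.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Open", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["kms:Encrypt", "kms:GenerateDataKey"], "Resource": "*"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Root", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"}]})
SAMPLE_EVENTS = [
    {"eventName": "PutKeyPolicy", "eventSource": "kms.amazonaws.com",
     "eventID": "evt-0001", "awsRegion": "us-east-1",
     "userIdentity": {"principalId": "AIDAEXAMPLE1"},
     "requestParameters": {"policy": OPEN_POLICY}},
    {"eventName": "CreateKey", "eventSource": "kms.amazonaws.com",
     "eventID": "evt-0002", "awsRegion": "us-east-1",
     "userIdentity": {"principalId": "AIDAEXAMPLE2"},
     "requestParameters": {"policy": SCOPED_POLICY}},
]

def _as_list(value):
    """Policy elements may be one string or a list (spath's Action vs Action{})."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def statement_is_public_encrypt(stmt):
    """True when an Allow statement grants kms:Encrypt to principal '*'.
    Principal may be the bare string '*' or {'AWS': '*'}; the SPL search only
    reads Principal.AWS and ignores Effect, so both checks are generalizations."""
    if stmt.get("Effect", "Allow") != "Allow":
        return False
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return "*" in _as_list(principal) and "kms:Encrypt" in _as_list(stmt.get("Action"))

def find_public_encrypt_keys(events):
    """Return (eventName, eventID, principalId) for CreateKey/PutKeyPolicy
    events whose key policy exposes kms:Encrypt to everyone."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in ("CreateKey", "PutKeyPolicy"):
            continue
        policy = json.loads(ev.get("requestParameters", {}).get("policy", "{}"))
        if any(statement_is_public_encrypt(s) for s in _as_list(policy.get("Statement"))):
            hits.append((ev["eventName"], ev["eventID"], ev["userIdentity"]["principalId"]))
    return hits
```

Running find_public_encrypt_keys(SAMPLE_EVENTS) flags only the PutKeyPolicy record, which is the same set of fields the SPL stats clause groups on.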

AWS users with KMS keys performing encryption in S3 buckets

This search provides detection of users with KMS keys performing encryption specifically against S3 buckets.

| search (eventName=CopyObject "requestParameters.x-amz-server-side-encryption"="aws:kms" sourcetype=aws:cloudtrail) 
| rename "requestParameters.x-amz-copy-source" AS src_file, "requestParameters.key" AS dest_file 
| stats count min(_time) AS firstTime max(_time) AS lastTime values(src_file) AS src_file values(dest_file) AS dest_file values(userAgent) AS userAgent values(region) AS region values(src) AS src BY user 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Next steps

The content in this article comes from Splunk Enterprise Security (ES). As a Splunk premium security solution, ES solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of an organization's security posture with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises, or hybrid deployment models. If you have questions about this use case, see the Security Research team's support options on GitHub.

In addition, Splunk Enterprise Security provides a number of other searches to help reinforce your cloud security posture, including:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.