Detecting cloud federated credential abuse in AWS

Data required

• Amazon Web Services: CloudTrail and CloudWatch

How to use Splunk software for this use case

• Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment.
• To optimize the searches, you should specify an index and a time range when appropriate. 
• Install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.

► Detect AWS SAML access

You can use this search to detect abnormal AWS SAML access, or credential hijacking or forgery in federated environments using SAML protocol inside the perimeter or cloud provider.

| search (eventName=Assumerolewithsaml sourcetype=aws:cloudtrail) 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY requestParameters.principalArn requestParameters.roleArn requestParameters.roleSessionName recipientAccountId responseElements.issuer sourceIPAddress userAgent 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► AWS SAML update identity provider

This search detects updates to a SAML provider in AWS. Updates to a SAML provider need to be monitored closely as they may indicate possible perimeter compromise of federated credentials, or backdoor access from another cloud provider set by the attacker.

This search may return false positives since updating a SAML provider or creating a new one may not necessarily be malicious.

| search (eventName=UpdateSAMLProvider sourcetype=aws:cloudtrail) 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY eventType eventName requestParameters.sAMLProviderArn userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId userIdentity.principalId 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Certutil exe certificate extraction

Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Endpoint data model. For information on installing and using the CIM, see the Common Information Model documentation.

This search looks for arguments to certutil.exe that indicate the manipulation or extraction of the certificate. This certificate can then be used to sign new authentication tokens, especially inside federated environments such as Windows ADFS.

Unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. Extraction of a certificate has been observed during attacks such as Golden SAML and other campaigns targeting federated services.

| tstats allow_old_summaries=true count, min(_time) AS firstTime, values("Processes.process") AS process, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=certutil.exe "Processes.process"="* -exportPFX *") BY "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.user" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Registry keys used for privilege escalation

• To successfully implement this search, ensure that your deployment is ingesting data that records registry activity from your hosts to populate the Endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
• Click here for a full explanation of how this search works.

This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under "Image File Execution Options" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries.

False positives from this search may occur since there are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task.

| tstats summariesonly=true allow_old_summaries=true count values(Registry.registry_key_name) AS registry_key_name values(Registry.registry_path) AS registry_path min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*") AND (Registry.registry_key_name=GlobalFlag OR Registry.registry_key_name=Debugger) BY Registry.dest  Registry.user
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime)
| rename "Registry.*" AS "*"

Next steps

The content in this article comes from Splunk Enterprise Security (ES). As a Splunk premium security solution, ES solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of an organization's security posture with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises, or hybrid deployment models. If you have questions about this use case, see the Security Research team's support options on GitHub.

In addition, Splunk Enterprise Security provides a number of other searches to help reinforce your Cloud Security posture, including:

• Detecting AWS cross-account activity
• Detecting AWS suspicious provisioning activities
• Detecting Google Cloud Platform (GCP) cross-account activity
• Detecting Office 365 attacks
• Detecting privilege escalation in your AWS environment
• Detecting suspicious cloud authentication activities
• Monitoring user activity spikes in AWS