#splunk

Published: 19 June 2022
on channel: cybersecnerd
652 views, 13 likes

Hypothesis: an adversary can query the instance metadata service through a misconfigured EC2 instance that acts as a proxy and retrieve the instance role's temporary credentials.

Scenario: the attacker retrieved temporary credentials and later used them to exfiltrate data from an S3 bucket.

SPL:
Activity from outside our network (anything not in the RFC 1918 ranges):
index="aws-test" sourcetype="_json"
| search NOT sourceIPAddress IN (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12)

Activity performed by this source IP, broken down by identity:
index="aws-test" sourcetype="_json" sourceIPAddress="1.2.3.4"
| stats count values(eventName) by userIdentity.arn userIdentity.principalId userIdentity.accessKeyId userIdentity.type userIdentity.accountId

Any other event that references the compromised token / access key:
index="aws-test" sourcetype="_json" "ASIA5FLZVX4OPVKKVBMX"

S3 data exfiltrated (downloaded) by the outside host, summarised by bucket and source IP:
index="aws-test" sourcetype="_json" "ASIA5FLZVX4OPVKKVBMX" eventSource=s3*
| stats count values(eventName) values(resources{}.*) as * by requestParameters.bucketName sourceIPAddress

OR
index="aws-test" sourcetype="_json" "ASIA5FLZVX4OPVKKVBMX" eventSource=s3*
| stats count values(resources{}.*) as * by requestParameters.bucketName sourceIPAddress eventName

Temporary credentials issued by STS (the credentials retrieved by querying instance metadata), with the caller that obtained them:
index="aws-test" sourcetype="_json" eventSource=sts*
| stats values(responseElements.credentials.*) as * values(resources{}.*) as * by sourceIPAddress userIdentity.invokedBy @timestamp
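The five searches above form one hunt chain: find activity from outside the network, see what that IP did and under which identity, pivot on the access key, summarise the S3 activity by bucket and source IP, and trace the key back to the STS call that issued it. Below is an added example, not part of the video notes, that re-implements that chain in plain Python over a handful of constructed CloudTrail-shaped records so it runs offline. Field names follow CloudTrail's JSON schema; the IPs, ARNs, bucket names and the access key id are made up. The last function goes one step beyond the SPL by joining the STS issuance with the external activity, which flags instance-role keys being used from off the instance.

```python
"""Plain-Python version of the CloudTrail temporary-credential hunt (added example)."""
import ipaddress
import json
from collections import defaultdict

# The same three RFC 1918 ranges the SPL excludes with NOT sourceIPAddress IN (...)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

KEY = "ASIAEXAMPLEKEY000001"  # constructed temporary key id (ASIA prefix = STS-issued)
ROLE_SESSION = "arn:aws:sts::111122223333:assumed-role/web-instance-role/i-0abc123"

# Constructed CloudTrail-shaped records; not real log data.
EVENTS = [
    {"eventTime": "2022-06-19T09:58:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "ec2.amazonaws.com",  # EC2 fetched the role credentials for the instance
     "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"},
     "responseElements": {"credentials": {"accessKeyId": KEY, "expiration": "2022-06-19T15:58:00Z"}},
     "resources": [{"ARN": "arn:aws:iam::111122223333:role/web-instance-role",
                    "accountId": "111122223333", "type": "AWS::IAM::Role"}]},
    {"eventTime": "2022-06-19T10:01:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "10.0.1.25",  # legitimate use from inside the VPC
     "userIdentity": {"type": "AssumedRole", "accessKeyId": KEY, "arn": ROLE_SESSION},
     "requestParameters": {"bucketName": "app-assets", "key": "static/logo.png"}},
    {"eventTime": "2022-06-19T10:12:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.45",  # same key, now from an outside host
     "userIdentity": {"type": "AssumedRole", "accessKeyId": KEY, "arn": ROLE_SESSION}},
    {"eventTime": "2022-06-19T10:13:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": KEY, "arn": ROLE_SESSION},
     "requestParameters": {"bucketName": "customer-exports", "key": "2022/q1.csv"}},
    {"eventTime": "2022-06-19T10:14:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": KEY, "arn": ROLE_SESSION},
     "requestParameters": {"bucketName": "customer-exports", "key": "2022/q2.csv"}},
    {"eventTime": "2022-06-19T11:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7",  # external but unrelated: a normal IAM user login
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]


def is_external(ip_text):
    """True for an IP outside the RFC 1918 ranges. AWS service principals such as
    'ec2.amazonaws.com' appear in sourceIPAddress but are not IPs; treat them as internal."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def external_activity(events):
    """Step 1: events whose sourceIPAddress is outside our networks."""
    return [e for e in events if is_external(e.get("sourceIPAddress", ""))]


def activity_by_identity(events, source_ip):
    """Step 2: what one source IP did, grouped by (arn, accessKeyId, type) like the stats ... by."""
    summary = defaultdict(lambda: {"count": 0, "eventNames": set()})
    for e in events:
        if e.get("sourceIPAddress") != source_ip:
            continue
        u = e.get("userIdentity", {})
        row = summary[(u.get("arn"), u.get("accessKeyId"), u.get("type"))]
        row["count"] += 1
        row["eventNames"].add(e["eventName"])
    return dict(summary)


def mentions_key(event, key_id):
    """Step 3: free-text style match, i.e. the key appears anywhere in the record."""
    return key_id in json.dumps(event)


def s3_by_bucket_and_ip(events, key_id):
    """Step 4: S3 activity for the key, grouped by bucket and source IP, with the objects touched."""
    summary = defaultdict(lambda: {"count": 0, "eventNames": set(), "objectKeys": set()})
    for e in events:
        if not (mentions_key(e, key_id) and e.get("eventSource", "").startswith("s3")):
            continue
        params = e.get("requestParameters") or {}  # ListBuckets carries no requestParameters
        row = summary[(params.get("bucketName"), e["sourceIPAddress"])]
        row["count"] += 1
        row["eventNames"].add(e["eventName"])
        if "key" in params:
            row["objectKeys"].add(params["key"])
    return dict(summary)


def credential_issuance(events):
    """Step 5: STS events that handed out temporary credentials and who invoked them."""
    rows = []
    for e in events:
        if not e.get("eventSource", "").startswith("sts"):
            continue
        creds = e.get("responseElements", {}).get("credentials", {})
        rows.append({"eventTime": e["eventTime"], "sourceIPAddress": e["sourceIPAddress"],
                     "invokedBy": e.get("userIdentity", {}).get("invokedBy"),
                     "accessKeyId": creds.get("accessKeyId"), "expiration": creds.get("expiration"),
                     "roleArns": [r["ARN"] for r in e.get("resources", [])]})
    return rows


def instance_keys_used_externally(events):
    """Join of steps 1 and 5: keys issued to an EC2 instance role that later appear from outside."""
    instance_keys = {r["accessKeyId"] for r in credential_issuance(events)
                     if r["invokedBy"] == "ec2.amazonaws.com"}
    return {(e["sourceIPAddress"], e["userIdentity"]["accessKeyId"]) for e in external_activity(events)
            if e.get("userIdentity", {}).get("accessKeyId") in instance_keys}


if __name__ == "__main__":
    for ip, key in sorted(instance_keys_used_externally(EVENTS)):
        print(f"instance-role key {key} used from {ip}:")
        for (bucket, src), row in s3_by_bucket_and_ip(EVENTS, key).items():
            if src == ip:
                print(f"  bucket={bucket} count={row['count']} objects={sorted(row['objectKeys'])}")
```

In a real hunt the `EVENTS` list would be replaced by records exported from the `aws-test` index, but the grouping keys are the same ones the SPL uses, so each function's output lines up with the corresponding `stats` table.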

