#splunk

Published: 19 June 2022
Channel: cybersecnerd

Hypothesis: An adversary can query the instance metadata service through a misconfigured EC2 instance acting as a proxy and retrieve the instance's temporary credentials.

Scenario: The attacker retrieved temporary credentials and later used them to exfiltrate data from an S3 bucket.

SPL queries:

Activity from outside our network (exclude the RFC 1918 ranges):
index="aws-test" sourcetype="_json"
| search NOT sourceIPAddress IN (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12)

Activity performed by a suspicious source IP (pivot on the identity and access key behind it):
index="aws-test" sourcetype="_json" sourceIPAddress="1.2.3.4"
| stats count values(eventName) by userIdentity.arn userIdentity.principalId userIdentity.accessKeyId userIdentity.type userIdentity.accountId

Other activity tied to the compromised token/access key:
index="aws-test" sourcetype="_json" "ASIA5FLZVX4OPVKKVBMX"

S3 data exfiltrated by download from an outside host:
index="aws-test" sourcetype="_json" "ASIA5FLZVX4OPVKKVBMX" eventSource=s3*
| stats count values(eventName) values(resources{}.*) as * by requestParameters.bucketName sourceIPAddress

Or, broken out by event name:
index="aws-test" sourcetype="_json" "ASIA5FLZVX4OPVKKVBMX" eventSource=s3*
| stats count values(resources{}.*) as * by requestParameters.bucketName sourceIPAddress eventName

Temporary credentials retrieved by querying instance metadata (STS calls returning credentials, grouped by source IP and invoking service):
index="aws-test" sourcetype="_json" eventSource=sts*
| stats values(responseElements.credentials.*) as * values(resources{}.*) as * by sourceIPAddress userIdentity.invokedBy @timestamp
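The same pivots (external source IPs, identities behind them, and S3 activity per compromised key) applied to CloudTrail records outside Splunk, as an added example that is not part of the original video notes. The records, account ID, bucket name and access key below are constructed placeholders, not real log data; the module also handles the case where CloudTrail puts an AWS service name rather than an IP in sourceIPAddress.

```python
import ipaddress
from collections import Counter, defaultdict

# Private ranges excluded by the first SPL query.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]

# Constructed CloudTrail-style records (not real data). KEY is a placeholder access key ID.
KEY = "ASIAEXAMPLEKEY0000001"
ROLE = {"type": "AssumedRole", "accessKeyId": KEY,
        "arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc"}
SAMPLE_EVENTS = [
    # Legitimate use from the instance itself (internal address).
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": ROLE, "requestParameters": {"bucketName": "customer-data"}},
    # Same key reused from outside the network: enumerate, then download twice.
    {"eventSource": "s3.amazonaws.com", "eventName": "ListObjects", "sourceIPAddress": "203.0.113.10",
     "userIdentity": ROLE, "requestParameters": {"bucketName": "customer-data"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": ROLE, "requestParameters": {"bucketName": "customer-data"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": ROLE, "requestParameters": {"bucketName": "customer-data"}},
    # AWS-initiated call: sourceIPAddress is a service DNS name, not an IP.
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"}, "requestParameters": {}},
]

def is_external(source_ip):
    """True when the address is outside INTERNAL_NETS; a non-IP value (AWS service name) is not external."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def activity_by_identity(events):
    """Second SPL query: event names seen from outside the network, per (arn, accessKeyId)."""
    seen = defaultdict(set)
    for e in events:
        if is_external(e["sourceIPAddress"]):
            ident = e["userIdentity"]
            seen[(ident.get("arn"), ident.get("accessKeyId"))].add(e["eventName"])
    return {k: sorted(v) for k, v in seen.items()}

def s3_activity_for_key(events, access_key):
    """Fourth SPL query: S3 calls made with one key, counted by (bucket, source IP, eventName)."""
    counts = Counter()
    for e in events:
        if e["userIdentity"].get("accessKeyId") == access_key and e["eventSource"].startswith("s3"):
            counts[(e["requestParameters"].get("bucketName"), e["sourceIPAddress"], e["eventName"])] += 1
    return dict(counts)
```

Any key that appears in activity_by_identity() from an address that is not the instance's own is the pivot value to carry into the remaining queries.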

