-
Notifications
You must be signed in to change notification settings - Fork 176
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
more correlation rules from AWS re:inforce (#1289)
* more correlation rules from AWS re:inforce * unit tests
- Loading branch information
1 parent
20646a4
commit 6404644
Showing
2 changed files
with
101 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
AnalysisType: correlation_rule | ||
RuleID: "AWS.Console.Sign-In.NOT.PRECEDED.BY.Okta" | ||
DisplayName: "AWS Console Sign-In NOT PRECEDED BY Okta Redirect" | ||
Enabled: false | ||
Tags: | ||
- AWS | ||
- Configuration Required | ||
- Okta | ||
- Actor Profiles | ||
Severity: High | ||
Description: A user has logged into the AWS console without authenticating via Okta. This rule requires AWS SSO via Okta, both log sources configured, and Actor Profiles enabled. | ||
Detection: | ||
- Sequence: | ||
- ID: Okta SSO to AWS | ||
RuleID: Okta.SSO.to.AWS | ||
Absence: true | ||
- ID: AWS Console Sign-In | ||
RuleID: AWS.Console.Sign-In | ||
Transitions: | ||
- ID: Okta SSO to AWS TO AWS Console Sign-In ON username | ||
From: Okta SSO to AWS | ||
To: AWS Console Sign-In | ||
Match: | ||
- On: p_udm.user.id | ||
WithinTimeFrameMinutes: 15 | ||
Schedule: | ||
RateMinutes: 1440 | ||
TimeoutMinutes: 5 | ||
LookbackWindowMinutes: 1440 | ||
Tests: | ||
- Name: AWS Console Sign-In PRECEDED BY Okta Redirect | ||
ExpectedResult: false | ||
RuleOutputs: | ||
- ID: Okta SSO to AWS | ||
Matches: | ||
p_udm.user.id: | ||
igor.stravinsky: | ||
- 0 | ||
- ID: AWS Console Sign-In | ||
Matches: | ||
p_udm.user.id: | ||
igor.stravinsky: | ||
- 2 | ||
- Name: AWS Console Sign-In NOT PRECEDED BY Okta Redirect | ||
ExpectedResult: true | ||
RuleOutputs: | ||
- ID: AWS Console Sign-In | ||
Matches: | ||
p_udm.user.id: | ||
igor.stravinsky: | ||
- 2 |
50 changes: 50 additions & 0 deletions
50
correlation_rules/aws_sso_access_token_retrieved_by_unauthenticated_ip.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
AnalysisType: correlation_rule | ||
RuleID: "AWS.SSO.Access.Token.Retrieved.by.Unauthenticated.IP" | ||
DisplayName: "AWS SSO Access Token Retrieved by Unauthenticated IP" | ||
Enabled: true | ||
Severity: Medium | ||
Description: |- | ||
When using AWS in an enterprise environment, best practices dictate to use a single sign-on service for identity and access management. AWS SSO is a popular solution, integrating with third-party providers such as Okta and allowing to centrally manage roles and permissions in multiple AWS accounts. | ||
In this post, we demonstrate that AWS SSO is vulnerable by design to device code authentication phishing – just like any identity provider implementing OpenID Connect device code authentication. This technique was first demonstrated by Dr. Nestori Syynimaa for Azure AD. The feature provides a powerful phishing vector for attackers, rendering ineffective controls such as MFA (including Yubikeys) or IP allow-listing at the IdP level. | ||
Reference: https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/ | ||
Detection: | ||
- Sequence: | ||
- ID: Absent CLI Prompt | ||
RuleID: Sign-in.with.AWS.CLI.prompt | ||
Absence: true | ||
- ID: SSO Access Token Retrieved | ||
RuleID: Retrieve.SSO.access.token | ||
Transitions: | ||
- ID: Absent CLI Prompt TO Access Token Retrieved ON IP Addr | ||
From: Absent CLI Prompt | ||
To: SSO Access Token Retrieved | ||
WithinTimeFrameMinutes: 120 | ||
Match: | ||
- On: sourceIPAddress | ||
Schedule: | ||
RateMinutes: 1440 | ||
TimeoutMinutes: 5 | ||
LookbackWindowMinutes: 1440 | ||
Tests: | ||
- Name: AWS SSO Access Token Retrieved by Authenticated IP | ||
ExpectedResult: false | ||
RuleOutputs: | ||
- ID: Absent CLI Prompt | ||
Matches: | ||
p_udm.user.id: | ||
igor.stravinsky: | ||
- 0 | ||
- ID: SSO Access Token Retrieved | ||
Matches: | ||
p_udm.user.id: | ||
igor.stravinsky: | ||
- 2 | ||
- Name: AWS SSO Access Token Retrieved by Unauthenticated IP | ||
ExpectedResult: true | ||
RuleOutputs: | ||
- ID: SSO Access Token Retrieved | ||
Matches: | ||
p_udm.user.id: | ||
igor.stravinsky: | ||
- 2 |