Microsoft Sentinel Analytic Rules

Suspicious AWS CLI Command Execution

Id: 8c2dc344-9352-4ca1-8863-b1b7a5e09e59
Rulename: Suspicious AWS CLI Command Execution
Description: This detection focuses on identifying potentially suspicious activities involving the execution of AWS Command Line Interface (CLI) commands, particularly focusing on reconnaissance operations.
Severity: Medium
Tactics: Reconnaissance
Techniques: T1595
T1592.004
T1589.002
T1589.003
T1590
T1591
T1596
Required data connectors: AWS
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSCLICommandExecution.yaml
Version: 1.0.1
Arm template: 8c2dc344-9352-4ca1-8863-b1b7a5e09e59.json
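// Watch list of read-only AWS CLI operations typically used to enumerate an
// account. The match below is has_any (whole-term match), so every entry must
// be its own string literal: KQL concatenates adjacent literals, and the
// original list had 'iam.get-user''iam.list-access-keys' without a comma,
// which silently turned both commands into one unmatched term. Duplicate
// entries (ec2.describe-network-interfaces x3) have been removed; they had no
// effect on matching.
let SuspiciousCommands = pack_array(
    'iam.list-users',
    'iam.list-groups',
    'iam.list-roles',
    'iam.get-user',
    'iam.list-access-keys',
    'ec2.describe-vpcs',
    'ec2.describe-vpc',
    'ec2.describe-subnets',
    'ec2.describe-security-groups',
    'ec2.describe-network-acls',
    'ec2.describe-network-interfaces',
    'ec2.describe-route-tables',
    'ec2.describe-internet-gateways',
    'ec2.describe-vpc-peering-connections',
    'ec2.describe-transit-gateway-vpc-attachment',
    'route53.list-hosted-zones',
    'kms.list-keys',
    'kms.list-aliases',
    'ecs.list-clusters',
    'ecs.list-services');
// Retrieve AWS CloudTrail events
AWSCloudTrail
// Only calls whose User-Agent identifies the AWS CLI. The User-Agent is
// client-supplied, so this is a cheap heuristic rather than a reliable signal
// of the calling tool; calls issued through SDKs carry a different User-Agent
// and are not covered by this rule.
| where UserAgent startswith "aws-cli"
// The CLI appends "command/<service>.<operation>" to its User-Agent; take the
// text after "off command/". When that marker is absent the element is empty
// and the row is dropped by the next filter.
| extend command = tostring(split(UserAgent, "off command/", 1)[0])
// Keep only calls to one of the enumeration operations in the watch list
| where command has_any (SuspiciousCommands)
// Some events carry no UserIdentityArn; fall back to the ARN of the first
// resource in the event
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
// Last ARN segment is the user / role-session name
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
// Prefer the explicit user name, fall back to the ARN-derived name, and label
// unauthenticated callers explicitly
| extend AccountName = case(
    UserIdentityPrincipalid == "Anonymous", "Anonymous",
    isempty(UserIdentityUserName), UserName,
    UserIdentityUserName)
// Split UPN-style names (user@domain) into name and suffix for the Account
// entity mapping. Both expressions live in one extend, so AccountUPNSuffix
// still reads the unsplit AccountName.
| extend
    AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
// Aggregate per account, caller, source IP, MFA state and 1-minute bucket
| summarize
    // column name kept as-is (typo included): it is part of the alert's output
    // schema and downstream consumers may already reference it
    CommadCount = dcount(command),
    EventCount = dcount(EventName),
    commands = make_list(command),
    Events = make_list(EventName)
    by
    bin(TimeGenerated, 1min),
    RecipientAccountId, AccountName, AccountUPNSuffix,
    UserIdentityUserName,
    SourceIpAddress,
    SessionMfaAuthenticated
// Keep only buckets with 8 or more distinct enumeration operations. Bins are
// fixed 1-minute windows, so a burst straddling a minute boundary is split
// across two rows and may stay under the threshold.
| where CommadCount >= 8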
relevantTechniques:
- T1595
- T1592.004
- T1589.002
- T1589.003
- T1590
- T1591
- T1596
name: Suspicious AWS CLI Command Execution
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  - identifier: CloudAppAccountId
    columnName: RecipientAccountId
  entityType: Account
triggerThreshold: 0
id: 8c2dc344-9352-4ca1-8863-b1b7a5e09e59
tactics:
- Reconnaissance
version: 1.0.1
customDetails:
  AWSUserIp: SourceIpAddress
  SuspiciousCommand: commands
  AWSUser: UserIdentityUserName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSCLICommandExecution.yaml
queryPeriod: 1d
kind: Scheduled
queryFrequency: 1d
severity: Medium
description: |
    'This detection focuses on identifying potentially suspicious activities involving the execution of AWS Command Line Interface (CLI) commands, particularly focusing on reconnaissance operations.'
query: |
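  // Watch list of read-only AWS CLI operations typically used to enumerate an
  // account. The match below is has_any (whole-term match), so every entry must
  // be its own string literal: KQL concatenates adjacent literals, and the
  // original list had 'iam.get-user''iam.list-access-keys' without a comma,
  // which silently turned both commands into one unmatched term. Duplicate
  // entries (ec2.describe-network-interfaces x3) have been removed; they had no
  // effect on matching.
  let SuspiciousCommands = pack_array(
      'iam.list-users',
      'iam.list-groups',
      'iam.list-roles',
      'iam.get-user',
      'iam.list-access-keys',
      'ec2.describe-vpcs',
      'ec2.describe-vpc',
      'ec2.describe-subnets',
      'ec2.describe-security-groups',
      'ec2.describe-network-acls',
      'ec2.describe-network-interfaces',
      'ec2.describe-route-tables',
      'ec2.describe-internet-gateways',
      'ec2.describe-vpc-peering-connections',
      'ec2.describe-transit-gateway-vpc-attachment',
      'route53.list-hosted-zones',
      'kms.list-keys',
      'kms.list-aliases',
      'ecs.list-clusters',
      'ecs.list-services');
  // Retrieve AWS CloudTrail events
  AWSCloudTrail
  // Only calls whose User-Agent identifies the AWS CLI. The User-Agent is
  // client-supplied, so this is a cheap heuristic rather than a reliable signal
  // of the calling tool; calls issued through SDKs carry a different User-Agent
  // and are not covered by this rule.
  | where UserAgent startswith "aws-cli"
  // The CLI appends "command/<service>.<operation>" to its User-Agent; take the
  // text after "off command/". When that marker is absent the element is empty
  // and the row is dropped by the next filter.
  | extend command = tostring(split(UserAgent, "off command/", 1)[0])
  // Keep only calls to one of the enumeration operations in the watch list
  | where command has_any (SuspiciousCommands)
  // Some events carry no UserIdentityArn; fall back to the ARN of the first
  // resource in the event
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  // Last ARN segment is the user / role-session name
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  // Prefer the explicit user name, fall back to the ARN-derived name, and label
  // unauthenticated callers explicitly
  | extend AccountName = case(
      UserIdentityPrincipalid == "Anonymous", "Anonymous",
      isempty(UserIdentityUserName), UserName,
      UserIdentityUserName)
  // Split UPN-style names (user@domain) into name and suffix for the Account
  // entity mapping. Both expressions live in one extend, so AccountUPNSuffix
  // still reads the unsplit AccountName.
  | extend
      AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
      AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
  // Aggregate per account, caller, source IP, MFA state and 1-minute bucket
  | summarize
      // column name kept as-is (typo included): it is part of the alert's output
      // schema and downstream consumers may already reference it
      CommadCount = dcount(command),
      EventCount = dcount(EventName),
      commands = make_list(command),
      Events = make_list(EventName)
      by
      bin(TimeGenerated, 1min),
      RecipientAccountId, AccountName, AccountUPNSuffix,
      UserIdentityUserName,
      SourceIpAddress,
      SessionMfaAuthenticated
  // Keep only buckets with 8 or more distinct enumeration operations. Bins are
  // fixed 1-minute windows, so a burst straddling a minute boundary is split
  // across two rows and may stay under the threshold.
  | where CommadCount >= 8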
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8c2dc344-9352-4ca1-8863-b1b7a5e09e59')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8c2dc344-9352-4ca1-8863-b1b7a5e09e59')]",
      "properties": {
        "alertRuleTemplateName": "8c2dc344-9352-4ca1-8863-b1b7a5e09e59",
        "customDetails": {
          "AWSUser": "UserIdentityUserName",
          "AWSUserIp": "SourceIpAddress",
          "SuspiciousCommand": "commands"
        },
        "description": "'This detection focuses on identifying potentially suspicious activities involving the execution of AWS Command Line Interface (CLI) commands, particularly focusing on reconnaissance operations.'\n",
        "displayName": "Suspicious AWS CLI Command Execution",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              },
              {
                "columnName": "RecipientAccountId",
                "identifier": "CloudAppAccountId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSCLICommandExecution.yaml",
        "query": "let SuspiciousCommands= pack_array('iam.list-users', 'iam.list-groups', 'ec2.describe-vpcs', 'ec2.describe-subnets', 'route53.list-hosted-zones', 'kms.list-keys', 'kms.list-aliases', 'ecs.list-clusters', 'ecs.list-services', 'iam.list-roles', 'iam.get-user''iam.list-access-keys', 'ec2.describe-security-groups', 'ec2.describe-network-acls', 'ec2.describe-network-interfaces', 'ec2.describe-route-tables', 'ec2.describe-internet-gateways', 'ec2.describe-vpc-peering-connections', 'ec2.describe-network-interfaces', 'ec2.describe-network-interfaces', 'ec2.describe-transit-gateway-vpc-attachment', 'ec2.describe-vpc');\n// Retrieve AWS CloudTrail events\nAWSCloudTrail \n// Filter events with UserAgent starting with \"aws-cli\"\n| where UserAgent startswith \"aws-cli\" \n// Extract the command from the UserAgent using string splitting\n| extend command = tostring(split(UserAgent, \"off command/\", 1)[0])  \n// Filter events based on predefined suspicious command list\n| where command has_any (SuspiciousCommands)  \n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\n| extend AccountName = case( UserIdentityPrincipalid == \"Anonymous\", \"Anonymous\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\n| extend AccountName = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 0)[0]), AccountName),\n  AccountUPNSuffix = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 1)[0]), \"\")\n// Summarize relevant information for further analysis\n| summarize \n    CommadCount = dcount(command), \n    EventCount = dcount(EventName), \n    commands = make_list(command), \n    Events = make_list(EventName) \n    by \n    bin(TimeGenerated, 1min), \n    RecipientAccountId, AccountName, AccountUPNSuffix, \n    UserIdentityUserName, \n    SourceIpAddress, \n    SessionMfaAuthenticated \n// Filter out results with a sufficient count of unique suspicious commands in 1 min time window\n| where CommadCount >= 8\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [
          "T1592.004",
          "T1589.002",
          "T1589.003"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Reconnaissance"
        ],
        "techniques": [
          "T1589",
          "T1590",
          "T1591",
          "T1592",
          "T1595",
          "T1596"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}