Suspicious AWS CLI Command Execution
| Id | 8c2dc344-9352-4ca1-8863-b1b7a5e09e59 |
| Rulename | Suspicious AWS CLI Command Execution |
| Description | This detection focuses on identifying potentially suspicious activities involving the execution of AWS Command Line Interface (CLI) commands, particularly focusing on reconnaissance operations. |
| Severity | Medium |
| Tactics | Reconnaissance |
| Techniques | T1595 T1592.004 T1589.002 T1589.003 T1590 T1591 T1596 |
| Required data connectors | AWS |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSCLICommandExecution.yaml |
| Version | 1.0.1 |
| Arm template | 8c2dc344-9352-4ca1-8863-b1b7a5e09e59.json |
let SuspiciousCommands= pack_array('iam.list-users', 'iam.list-groups', 'ec2.describe-vpcs', 'ec2.describe-subnets', 'route53.list-hosted-zones', 'kms.list-keys', 'kms.list-aliases', 'ecs.list-clusters', 'ecs.list-services', 'iam.list-roles', 'iam.get-user''iam.list-access-keys', 'ec2.describe-security-groups', 'ec2.describe-network-acls', 'ec2.describe-network-interfaces', 'ec2.describe-route-tables', 'ec2.describe-internet-gateways', 'ec2.describe-vpc-peering-connections', 'ec2.describe-network-interfaces', 'ec2.describe-network-interfaces', 'ec2.describe-transit-gateway-vpc-attachment', 'ec2.describe-vpc');
// Retrieve AWS CloudTrail events
AWSCloudTrail
// Filter events with UserAgent starting with "aws-cli"
| where UserAgent startswith "aws-cli"
// Extract the command from the UserAgent using string splitting
| extend command = tostring(split(UserAgent, "off command/", 1)[0])
// Filter events based on predefined suspicious command list
| where command has_any (SuspiciousCommands)
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
// Summarize relevant information for further analysis
| summarize
CommadCount = dcount(command),
EventCount = dcount(EventName),
commands = make_list(command),
Events = make_list(EventName)
by
bin(TimeGenerated, 1min),
RecipientAccountId, AccountName, AccountUPNSuffix,
UserIdentityUserName,
SourceIpAddress,
SessionMfaAuthenticated
// Filter out results with a sufficient count of unique suspicious commands in 1 min time window
| where CommadCount >= 8
queryPeriod: 1d
query: |
let SuspiciousCommands= pack_array('iam.list-users', 'iam.list-groups', 'ec2.describe-vpcs', 'ec2.describe-subnets', 'route53.list-hosted-zones', 'kms.list-keys', 'kms.list-aliases', 'ecs.list-clusters', 'ecs.list-services', 'iam.list-roles', 'iam.get-user''iam.list-access-keys', 'ec2.describe-security-groups', 'ec2.describe-network-acls', 'ec2.describe-network-interfaces', 'ec2.describe-route-tables', 'ec2.describe-internet-gateways', 'ec2.describe-vpc-peering-connections', 'ec2.describe-network-interfaces', 'ec2.describe-network-interfaces', 'ec2.describe-transit-gateway-vpc-attachment', 'ec2.describe-vpc');
// Retrieve AWS CloudTrail events
AWSCloudTrail
// Filter events with UserAgent starting with "aws-cli"
| where UserAgent startswith "aws-cli"
// Extract the command from the UserAgent using string splitting
| extend command = tostring(split(UserAgent, "off command/", 1)[0])
// Filter events based on predefined suspicious command list
| where command has_any (SuspiciousCommands)
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
// Summarize relevant information for further analysis
| summarize
CommadCount = dcount(command),
EventCount = dcount(EventName),
commands = make_list(command),
Events = make_list(EventName)
by
bin(TimeGenerated, 1min),
RecipientAccountId, AccountName, AccountUPNSuffix,
UserIdentityUserName,
SourceIpAddress,
SessionMfaAuthenticated
// Filter out results with a sufficient count of unique suspicious commands in 1 min time window
| where CommadCount >= 8
version: 1.0.1
name: Suspicious AWS CLI Command Execution
entityMappings:
- fieldMappings:
- columnName: AccountName
identifier: Name
- columnName: AccountUPNSuffix
identifier: UPNSuffix
- columnName: RecipientAccountId
identifier: CloudAppAccountId
entityType: Account
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSCLICommandExecution.yaml
requiredDataConnectors:
- connectorId: AWS
dataTypes:
- AWSCloudTrail
description: |
'This detection focuses on identifying potentially suspicious activities involving the execution of AWS Command Line Interface (CLI) commands, particularly focusing on reconnaissance operations.'
kind: Scheduled
queryFrequency: 1d
severity: Medium
relevantTechniques:
- T1595
- T1592.004
- T1589.002
- T1589.003
- T1590
- T1591
- T1596
triggerOperator: gt
triggerThreshold: 0
customDetails:
AWSUserIp: SourceIpAddress
AWSUser: UserIdentityUserName
SuspiciousCommand: commands
tactics:
- Reconnaissance
id: 8c2dc344-9352-4ca1-8863-b1b7a5e09e59