Suspicious AWS CLI Command Execution
| Id | 8c2dc344-9352-4ca1-8863-b1b7a5e09e59 |
| Rulename | Suspicious AWS CLI Command Execution |
| Description | This detection focuses on identifying potentially suspicious activities involving the execution of AWS Command Line Interface (CLI) commands, particularly focusing on reconnaissance operations. |
| Severity | Medium |
| Tactics | Reconnaissance |
| Techniques | T1595 T1592.004 T1589.002 T1589.003 T1590 T1591 T1596 |
| Required data connectors | AWS |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSCLICommandExecution.yaml |
| Version | 1.0.0 |
| Arm template | 8c2dc344-9352-4ca1-8863-b1b7a5e09e59.json |
let SuspiciousCommands= pack_array('iam.list-users', 'iam.list-groups', 'ec2.describe-vpcs', 'ec2.describe-subnets', 'route53.list-hosted-zones', 'kms.list-keys', 'kms.list-aliases', 'ecs.list-clusters', 'ecs.list-services', 'iam.list-roles', 'iam.get-user''iam.list-access-keys', 'ec2.describe-security-groups', 'ec2.describe-network-acls', 'ec2.describe-network-interfaces', 'ec2.describe-route-tables', 'ec2.describe-internet-gateways', 'ec2.describe-vpc-peering-connections', 'ec2.describe-network-interfaces', 'ec2.describe-network-interfaces', 'ec2.describe-transit-gateway-vpc-attachment', 'ec2.describe-vpc');
// Retrieve AWS CloudTrail events
AWSCloudTrail
// Filter events with UserAgent starting with "aws-cli"
| where UserAgent startswith "aws-cli"
// Extract the command from the UserAgent using string splitting
| extend command = tostring(split(UserAgent, "off command/", 1)[0])
// Filter events based on predefined suspicious command list
| where command has_any (SuspiciousCommands)
// Summarize relevant information for further analysis
| summarize
CommadCount = dcount(command),
EventCount = dcount(EventName),
commands = make_list(command),
Events = make_list(EventName)
by
bin(TimeGenerated, 1min),
UserIdentityUserName,
SourceIpAddress,
SessionMfaAuthenticated
// Filter out results with a sufficient count of unique suspicious commands in 1 min time window
| where CommadCount >= 8
severity: Medium
name: Suspicious AWS CLI Command Execution
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSCLICommandExecution.yaml
requiredDataConnectors:
- dataTypes:
- AWSCloudTrail
connectorId: AWS
id: 8c2dc344-9352-4ca1-8863-b1b7a5e09e59
tactics:
- Reconnaissance
queryFrequency: 1d
triggerOperator: gt
customDetails:
AWSUserIp: SourceIpAddress
AWSUser: UserIdentityUserName
SuspiciousCommand: commands
description: |
'This detection focuses on identifying potentially suspicious activities involving the execution of AWS Command Line Interface (CLI) commands, particularly focusing on reconnaissance operations.'
triggerThreshold: 0
kind: Scheduled
relevantTechniques:
- T1595
- T1592.004
- T1589.002
- T1589.003
- T1590
- T1591
- T1596
query: |
let SuspiciousCommands= pack_array('iam.list-users', 'iam.list-groups', 'ec2.describe-vpcs', 'ec2.describe-subnets', 'route53.list-hosted-zones', 'kms.list-keys', 'kms.list-aliases', 'ecs.list-clusters', 'ecs.list-services', 'iam.list-roles', 'iam.get-user''iam.list-access-keys', 'ec2.describe-security-groups', 'ec2.describe-network-acls', 'ec2.describe-network-interfaces', 'ec2.describe-route-tables', 'ec2.describe-internet-gateways', 'ec2.describe-vpc-peering-connections', 'ec2.describe-network-interfaces', 'ec2.describe-network-interfaces', 'ec2.describe-transit-gateway-vpc-attachment', 'ec2.describe-vpc');
// Retrieve AWS CloudTrail events
AWSCloudTrail
// Filter events with UserAgent starting with "aws-cli"
| where UserAgent startswith "aws-cli"
// Extract the command from the UserAgent using string splitting
| extend command = tostring(split(UserAgent, "off command/", 1)[0])
// Filter events based on predefined suspicious command list
| where command has_any (SuspiciousCommands)
// Summarize relevant information for further analysis
| summarize
CommadCount = dcount(command),
EventCount = dcount(EventName),
commands = make_list(command),
Events = make_list(EventName)
by
bin(TimeGenerated, 1min),
UserIdentityUserName,
SourceIpAddress,
SessionMfaAuthenticated
// Filter out results with a sufficient count of unique suspicious commands in 1 min time window
| where CommadCount >= 8
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SourceIpAddress
identifier: Address
version: 1.0.0
queryPeriod: 1d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8c2dc344-9352-4ca1-8863-b1b7a5e09e59')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8c2dc344-9352-4ca1-8863-b1b7a5e09e59')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Suspicious AWS CLI Command Execution",
"description": "'This detection focuses on identifying potentially suspicious activities involving the execution of AWS Command Line Interface (CLI) commands, particularly focusing on reconnaissance operations.'\n",
"severity": "Medium",
"enabled": true,
"query": "let SuspiciousCommands= pack_array('iam.list-users', 'iam.list-groups', 'ec2.describe-vpcs', 'ec2.describe-subnets', 'route53.list-hosted-zones', 'kms.list-keys', 'kms.list-aliases', 'ecs.list-clusters', 'ecs.list-services', 'iam.list-roles', 'iam.get-user''iam.list-access-keys', 'ec2.describe-security-groups', 'ec2.describe-network-acls', 'ec2.describe-network-interfaces', 'ec2.describe-route-tables', 'ec2.describe-internet-gateways', 'ec2.describe-vpc-peering-connections', 'ec2.describe-network-interfaces', 'ec2.describe-network-interfaces', 'ec2.describe-transit-gateway-vpc-attachment', 'ec2.describe-vpc');\n// Retrieve AWS CloudTrail events\nAWSCloudTrail \n// Filter events with UserAgent starting with \"aws-cli\"\n| where UserAgent startswith \"aws-cli\" \n// Extract the command from the UserAgent using string splitting\n| extend command = tostring(split(UserAgent, \"off command/\", 1)[0]) \n// Filter events based on predefined suspicious command list\n| where command has_any (SuspiciousCommands) \n// Summarize relevant information for further analysis\n| summarize \n CommadCount = dcount(command), \n EventCount = dcount(EventName), \n commands = make_list(command), \n Events = make_list(EventName) \n by \n bin(TimeGenerated, 1min), \n UserIdentityUserName, \n SourceIpAddress, \n SessionMfaAuthenticated \n// Filter out results with a sufficient count of unique suspicious commands in 1 min time window\n| where CommadCount >= 8\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Reconnaissance"
],
"techniques": [
"T1595",
"T1592.004",
"T1589.002",
"T1589.003",
"T1590",
"T1591",
"T1596"
],
"alertRuleTemplateName": "8c2dc344-9352-4ca1-8863-b1b7a5e09e59",
"customDetails": {
"SuspiciousCommand": "commands",
"AWSUserIp": "SourceIpAddress",
"AWSUser": "UserIdentityUserName"
},
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIpAddress"
}
],
"entityType": "IP"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSCLICommandExecution.yaml",
"templateVersion": "1.0.0"
}
}
]
}