Creation of Access Key for IAM User

Back


Id	9a6554e6-63d9-4f94-9b32-64d1d40628f2
Rulename	Creation of Access Key for IAM User
Description	Establishes persistence by creating an access key on an existing IAM user. This type of action should be validated by Account Admin of AWS Account. Ref : https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user/
Severity	Medium
Tactics	Persistence
Techniques	T1098
Required data connectors	AWS
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserAccessKeyCreated.yaml
Version	1.0.1
Arm template	9a6554e6-63d9-4f94-9b32-64d1d40628f2.json

KQL

AWSCloudTrail
| where EventName == "CreateAccessKey" 
| project-away SourceSystem,Category,Type,TenantId,EventVersion,SessionIssuerAccountId
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]

YAML

entityMappings:
- fieldMappings:
  - columnName: Name
    identifier: Name
  - columnName: UpnSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address
  entityType: IP
triggerThreshold: 0
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserAccessKeyCreated.yaml
queryFrequency: 15m
status: Available
relevantTechniques:
- T1098
triggerOperator: gt
id: 9a6554e6-63d9-4f94-9b32-64d1d40628f2
requiredDataConnectors:
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
version: 1.0.1
name: Creation of Access Key for IAM User
description: |
    'Establishes persistence by creating an access key on an existing IAM user. This type of action should be validated by Account Admin of AWS Account. Ref : https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user/'
query: |
  AWSCloudTrail
  | where EventName == "CreateAccessKey" 
  | project-away SourceSystem,Category,Type,TenantId,EventVersion,SessionIssuerAccountId
  | extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
  | extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]  
tactics:
- Persistence
queryPeriod: 15m
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9a6554e6-63d9-4f94-9b32-64d1d40628f2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9a6554e6-63d9-4f94-9b32-64d1d40628f2')]",
      "properties": {
        "alertRuleTemplateName": "9a6554e6-63d9-4f94-9b32-64d1d40628f2",
        "customDetails": null,
        "description": "'Establishes persistence by creating an access key on an existing IAM user. This type of action should be validated by Account Admin of AWS Account. Ref : https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user/'\n",
        "displayName": "Creation of Access Key for IAM User",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UpnSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserAccessKeyCreated.yaml",
        "query": "AWSCloudTrail\n| where EventName == \"CreateAccessKey\" \n| project-away SourceSystem,Category,Type,TenantId,EventVersion,SessionIssuerAccountId\n| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, \":\") + 1)\n| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1098"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}