Creation of Access Key for IAM User

Back


Id	9a6554e6-63d9-4f94-9b32-64d1d40628f2
Rulename	Creation of Access Key for IAM User
Description	Establishes persistence by creating an access key on an existing IAM user. This type of action should be validated by Account Admin of AWS Account. Ref : https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user/
Severity	Medium
Tactics	Persistence
Techniques	T1098
Required data connectors	AWS
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserAccessKeyCreated.yaml
Version	1.0.1
Arm template	9a6554e6-63d9-4f94-9b32-64d1d40628f2.json

KQL

AWSCloudTrail
| where EventName == "CreateAccessKey" 
| project-away SourceSystem,Category,Type,TenantId,EventVersion,SessionIssuerAccountId
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]

YAML

kind: Scheduled
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Name
    identifier: Name
  - columnName: UpnSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address
description: |
    'Establishes persistence by creating an access key on an existing IAM user. This type of action should be validated by Account Admin of AWS Account. Ref : https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user/'
severity: Medium
queryFrequency: 15m
triggerThreshold: 0
relevantTechniques:
- T1098
status: Available
tactics:
- Persistence
name: Creation of Access Key for IAM User
id: 9a6554e6-63d9-4f94-9b32-64d1d40628f2
query: |
  AWSCloudTrail
  | where EventName == "CreateAccessKey" 
  | project-away SourceSystem,Category,Type,TenantId,EventVersion,SessionIssuerAccountId
  | extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
  | extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]  
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
version: 1.0.1
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserAccessKeyCreated.yaml
queryPeriod: 15m

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9a6554e6-63d9-4f94-9b32-64d1d40628f2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9a6554e6-63d9-4f94-9b32-64d1d40628f2')]",
      "properties": {
        "alertRuleTemplateName": "9a6554e6-63d9-4f94-9b32-64d1d40628f2",
        "customDetails": null,
        "description": "'Establishes persistence by creating an access key on an existing IAM user. This type of action should be validated by Account Admin of AWS Account. Ref : https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user/'\n",
        "displayName": "Creation of Access Key for IAM User",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UpnSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserAccessKeyCreated.yaml",
        "query": "AWSCloudTrail\n| where EventName == \"CreateAccessKey\" \n| project-away SourceSystem,Category,Type,TenantId,EventVersion,SessionIssuerAccountId\n| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, \":\") + 1)\n| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1098"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}