[New Rule] Adding Coverage for `Unusual AWS S3 Object Encryption with…

… SSE-C` (elastic#4377) * new rule 'Unusual AWS S3 Object Encryption with SSE-C' * updated pyproject patch version * bump repo version * Update rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml * updating patch version * updating patch version * Adding additional threshold rule
MakoWish · Jan 15, 2025 · 5162067 · 5162067
1 parent c04ae6d
commit 5162067
Show file tree

Hide file tree

Showing 4 changed files with 284 additions and 1 deletion.
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
@@ -158,6 +158,10 @@
     "aws.cloudtrail.flattened.request_parameters.roleName": "keyword",
     "aws.cloudtrail.flattened.request_parameters.policyArn": "keyword",
     "aws.cloudtrail.flattened.request_parameters.serialNumber": "keyword",
+    "aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm": "keyword",
+    "aws.cloudtrail.flattened.additional_eventdata.SSEApplied": "keyword",
+    "aws.cloudtrail.flattened.request_parameters.bucketName": "keyword",
+    "aws.cloudtrail.flattened.request_parameters.key": "keyword",
     "aws.cloudtrail.flattened.request_parameters.includeDeprecated": "keyword"
   },
   "logs-azure.signinlogs-*": {

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.3.18"
+version = "0.3.19"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

diff --git a/rules/integrations/aws/impact_s3_excessive_object_encryption_with_sse_c.toml b/rules/integrations/aws/impact_s3_excessive_object_encryption_with_sse_c.toml
@@ -0,0 +1,128 @@
+[metadata]
+creation_date = "2025/01/15"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a high-volume of AWS S3 objects stored in a bucket using using Server-Side Encryption with Customer-Provided Keys
+(SSE-C). Adversaries with compromised AWS credentials can encrypt objects in an S3 bucket using their own encryption
+keys, rendering the objects unreadable or recoverable without the key. This can be used as a form of ransomware to
+extort the bucket owner for the decryption key. This is a [Threshold](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-threshold-rule) rule that flags when
+this behavior is observed for a specific bucket more than 15 times in a short time-window.
+"""
+false_positives = [
+    """
+    Legitimate use of Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt objects in an S3 bucket.
+    """,
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Excessive AWS S3 Object Encryption with SSE-C"
+note = """### Triage and Analysis
+
+#### Investigating Excessive AWS S3 Object Encryption with SSE-C
+This rule identifies a high volume of objects being encrypted using Server-Side Encryption with Customer-Provided Keys (SSE-C) in AWS S3. This could indicate malicious activity, such as ransomware encrypting objects, rendering them inaccessible without the corresponding encryption keys.
+
+##### Possible Investigation Steps
+
+1. **Identify the User and Source**:
+   - Review the `aws.cloudtrail.user_identity.arn` to identify the IAM user or role performing the operation.
+   - Cross-check the `source.ip` and `user_agent.original` fields for unusual IPs or user agents that could indicate unauthorized access.
+   - Review the `aws.cloudtrail.user_identity.access_key_id` to identify the access key used. This could be a compromised key.
+
+2. **Examine the Targeted Resources**:
+   - Check `aws.cloudtrail.flattened.request_parameters.bucketName` to identify the bucket involved.
+   - Analyze the object key from `aws.cloudtrail.flattened.request_parameters.key`.
+
+3. **Evaluate Encryption Behavior**:
+   - Confirm the encryption details in `aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm` and `aws.cloudtrail.flattened.additional_eventdata.SSEApplied`.
+   - Note if `SSEApplied` is `SSE-C`, which confirms encryption using a customer-provided key.
+
+4. **Correlate with Recent Events**:
+   - Look for any suspicious activity in proximity to the encryption event, such as new access key creation, policy changes, or unusual access patterns from the same user or IP.
+   - Identify `ListBucket` or `GetObject` operations on the same bucket to determine all affected objects.
+   - For `PutObject` events, identify any other unusual objecs uploaded such as a ransom note.
+
+5. **Validate Access Permissions**:
+   - Check the IAM policies and roles associated with the user to verify if they had legitimate access to encrypt objects.
+
+6. **Assess Impact**:
+   - Identify the number of encrypted objects in the bucket by examining other similar events.
+   - Determine if this encryption aligns with standard business practices or constitutes a deviation.
+
+### False Positive Analysis
+
+- **Legitimate Use Cases**:
+  - Confirm if SSE-C encryption is part of regular operations for compliance or data protection.
+  - Cross-reference known processes or users authorized for SSE-C encryption in the affected bucket.
+
+### Response and Remediation
+
+1. **Immediate Actions**:
+   - Disable access keys or permissions for the user if unauthorized behavior is confirmed.
+   - Rotate the bucket's encryption configuration to mitigate further misuse.
+
+2. **Data Recovery**:
+   - Attempt to identify and contact the party holding the SSE-C encryption keys if recovery is necessary.
+
+3. **Enhance Monitoring**:
+   - Enable alerts for future SSE-C encryption attempts in critical buckets.
+   - Review and tighten IAM policies for roles and users accessing S3.
+
+4. **Post-Incident Review**:
+   - Audit logs for additional activities by the same user or IP.
+   - Document findings and apply lessons learned to improve preventive measures.
+"""
+references = [
+    "https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c",
+    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html",
+]
+risk_score = 73
+rule_id = "909bf7c8-d371-11ef-bcc3-f661ea17fbcd"
+setup = "AWS S3 data event types need to be enabled in the CloudTrail trail configuration."
+severity = "high"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS S3",
+    "Resources: Investigation Guide",
+    "Use Case: Threat Detection",
+    "Tactic: Impact",
+]
+timestamp_override = "event.ingested"
+type = "threshold"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+    and event.provider: "s3.amazonaws.com"
+    and event.action: "PutObject"
+    and event.outcome: "success"
+    and aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm: "AES256"
+    and aws.cloudtrail.flattened.additional_eventdata.SSEApplied: "SSE_C"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1486"
+name = "Data Encrypted for Impact"
+reference = "https://attack.mitre.org/techniques/T1486/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
+[rule.threshold]
+field = ["aws.cloudtrail.flattened.request_parameters.bucketName"]
+value = 20
+
+
diff --git a/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml b/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml
@@ -0,0 +1,151 @@
+[metadata]
+creation_date = "2025/01/15"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when AWS S3 objects stored in a bucket are encrypted using Server-Side Encryption with Customer-Provided Keys
+(SSE-C). Adversaries with compromised AWS credentials can encrypt objects in an S3 bucket using their own encryption
+keys, rendering the objects unreadable or recoverable without the key. This can be used as a form of ransomware to
+extort the bucket owner for the decryption key. This is a [New
+Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that flags when
+this behavior is observed for the first time in the last 14 days by the user ARN and target bucket name.
+"""
+false_positives = [
+    """
+    Legitimate use of Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt objects in an S3 bucket.
+    """,
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual AWS S3 Object Encryption with SSE-C"
+note = """### Triage and Analysis
+
+#### Investigating Unusual AWS S3 Object Encryption with SSE-C
+This rule identifies the use of Server-Side Encryption with Customer-Provided Keys (SSE-C) in AWS S3. This could indicate malicious activity, such as ransomware encrypting objects, rendering them inaccessible without the corresponding encryption keys.
+
+##### Possible Investigation Steps
+
+1. **Identify the User and Source**:
+   - Review the `aws.cloudtrail.user_identity.arn` to identify the IAM user or role performing the operation.
+   - Cross-check the `source.ip` and `user_agent.original` fields for unusual IPs or user agents that could indicate unauthorized access.
+   - Review the `aws.cloudtrail.user_identity.access_key_id` to identify the access key used. This could be a compromised key.
+
+2. **Examine the Targeted Resources**:
+   - Check `aws.cloudtrail.flattened.request_parameters.bucketName` to identify the bucket involved.
+   - Analyze the object key from `aws.cloudtrail.flattened.request_parameters.key`.
+
+3. **Evaluate Encryption Behavior**:
+   - Confirm the encryption details in `aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm` and `aws.cloudtrail.flattened.additional_eventdata.SSEApplied`.
+   - Note if `SSEApplied` is `SSE-C`, which confirms encryption using a customer-provided key.
+
+4. **Correlate with Recent Events**:
+   - Look for any suspicious activity in proximity to the encryption event, such as new access key creation, policy changes, or unusual access patterns from the same user or IP.
+   - Identify `ListBucket` or `GetObject` operations on the same bucket to determine all affected objects.
+   - For `PutObject` events, identify any other unusual objecs uploaded such as a ransom note.
+
+5. **Validate Access Permissions**:
+   - Check the IAM policies and roles associated with the user to verify if they had legitimate access to encrypt objects.
+
+6. **Assess Impact**:
+   - Identify the number of encrypted objects in the bucket by examining other similar events.
+   - Determine if this encryption aligns with standard business practices or constitutes a deviation.
+
+### False Positive Analysis
+
+- **Legitimate Use Cases**:
+  - Confirm if SSE-C encryption is part of regular operations for compliance or data protection.
+  - Cross-reference known processes or users authorized for SSE-C encryption in the affected bucket.
+
+### Response and Remediation
+
+1. **Immediate Actions**:
+   - Disable access keys or permissions for the user if unauthorized behavior is confirmed.
+   - Rotate the bucket's encryption configuration to mitigate further misuse.
+
+2. **Data Recovery**:
+   - Attempt to identify and contact the party holding the SSE-C encryption keys if recovery is necessary.
+
+3. **Enhance Monitoring**:
+   - Enable alerts for future SSE-C encryption attempts in critical buckets.
+   - Review and tighten IAM policies for roles and users accessing S3.
+
+4. **Post-Incident Review**:
+   - Audit logs for additional activities by the same user or IP.
+   - Document findings and apply lessons learned to improve preventive measures.
+"""
+references = [
+    "https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c",
+    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html",
+]
+risk_score = 73
+rule_id = "c1a9ed70-d349-11ef-841c-f661ea17fbcd"
+setup = "AWS S3 data event types need to be enabled in the CloudTrail trail configuration."
+severity = "high"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS S3",
+    "Resources: Investigation Guide",
+    "Use Case: Threat Detection",
+    "Tactic: Impact",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+    and event.provider: "s3.amazonaws.com"
+    and event.action: "PutObject"
+    and event.outcome: "success"
+    and aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm: "AES256"
+    and aws.cloudtrail.flattened.additional_eventdata.SSEApplied: "SSE_C"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1486"
+name = "Data Encrypted for Impact"
+reference = "https://attack.mitre.org/techniques/T1486/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "event.action",
+    "event.outcome",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "aws.cloudtrail.flattened.request_parameters.bucketName",
+    "aws.cloudtrail.flattened.request_parameters.key",
+    "aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm",
+    "aws.cloudtrail.flattened.additional_eventdata.SSEApplied",
+    "aws.cloudtrail.response_elements",
+    "source.ip",
+    "user_agent.original",
+    "cloud.region",
+    "cloud.account.id",
+]
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["aws.cloudtrail.user_identity.arn", "aws.cloudtrail.flattened.request_parameters.bucketName"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
+
+