At NetWitness, our methodology has always been to provide our community with the means for accelerated threat detection by making relevant resources available in the form of plugins, integrations, parsers, detection content, feeds and much more.
The cloud computing space has been on a rapid upward trajectory in adoption, infrastructure and scale for quite some time. The pandemic, with its new style of connected workplaces, has fueled cloud technologies to grow even further.
Within the last couple of months, some of the things we have built in this space are Universal Plugins for AWS, a Universal Plugin for the Microsoft Graph API, and Anomalous Activity Detection threat content based on AWS CloudTrail.
We have now taken a step further and improved our existing threat detection coverage by adding log-based Application Rules and Event Stream Analytics (ESA) Rules for Google Cloud Platform (GCP), and by updating the list of detections for AWS CloudTrail.
Application Rules:
- GCP - Critical changes to logging
Detects critical changes made to Pub/Sub or Logging resources within a GCP account. An adversary may disable cloud logging capabilities to limit what data is collected on their activities and avoid detection.
Generated Meta Keys: boc = gcp - critical changes to logging
- GCP - Unauthorized account activity
This rule detects unauthorized operations, i.e. requests that were denied for lack of permission, being attempted in a GCP account. Adversaries may obtain and abuse credentials of a cloud account as a means of achieving privilege escalation, and failed attempts often precede a successful one.
Generated Meta Keys: boc = gcp - unauthorized account activity
- GCP - Multiple vm instances created
This rule triggers when five or more VM instances are launched within a single request by one user entity in a GCP account. It can be indicative of potential abuse of computing resources (for example cryptomining) by an adversary.
Generated Meta Keys: boc = gcp - multiple vm instances created
- GCP - Admin privileges to service account
This rule triggers when admin or service owner privileges are assigned to a service account by a user entity in a GCP Account. Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to vm instances within the environment.
Generated Meta Keys: boc = gcp - admin privileges to service account
- GCP - Firewall rule modified
This rule detects important changes made to the firewall configuration within a GCP account. Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.
Generated Meta Keys: boc = gcp - firewall rule modified
- GCP - VPC modified
This rule detects important changes made to the VPC configuration within a GCP account. Adversaries may modify the VPC within a cloud environment to bypass controls that limit access to cloud resources.
Generated Meta Keys: boc = gcp - vpc modified
- GCP - Network route modified
This rule detects important changes made to the network route configuration within a GCP account. Adversaries may modify the routing table within a cloud environment to bypass controls that limit access to cloud resources.
Generated Meta Keys: boc = gcp - network route modified
- AWS - Security group or network acl modified
This rule detects important changes made to security groups or network ACLs within an AWS account. Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.
Generated Meta Keys: boc = aws - security group or network acl modified
- AWS - VPC modified
This rule detects important changes made to a VPC and its configuration within an AWS account. Adversaries may modify the VPC within a cloud environment to bypass controls that limit access to cloud resources.
Generated Meta Keys: boc = aws - vpc modified
- AWS - Network route modified
This rule detects important changes made to network routes, including local, VPN and transit gateway routes, within an AWS account. Adversaries may modify the network routes within a cloud environment to bypass controls that limit access to cloud resources.
Generated Meta Keys: boc = aws - network route modified
- AWS - VPC flow logs modified
This rule detects important changes made to VPC Flow Logs within an AWS account. An adversary may disable cloud logging capabilities to limit what data is collected on their activities and avoid detection.
Generated Meta Keys: boc = aws - vpc flow logs modified
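To make the shape of these application rules concrete, here is an added example (not NetWitness code and not the shipped rule definitions) that re-implements five of the GCP rules above over constructed Cloud Audit Log entries. The field layout follows the Cloud Audit Log schema (protoPayload.methodName, authenticationInfo.principalEmail, status.code, serviceData.policyDelta.bindingDeltas); the request.count field on bulkInsert, the method name lists, and the meta key names other than the cs.* keys and boc named on this page are assumptions made for the example. It also shows a detail worth getting right in a real parser: a single SetIamPolicy event can carry several binding deltas, so cs.policyaction, cs.policyrole and cs.policymember must be kept aligned per binding rather than flattened into one record.

```python
from __future__ import annotations
from typing import Any, Callable

# Constructed sample events (not captured data). Field layout follows the Cloud
# Audit Log schema; request.count on bulkInsert and the non-cs.* key names are
# assumptions for this example.
PROJECT = "demo-project"


def entry(principal: str, method: str, resource: str, **extra: Any) -> dict[str, Any]:
    """Build a trimmed LogEntry; extra keys override/add protoPayload fields."""
    payload: dict[str, Any] = {
        "methodName": method,
        "resourceName": resource,
        "authenticationInfo": {"principalEmail": principal},
        "status": {},
    }
    payload.update(extra)
    return {"protoPayload": payload, "resource": {"labels": {"project_id": PROJECT}}}


SAMPLE_LOGS = [
    entry("alice@example.com", "google.logging.v2.ConfigServiceV2.DeleteSink",
          f"projects/{PROJECT}/sinks/siem-export"),
    entry("bob@example.com", "v1.compute.instances.insert",
          f"projects/{PROJECT}/zones/us-central1-a/instances/web-1",
          status={"code": 7, "message": "PERMISSION_DENIED"}),
    entry("carol@example.com", "SetIamPolicy", f"projects/{PROJECT}",
          serviceData={"policyDelta": {"bindingDeltas": [
              {"action": "ADD", "role": "roles/logging.viewer", "member": "user:dave@example.com"},
              {"action": "ADD", "role": "roles/owner",
               "member": f"serviceAccount:ci@{PROJECT}.iam.gserviceaccount.com"},
          ]}}),
    entry("dave@example.com", "v1.compute.firewalls.patch",
          f"projects/{PROJECT}/global/firewalls/allow-ssh"),
    entry("erin@example.com", "v1.compute.instances.bulkInsert",
          f"projects/{PROJECT}/zones/us-central1-a/instances", request={"count": 8}),
    entry("frank@example.com", "v1.compute.instances.list",
          f"projects/{PROJECT}/zones/us-central1-a/instances"),
]


def to_meta(log: dict[str, Any]) -> list[dict[str, Any]]:
    """Flatten one LogEntry into parser-style meta records.

    A SetIamPolicy with several binding deltas yields one record per delta, so
    cs.policyaction / cs.policyrole / cs.policymember stay aligned per binding.
    """
    p = log["protoPayload"]
    base = {
        "username": p["authenticationInfo"]["principalEmail"],
        "action": p["methodName"],
        "obj.name": p.get("resourceName", ""),
        "cs.projectid": log["resource"]["labels"]["project_id"],
        "cs.statuscode": p.get("status", {}).get("code", 0),  # 0 = OK
        "vm.count": p.get("request", {}).get("count", 1),     # assumption
    }
    deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    if not deltas:
        return [base]
    return [{**base, "cs.policyaction": d["action"], "cs.policyrole": d["role"],
             "cs.policymember": d["member"]} for d in deltas]


# Method lists are illustrative, not the shipped rule definitions.
LOGGING_METHODS = {
    "google.logging.v2.ConfigServiceV2.DeleteSink",
    "google.logging.v2.ConfigServiceV2.UpdateSink",
    "google.logging.v2.ConfigServiceV2.CreateExclusion",
    "google.logging.v2.ConfigServiceV2.UpdateExclusion",
    "google.pubsub.v1.Publisher.DeleteTopic",
    "google.pubsub.v1.Subscriber.DeleteSubscription",
}
FIREWALL_METHODS = {f"v1.compute.firewalls.{op}" for op in ("insert", "patch", "update", "delete")}
ADMIN_ROLES = {"roles/owner", "roles/iam.serviceAccountAdmin"}
PERMISSION_DENIED = 7  # google.rpc.Code.PERMISSION_DENIED

APP_RULES: list[tuple[str, Callable[[dict[str, Any]], bool]]] = [
    ("gcp - critical changes to logging", lambda m: m["action"] in LOGGING_METHODS),
    ("gcp - unauthorized account activity", lambda m: m["cs.statuscode"] == PERMISSION_DENIED),
    ("gcp - firewall rule modified", lambda m: m["action"] in FIREWALL_METHODS),
    ("gcp - admin privileges to service account",
     lambda m: m.get("cs.policyaction") == "ADD" and m.get("cs.policyrole") in ADMIN_ROLES
     and str(m.get("cs.policymember", "")).startswith("serviceAccount:")),
    ("gcp - multiple vm instances created",
     lambda m: m["action"] == "v1.compute.instances.bulkInsert" and m["vm.count"] >= 5),
]


def apply_app_rules(log: dict[str, Any]) -> list[str]:
    """Return the boc values one LogEntry generates (deduplicated, in rule order)."""
    hits: list[str] = []
    for meta in to_meta(log):
        for boc, predicate in APP_RULES:
            if predicate(meta) and boc not in hits:
                hits.append(boc)
    return hits


def detect(logs: list[dict[str, Any]]) -> list[tuple[str, str]]:
    """(principal, boc) pairs across a batch, in input order."""
    return [(log["protoPayload"]["authenticationInfo"]["principalEmail"], boc)
            for log in logs for boc in apply_app_rules(log)]


if __name__ == "__main__":
    for user, boc in detect(SAMPLE_LOGS):
        print(f"{user:20} boc={boc}")
```

Running the block prints one boc line for each of the first five sample entries and nothing for the benign instances.list call. The per-delta flattening is the point to carry over to real content: a rule keyed on cs.policyrole = roles/owner AND cs.policymember starting with serviceAccount: would produce a false match on a single-record flattening of carol's event if the viewer grant and the owner grant were stored as two independent multi-valued lists.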
Event Stream Analytics (ESA) Rules:
- GCP - Multiple custom roles created within a short period of time
This rule triggers when the specified number of custom IAM roles are created within the specified amount of time in a GCP account. It helps detect unexpected and potentially malicious IAM activity.
- GCP - Multiple custom roles deleted within a short period of time
This rule triggers when the specified number of custom IAM roles are deleted within the specified amount of time in a GCP account. It helps detect unexpected and potentially malicious IAM activity.
- GCP - Multiple project ownership invites created within a short period of time
This rule triggers when the specified number of project ownership invites are sent out within the specified amount of time in a GCP account. It helps detect unexpected and potentially malicious IAM activity.
- GCP - Multiple service account keys created within a short period of time
This rule triggers when the specified number of service account keys are created within the specified amount of time, in a GCP Account. Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
- GCP - Multiple service accounts created within a short period of time
This rule triggers when the specified number of service accounts are created within the specified amount of time, in a GCP Account. Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
- GCP - Multiple service accounts deleted within a short period of time
This rule triggers when the specified number of service accounts are deleted within the specified amount of time in a GCP account. Mass deletion of service accounts disrupts the workloads that depend on them and can indicate destructive activity or an adversary cleaning up after themselves.
- GCP - Multiple vm instances created in multiple zones within a short period of time
This rule triggers when the specified number of VM instances are created in multiple zones within the specified amount of time, in a GCP Account. An adversary may create a vm within the compute service of a cloud account to evade defenses.
- GCP - Multiple vm instances created within a short period of time
This rule triggers when the specified number of VM instances are created within the specified amount of time, in a GCP Account. An adversary may create a vm within the compute service of a cloud account to evade defenses.
- GCP - Multiple vm instances deleted within a short period of time
This rule triggers when the specified number of VM instances are deleted within the specified amount of time, in a GCP Account. An adversary may delete a vm instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence.
- GCP - Buckets enumerated*
This rule triggers when the specified number of bucket listing operations are performed by a single user entity within the specified amount of time in a GCP account. It can be indicative of reconnaissance activity and potential compromise.
- GCP - Mass copy objects**
This rule triggers when the specified number of storage objects are copied by a single user entity within the specified amount of time in a GCP account. It can be indicative of potential abuse of storage resources and exfiltration by an adversary.
- GCP - Mass delete objects**
This rule triggers when the specified number of storage objects are deleted by a single user entity within the specified amount of time in a GCP account. It can be indicative of data destruction or of an adversary removing evidence after abusing storage resources.
- GCP - Multiple API services modified within a short period of time
This rule triggers when the specified number of API service endpoints are modified within the specified amount of time in a GCP account. Adversaries may enable or modify API services to shape follow-on behaviors in the account.
* Please note that bucket listing is only recorded in Data Access audit logs: the Admin Read (ADMIN_READ) log type must be enabled for Google Cloud Storage in the project's IAM Audit Logs configuration for this detection to work.
** Please note that the Data Read (DATA_READ) and Data Write (DATA_WRITE) log types likewise need to be enabled for Google Cloud Storage for these detections to work. Data Access audit logs are off by default and can add considerable log volume on busy buckets, so enable them deliberately.
# The Application and ESA Rules listed above may generate false positives. As each environment is unique, filtering/whitelisting should be done on an individual basis.
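The ESA rules above all follow the same pattern: count matching events per user entity inside a sliding time window and fire when a threshold is reached, with the multi-zone VM rule adding a distinct-value requirement. The following is an added example (not NetWitness code and not the shipped ESA rule logic) that implements that pattern in plain Python over a constructed event stream. Thresholds and windows are illustrative stand-ins for the parameters the shipped rules expose, and the choice to clear a principal's window after a rule fires (one alert per burst rather than one per extra event) is an assumption made for the example, not a statement about how ESA behaves.

```python
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Event:
    """One normalised audit event (constructed for the example, not captured data)."""
    ts: int            # epoch seconds, stream order
    principal: str     # authenticationInfo.principalEmail
    method: str        # protoPayload.methodName
    zone: str = ""     # compute zone taken from resourceName; empty for non-compute


@dataclass
class WindowRule:
    """'N matching events by one principal within W seconds', optionally across Z distinct zones.

    State is kept per principal. After the rule fires, that principal's window is
    cleared so one burst yields one alert (assumption for this example).
    """
    name: str
    match: Callable[[Event], bool]
    threshold: int
    window: int                 # seconds
    distinct_zones: int = 1     # >1 gives the 'multiple zones' variant
    _seen: dict[str, deque[Event]] = field(default_factory=lambda: defaultdict(deque),
                                           init=False, repr=False)

    def feed(self, ev: Event) -> Optional[tuple[str, str, int]]:
        if not self.match(ev):
            return None
        q = self._seen[ev.principal]
        q.append(ev)
        while q and ev.ts - q[0].ts > self.window:  # slide: drop events that fell out
            q.popleft()
        if len(q) >= self.threshold and len({e.zone for e in q}) >= self.distinct_zones:
            count = len(q)
            q.clear()
            return (self.name, ev.principal, count)
        return None


KEY_CREATE = "google.iam.admin.v1.CreateServiceAccountKey"
VM_INSERT = "v1.compute.instances.insert"
BUCKET_LIST = "storage.buckets.list"  # only present with ADMIN_READ data-access logs


def build_rules() -> list[WindowRule]:
    """Thresholds/windows are illustrative; the shipped rules expose them as parameters."""
    return [
        WindowRule("gcp - multiple service account keys created within a short period of time",
                   lambda e: e.method == KEY_CREATE, threshold=3, window=300),
        WindowRule("gcp - multiple vm instances created within a short period of time",
                   lambda e: e.method == VM_INSERT, threshold=3, window=600),
        WindowRule("gcp - multiple vm instances created in multiple zones within a short period of time",
                   lambda e: e.method == VM_INSERT, threshold=3, window=600, distinct_zones=2),
        WindowRule("gcp - buckets enumerated",
                   lambda e: e.method == BUCKET_LIST, threshold=4, window=600),
    ]


def run(rules: list[WindowRule], events: list[Event]) -> list[tuple[str, str, int]]:
    """Feed a time-ordered stream through every rule; return (rule, principal, count) alerts."""
    alerts: list[tuple[str, str, int]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in rules:
            hit = rule.feed(ev)
            if hit:
                alerts.append(hit)
    return alerts


SAMPLE_EVENTS = [
    Event(0, "alice@example.com", KEY_CREATE),        # three keys in 40 s -> burst
    Event(20, "alice@example.com", KEY_CREATE),
    Event(40, "alice@example.com", KEY_CREATE),
    Event(100, "bob@example.com", KEY_CREATE),        # a single key -> no alert
    Event(200, "carol@example.com", VM_INSERT, "us-central1-a"),
    Event(230, "carol@example.com", VM_INSERT, "europe-west1-b"),
    Event(260, "carol@example.com", VM_INSERT, "asia-east1-a"),
    Event(500, "alice@example.com", KEY_CREATE),      # two more, outside the first window
    Event(510, "alice@example.com", KEY_CREATE),
    Event(1000, "dave@example.com", BUCKET_LIST),     # four listings spread over ~2 h:
    Event(3000, "dave@example.com", BUCKET_LIST),     # never four inside 600 s
    Event(5000, "dave@example.com", BUCKET_LIST),
    Event(7000, "dave@example.com", BUCKET_LIST),
]

if __name__ == "__main__":
    for name, principal, count in run(build_rules(), SAMPLE_EVENTS):
        print(f"{name} | {principal} | {count} events")
```

Run as-is, the stream produces three alerts: alice's key burst, and both VM rules for carol's three inserts (the multi-zone variant fires because three distinct zones were used). Dave's slow bucket listing never accumulates four events inside one window, which is exactly the kind of low-and-slow enumeration a pure threshold rule misses; tuning the window longer trades that blind spot for more false positives from legitimate tooling, which is why the page recommends per-environment filtering.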
Dependencies:
- Log Device/Parser: GCP
The GCP Log Device/Parser needs to be deployed from NW Live to handle and process the incoming events from your account.
Our detection queries rely on custom meta keys. The lines below must therefore be added inside the <mappings> element of the table-map-custom.xml file on the Log Decoder (the keys should also be indexed on the Concentrator through index-concentrator-custom.xml so that they can be queried):
<mapping envisionName="cs.accesskeyid" nwName="cs.accesskeyid" flags="None" format="Text"/>
<mapping envisionName="cs.imageid" nwName="cs.imageid" flags="None" format="Text"/>
<mapping envisionName="cs.projectid" nwName="cs.projectid" flags="None" format="Text"/>
<mapping envisionName="cs.statuscode" nwName="cs.statuscode" flags="None" format="Text"/>
<mapping envisionName="cs.instancetype" nwName="cs.instancetype" flags="None" format="Text"/>
<mapping envisionName="cs.instancekey" nwName="cs.instancekey" flags="None" format="Text"/>
<mapping envisionName="cs.policyaction" nwName="cs.policyaction" flags="None" format="Text"/>
<mapping envisionName="cs.policyrole" nwName="cs.policyrole" flags="None" format="Text"/>
<mapping envisionName="cs.policymember" nwName="cs.policymember" flags="None" format="Text"/>
- Log Collector: Google Cloud Platform Event Source/Plugin
The plugin needs to be deployed from NW Live and the event source needs to be configured properly in order to receive the events in JSON format.