panther-labs · arielkr256 · Oct 22, 2024 · Dec 2, 2024 · Jan 8, 2025 · Jan 8, 2025
@@ -183,6 +183,11 @@ PackDefinition:
     - AWS.Console.Login
     - Retrieve.SSO.access.token
     - Sign-in.with.AWS.CLI.prompt
+    # Stratus Red Team Rules
+    - AWS.SecretsManager.RetrieveSecretsMultiRegion
+    - AWS.SecretsManager.RetrieveSecrets
+    - AWS.SecretsManager.BatchRetrieveSecrets
+    - AWS.SecretsManager.BatchRetrieveSecretsCatchAll
     # Queries
     - AWS Potentially Stolen Service Role
     - Query.CloudTrail.Password.Spraying

@@ -0,0 +1,16 @@
+from panther_aws_helpers import aws_rule_context
+
+
+def rule(event):
+    if event.get("eventName") == "GetSecretValue":
+        return True
+    return False
+
+
+def title(event):
+    user = event.udm("actor_user")
+    return f"[{user}] attempted to retrieve a large number of secrets from AWS Secrets Manager"
+
+
+def alert_context(event):
+    return aws_rule_context(event)
@@ -0,0 +1,74 @@
+AnalysisType: rule
+Filename: aws_secretsmanager_retrieve_secrets.py
+RuleID: "AWS.SecretsManager.RetrieveSecrets"
+DisplayName: "EC2 Secrets Manager Retrieve Secrets"
+Enabled: true
+LogTypes:
+  - AWS.CloudTrail
+Tags:
+  - AWS
+  - Credential Access
+  - Stratus Red Team
+Reports:
+  MITRE ATT&CK:
+    - TA0006:T1552 # Credentials from Password Stores 
+Severity: Medium
+Description: An attacker attempted to retrieve a high number of Secrets Manager secrets, through secretsmanager:GetSecretValue.
+Runbook: https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+Reference: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets/
+Threshold: 20
+DedupPeriodMinutes: 60
+SummaryAttributes:
+  - eventName
+  - userAgent
+  - sourceIpAddress
+  - recipientAccountId
+  - p_any_aws_arns
+Tests:
+  - Name: GetSecretValue Denied
+    ExpectedResult: true
+    Log: {
+      "awsRegion": "us-west-2",
+      "eventCategory": "Management",
+      "eventID": "dfd6d93a-2ce6-4dbe-8939-86b8ba67c868",
+      "eventName": "GetSecretValue",
+      "eventSource": "secretsmanager.amazonaws.com",
+      "eventTime": "2024-10-17 21:48:45.000000000",
+      "eventType": "AwsApiCall",
+      "eventVersion": "1.09",
+      "managementEvent": true,
+      "readOnly": true,
+      "recipientAccountId": "123123123123",
+      "requestID": "5128b35f-0daf-4c5e-948a-21a1c507968c",
+      "requestParameters": {
+        "secretId": "arn:aws:secretsmanager:us-west-2:123123123123:secret:stratus-red-team-retrieve-secret-3-gscOm8",
+        "versionId": "7DC59E8B-63AE-454D-B7A4-8A7D64AB05E7"
+      },
+      "sourceIPAddress": "123.123.123.123",
+      "tlsDetails": {
+        "cipherSuite": "TLS_AES_128_GCM_SHA256",
+        "clientProvidedHostHeader": "secretsmanager.us-west-2.amazonaws.com",
+        "tlsVersion": "TLSv1.3"
+      },
+      "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.1.2 (+https://www.terraform.io) terraform-provider-aws/3.76.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.157 (go1.19.3; darwin; arm64) HashiCorp-terraform-exec/0.17.3",
+      "userIdentity": {
+        "accessKeyId": "ASIASXP6SDP2LKLKYYC4",
+        "accountId": "123123123123",
+        "arn": "arn:aws:sts::123123123123:assumed-role/AWSReservedSSO_DevAdmin_635426549a280cc6/evil.genius",
+        "principalId": "AROASXP6SDP2F4WLQVARB:evil.genius",
+        "sessionContext": {
+          "attributes": {
+            "creationDate": "2024-10-17T21:48:13Z",
+            "mfaAuthenticated": "false"
+          },
+          "sessionIssuer": {
+            "accountId": "123123123123",
+            "arn": "arn:aws:iam::123123123123:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_DevAdmin_635426549a280cc6",
+            "principalId": "AROASXP6SDP2F4WLQVARB",
+            "type": "Role",
+            "userName": "AWSReservedSSO_DevAdmin_635426549a280cc6"
+          }
+        },
+        "type": "AssumedRole"
+      }
+    }
@@ -0,0 +1,18 @@
+from panther_aws_helpers import aws_rule_context
+
+
+def rule(event):
+    if event.get("eventName") == "BatchGetSecretValue":
+        return True
+    return False
+
+
+def title(event):
+    user = event.udm("actor_user")
+    return (
+        f"[{user}] attempted to batch retrieve a large number of secrets from AWS Secrets Manager"
+    )
+
+
+def alert_context(event):
+    return aws_rule_context(event)
@@ -0,0 +1,50 @@
+AnalysisType: rule
+Filename: aws_secretsmanager_retrieve_secrets_batch.py
+RuleID: "AWS.SecretsManager.BatchRetrieveSecrets"
+DisplayName: "AWS Secrets Manager Batch Retrieve Secrets"
+Enabled: true
+LogTypes:
+  - AWS.CloudTrail
+Tags:
+  - AWS
+  - Credential Access
+  - Stratus Red Team
+Reports:
+  MITRE ATT&CK:
+    - TA0006:T1552 # Credentials from Password Stores 
+Severity: Medium
+Description: >
+  An attacker attempted to retrieve a high number of Secrets Manager secrets by batch, through secretsmanager:BatchGetSecretValue (released Novemeber 2023). 
+  An attacker may attempt to retrieve a high number of secrets by batch, to avoid detection and generate fewer calls. Note that the batch size is limited to 20 secrets.
+Runbook: https://aws.amazon.com/blogs/security/how-to-use-the-batchgetsecretsvalue-api-to-improve-your-client-side-applications-with-aws-secrets-manager/
+Reference: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets/
+Threshold: 5
+DedupPeriodMinutes: 60
+SummaryAttributes:
+  - eventName
+  - userAgent
+  - sourceIpAddress
+  - recipientAccountId
+  - p_any_aws_arns
+Tests:
+  - Name: BatchGetSecretValue
+    ExpectedResult: true
+    Log: {
+      "eventSource": "secretsmanager.amazonaws.com",
+      "eventName": "BatchGetSecretValue",
+      "requestParameters": {
+        "filters": [
+          {
+            "key": "tag-key",
+            "values": [
+              "StratusRedTeam"
+            ]
+          }
+        ]
+      },
+      "responseElements": null,
+      "readOnly": true,
+      "eventType": "AwsApiCall",
+      "managementEvent": true,
+      "recipientAccountId": "012345678901"
+    }
@@ -0,0 +1,27 @@
+from panther_aws_helpers import aws_rule_context
+
+
+def rule(event):
+    if event.get("eventName") != "BatchGetSecretValue":
+        return False
+
+    filters = event.deep_get("requestParameters", "filters", default=[])
+    for filt in filters:
+        if filt.get("key") != "tag-key":
+            return False
+        if any(not value.startswith("!") for value in filt.get("values")):
+            return False
+
+    return True
+
+
+def title(event):
+    user = event.udm("actor_user")
+    return (
+        f"[{user}] attempted to batch retrieve secrets from "
+        "AWS Secrets Manager with a catch-all filter"
+    )
+
+
+def alert_context(event):
+    return aws_rule_context(event)
@@ -0,0 +1,79 @@
+AnalysisType: rule
+Filename: aws_secretsmanager_retrieve_secrets_catchall.py
+RuleID: "AWS.SecretsManager.BatchRetrieveSecretsCatchAll"
+DisplayName: "AWS Secrets Manager Batch Retrieve Secrets Catch-All"
+Enabled: true
+LogTypes:
+  - AWS.CloudTrail
+Tags:
+  - AWS
+  - Credential Access
+  - Stratus Red Team
+Reports:
+  MITRE ATT&CK:
+    - TA0006:T1552 # Credentials from Password Stores 
+Severity: Medium
+Description: >
+  An attacker attempted to retrieve a high number of Secrets Manager secrets by batch, through secretsmanager:BatchGetSecretValue (released Novemeber 2023). 
+  An attacker may attempt to retrieve a high number of secrets by batch, to avoid detection and generate fewer calls. Note that the batch size is limited to 20 secrets.
+  Although BatchGetSecretValue requires a list of secret IDs or a filter, an attacker may use a catch-all filter to retrieve all secrets by batch.
+  This rule identifies BatchGetSecretValue events with a catch-all filter.
+Runbook: https://aws.amazon.com/blogs/security/how-to-use-the-batchgetsecretsvalue-api-to-improve-your-client-side-applications-with-aws-secrets-manager/
+Reference: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets/
+Threshold: 1
+DedupPeriodMinutes: 60
+SummaryAttributes:
+  - eventName
+  - userAgent
+  - sourceIpAddress
+  - recipientAccountId
+  - p_any_aws_arns
+Tests:
+  - Name: BatchGetSecretValue Catch-All
+    ExpectedResult: true
+    Log: {
+      "eventSource": "secretsmanager.amazonaws.com",
+      "eventName": "BatchGetSecretValue",
+      "requestParameters": {
+        "filters": [
+          {
+            "key": "tag-key",
+            "values": [
+              "!tagKeyThatWillNeverExist"
+            ]
+          }
+        ]
+      },
+      "responseElements": null,
+      "readOnly": true,
+      "eventType": "AwsApiCall",
+      "managementEvent": true,
+      "recipientAccountId": "012345678901"
+    }
+  - Name: BatchGetSecretValue Catch-All with other filters
+    ExpectedResult: false
+    Log: {
+      "eventSource": "secretsmanager.amazonaws.com",
+      "eventName": "BatchGetSecretValue",
+      "requestParameters": {
+        "filters": [
+          {
+            "key": "tag-key",
+            "values": [
+              "!tagKeyThatWillNeverExist"
+            ]
+          },
+          {
+            "key": "tag-key",
+            "values": [
+              "tagThatExists"
+            ]
+          }
+        ]
+      },
+      "responseElements": null,
+      "readOnly": true,
+      "eventType": "AwsApiCall",
+      "managementEvent": true,
+      "recipientAccountId": "012345678901"
+    }
@@ -0,0 +1,26 @@
+from panther_aws_helpers import aws_rule_context
+from panther_detection_helpers.caching import add_to_string_set
+
+RULE_ID = "AWS.SecretsManager.RetrieveSecretsMultiRegion"
+UNIQUE_REGION_THRESHOLD = 5
+WITHIN_TIMEFRAME_MINUTES = 10
+
+
+def rule(event):
+    if event.get("eventName") != "BatchGetSecretValue":
+        return False
+    user = event.udm("actor_user")
+    key = f"{RULE_ID}-{user}"
+    unique_regions = add_to_string_set(key, event.get("awsRegion"), WITHIN_TIMEFRAME_MINUTES * 60)
+    if len(unique_regions) >= UNIQUE_REGION_THRESHOLD:
+        return True
+    return False
+
+
+def title(event):
+    user = event.udm("actor_user")
+    return f"[{user}] attempted to retrieve secrets from AWS Secrets Manager in multiple regions"
+
+
+def alert_context(event):
+    return aws_rule_context(event)
@@ -0,0 +1,51 @@
+AnalysisType: rule
+Filename: aws_secretsmanager_retrieve_secrets_catchall.py
+RuleID: "AWS.SecretsManager.RetrieveSecretsMultiRegion"
+DisplayName: "AWS Secrets Manager Retrieve Secrets Multi-Region"
+Enabled: true
+LogTypes:
+  - AWS.CloudTrail
+Tags:
+  - AWS
+  - Credential Access
+  - Stratus Red Team
+Reports:
+  MITRE ATT&CK:
+    - TA0006:T1552 # Credentials from Password Stores 
+Severity: Medium
+Description: >
+  An attacker attempted to retrieve a high number of Secrets Manager secrets by batch, through secretsmanager:BatchGetSecretValue (released Novemeber 2023). 
+  An attacker may attempt to retrieve a high number of secrets by batch, to avoid detection and generate fewer calls. Note that the batch size is limited to 20 secrets.
+  This rule identifies BatchGetSecretValue events for multiple regions in a short period of time.
+Runbook: https://aws.amazon.com/blogs/security/how-to-use-the-batchgetsecretsvalue-api-to-improve-your-client-side-applications-with-aws-secrets-manager/
+Reference: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets/
+Threshold: 1
+DedupPeriodMinutes: 60
+SummaryAttributes:
+  - eventName
+  - userAgent
+  - sourceIpAddress
+  - recipientAccountId
+  - p_any_aws_arns
+Tests:
+  - Name: BatchGetSecretValue Catch-All
+    ExpectedResult: true
+    Log: {
+      "eventSource": "secretsmanager.amazonaws.com",
+      "eventName": "BatchGetSecretValue",
+      "requestParameters": {
+        "filters": [
+          {
+            "key": "tag-key",
+            "values": [
+              "!tagKeyThatWillNeverExist"
+            ]
+          }
+        ]
+      },
+      "responseElements": null,
+      "readOnly": true,
+      "eventType": "AwsApiCall",
+      "managementEvent": true,
+      "recipientAccountId": "012345678901"
+    }