Query Details

AWS Cloud Trail AWS Suspicious Command EC2

Query

let query_period = 1d;
let query_frequency = 1h;
AWSCloudTrail
| where TimeGenerated > ago(query_period)
| where EventName in ("SendCommand", "CreateAssociation", "UpdateAssociation", "CreateAssociationBatch")
| extend DynamicRequestParameters = todynamic(RequestParameters)
| mv-expand DynamicRequestParameter = iff(EventName == "CreateAssociationBatch", DynamicRequestParameters["Entries"], DynamicRequestParameters)
| extend OutputS3BucketName = case(
    EventName == "SendCommand", tostring(DynamicRequestParameter["OutputS3BucketName"]),
    EventName in ("CreateAssociation", "UpdateAssociation", "CreateAssociationBatch"), tostring(DynamicRequestParameter["OutputLocation"]["S3Location"]["OutputS3BucketName"]),
    "")
| where isnotempty(OutputS3BucketName)
| join kind=leftouter (
    AWSCloudTrail
    | where TimeGenerated > ago(query_frequency)
    | where EventName == "PutObject"
    | project
        BucketName = tostring(todynamic(RequestParameters)["bucketName"]),
        PutObject_TimeGenerated = TimeGenerated,
        PutObject_Resources = Resources
    ) on $left.OutputS3BucketName == $right.BucketName
| mv-expand Resource = todynamic(PutObject_Resources)
| where tostring(Resource["type"]) == "AWS::S3::Bucket"
| extend BucketAccountId = tostring(Resource["accountId"])
| where RecipientAccountId != BucketAccountId
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    OutputS3BucketName,
    PutObject_TimeGenerated,
    PutObject_Resources,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query is designed to monitor and analyze specific AWS CloudTrail events related to S3 bucket operations over a defined period. Here's a simplified breakdown of what the query does:

  1. Define Time Periods:

    • query_period is set to 1 day, and query_frequency is set to 1 hour.
  2. Filter Events:

    • It looks for CloudTrail events that occurred within the last day (query_period) with specific event names: "SendCommand", "CreateAssociation", "UpdateAssociation", and "CreateAssociationBatch".
  3. Extract S3 Bucket Information:

    • It extracts the S3 bucket name from the request parameters of these events. The extraction method varies slightly depending on the event type.
  4. Filter Non-Empty Bucket Names:

    • It ensures that only events with a specified S3 bucket name are considered.
  5. Join with Recent PutObject Events:

    • It performs a left outer join with recent "PutObject" events (within the last hour, query_frequency) to find any objects that were put into the identified S3 buckets.
  6. Expand and Filter Resources:

    • It expands the resources involved in the "PutObject" events and filters to ensure the resource type is "AWS::S3::Bucket".
  7. Account ID Check:

    • It checks if the account ID of the bucket owner is different from the recipient account ID, indicating cross-account access.
  8. Invoke AWS Identity Role:

    • It calls a function to retrieve additional identity role information.
  9. Project Relevant Information:

    • Finally, it selects and displays a wide range of information about the events, including user identity details, event metadata, and bucket information.

In summary, this query identifies and analyzes specific AWS operations involving S3 buckets, focusing on cross-account access and recent object uploads, providing detailed insights into these activities.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AwscloudtrailRequestparametersResourcesUseridentitytypeIdentityActorroleUseridentityaccountidUseridentityaccountnameRecipientaccountidRecipientaccountnameAwsregionSessioncreationdateUseridentityprincipalidUseridentityarnSourceipaddressEventsourceEventtypenameEventnameManagementeventReadonlyErrorcodeErrormessageOutputS3bucketnamePutobjecttimegeneratedPutobjectresourcesSessionmfaauthenticatedUseragentAwseventid

Operators

letagoinextendtodynamicmv-expandiffcasetostringisnotemptyjoinprojectoninvoke

Actions

GitHub