Query Details

AWS CloudTrail — Defense Evasion: PutBucketLifecycle with a short object expiration

Query

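// Detects S3 PutBucketLifecycle calls that install an object-expiration rule shorter
// than `threshold_days`. A short expiration on a bucket that holds evidence (e.g. a
// CloudTrail or flow-log bucket) makes S3 purge the objects on its own, which is a
// defense-evasion technique; the rule is flagged per lifecycle rule, not per bucket.
let threshold_days = 7;
let _ExcludedEventNames = dynamic(["PutBucketLifecycle"]);
// Anchored alternation ("^(a|b)$") of expected role/session identities taken from the
// watchlist. When no watchlist entry applies the original "^()$" would match the empty
// string, and the caller identity built below IS empty for non-assumed-role callers, so
// those events would be silently suppressed; emit "" instead and guard on it below.
let _ExcludedRoleIdentityRegex = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "AWSAssumedRoleIdentityEventName_Regex" and Auxiliar has_any (_ExcludedEventNames)
    | summarize RegEx = make_set(strcat(SourceResource, ActorPrincipalName))
    | extend RegEx = iff(array_length(RegEx) == 0, "", strcat(@"^(", strcat_array(RegEx, "|"), @")$"))
);
AWSCloudTrail
| where EventName == "PutBucketLifecycle"
// Assumed-role principal IDs are "<role-id>:<session-name>"; keep the session part.
// Other identity types carry no ":" here, so this is empty for them.
| extend UserIdentityUserName = tostring(split(UserIdentityPrincipalid, ":")[1])
// Suppress an event only when (a) the watchlist actually produced a regex, (b) the event
// is one the watchlist covers and (c) there is a non-empty caller identity that matches.
// (c) also protects against a watchlist row with empty fields, which would add an empty
// alternative ("^(|x)$") that matches the empty identity string.
| where not(isnotempty(_ExcludedRoleIdentityRegex)
            and EventName in (_ExcludedEventNames)
            and isnotempty(strcat(SessionIssuerUserName, UserIdentityUserName))
            and strcat(SessionIssuerUserName, UserIdentityUserName) matches regex _ExcludedRoleIdentityRegex)
| extend RequestParameters = todynamic(RequestParameters)
// LifecycleConfiguration.Rule is a single object when one rule is configured and an
// array otherwise (array_length() is null for a non-array); normalise to an array so
// every rule lands on its own row.
| mv-expand Rule = iff(isempty(array_length(RequestParameters["LifecycleConfiguration"]["Rule"])), pack_array(RequestParameters["LifecycleConfiguration"]["Rule"]), RequestParameters["LifecycleConfiguration"]["Rule"])
// Rules without Expiration.Days (e.g. an absolute Expiration.Date, or rules that only
// transition storage class) yield null here and are dropped by the comparison below.
// The rule's Status (Enabled/Disabled) is not checked.
| extend ExpirationDays = toint(Rule["Expiration"]["Days"])
| where ExpirationDays < threshold_days
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    ExpirationDays,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId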

Explanation

The query selects AWS CloudTrail `PutBucketLifecycle` events and drops those whose caller identity (`SessionIssuerUserName` joined with the session name taken from `UserIdentityPrincipalid`) matches a regular expression built from the `Activity-ExpectedSignificantActivity` watchlist, so that known, expected automation is suppressed rather than alerted on. It then parses `RequestParameters`, expands each lifecycle rule (normalising a single rule into a one-element array), reads `Expiration.Days` from every rule and keeps only rules whose expiration is below the threshold (7 days). A short object-expiration rule is a defense-evasion technique: S3 deletes the matching objects automatically, so evidence such as logs stored in the bucket disappears without an explicit delete call. Surviving rows are enriched with `AWSIdentityRole()` and projected down to the fields needed for triage. Note that rules without an `Expiration.Days` value (for example a date-based expiration) are not matched, and the rule's `Status` is not checked.

Details


Jose Sebastián Canós

Released: February 13, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrail,PutBucketLifecycle,UserIdentityPrincipalid,SessionIssuerUserName,SessionCreationDate,UserIdentityType,Identity,ActorRole,UserIdentityAccountId,UserIdentityAccountName,RecipientAccountId,RecipientAccountName,UserIdentityPrincipalid,UserIdentityArn,SourceIpAddress,EventSource,EventTypeName,EventName,ManagementEvent,ReadOnly,ErrorCode,ErrorMessage,ExpirationDays,RequestParameters,ResponseElements,Resources,SessionMfaAuthenticated,UserAgent,AwsEventId

