Indications of malicious trust anchor creation

cloudtrail

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when a trust anchor and profile are created using AWS IAM Roles Anywhere by the same identity.

Strategy

This rule lets you monitor CloudTrail logs for CreateTrustAnchor and CreateProfile events using AWS IAM Roles Anywhere.

The IAM Roles Anywhere service allows workloads that do not run in AWS to assume roles by presenting a client-side X.509 certificate signed by a trusted certificate authority, represented as a trust anchor. An attacker creating a trust anchor can subsequently assume IAM roles that have a trust policy with IAM Roles Anywhere.

Triage and response

  1. Determine if the user, {{@userIdentity.arn}}, should be generating a new trust anchor.
  2. Investigate the user behavior and access information:
    • Review the user agent, IP address, and other identifying information for evidence of an abnormal access.
    • Look at additional events, such as {{@userIdentity.arn}} and {{@userIdentity.accessKeyId}} triggering CreateSession during the surrounding timeframe. The related events can be searched for in Roles Anywhere logs: @eventSource:rolesanywhere.amazonaws.com.
  3. If the behavior is abnormal for the user and your environment:
    • Rotate the credentials.
    • Investigate if the same credentials took other unauthorized actions.
    • Begin your company’s IR process and investigate.

References