ID | Technique | Tactic |
---|---|---|
T1078.004 | Cloud Accounts | Defense Evasion |
T1078 | Valid Accounts | Initial Access |
Detection: Cloud Compute Instance Created By Previously Unseen User
EXPERIMENTAL DETECTION
This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.
Description
The following analytic identifies the creation of cloud compute instances by users who have not previously created them. It leverages data from the Change data model, focusing on 'create' actions by users, and cross-references with a baseline of known user activities. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts. If confirmed malicious, attackers could deploy unauthorized compute instances, leading to potential data exfiltration, increased costs, or further exploitation within the cloud environment.
Search
1
2| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change where All_Changes.action=created by All_Changes.user All_Changes.vendor_region
3| `drop_dm_object_name("All_Changes")`
4| lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data
5| eventstats max(enough_data) as enough_data
6| where enough_data=1
7| eval firstTimeSeenUser=min(firstTimeSeen)
8| where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h")
9| table firstTime, user, dest, count vendor_region
10| `security_content_ctime(firstTime)`
11| `cloud_compute_instance_created_by_previously_unseen_user_filter`
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
AWS CloudTrail | AWS | 'aws:cloudtrail' |
'aws_cloudtrail' |
Macros Used
Name | Value |
---|---|
security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
cloud_compute_instance_created_by_previously_unseen_user_filter | search * |
cloud_compute_instance_created_by_previously_unseen_user_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Risk Event | True |
Implementation
You must be ingesting the appropriate cloud-infrastructure logs Run the "Previously Seen Cloud Compute Creations By User" support search to create of baseline of previously seen users.
Known False Positives
It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
User $user$ is creating a new instance $dest$ for the first time | 18 | 30 | 60 |
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | Not Applicable | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | aws_cloudtrail |
aws:cloudtrail |
Integration | ✅ Passing | Dataset | aws_cloudtrail |
aws:cloudtrail |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 4