This week's new Enterprise Security Content Updates (ESCU) app is hot off the presses, complete with two new cloud-security stories and several new searches. Read on for some highlights. (TL;DR? Download the Splunk ES Content Update from Splunkbase now!)
Unusual AWS EC2 Modifications
If threat actors gain access to your AWS console, they can spin up or modify instances and move laterally, infecting servers and otherwise wreaking havoc across your network. So it's vital to stay alert to changes that may indicate that your environment has been compromised.
One important factor to stay vigilant of is user behavior. For example, it's unusual—sometimes even suspicious—for unknown users to start spinning up instances within your AWS environment. Likewise, if a known user starts modifying instances in ways that are outside of her customary pattern, this could also be an indication that you may need to take a closer look.
This Analytic Story can help you stay alert to these issues by monitoring for EC2 instances that have been created or changed, either by users who have never previously performed these activities or by known users who modify or create instances in a way they have not done in the past. While these situations are not always malicious, they may warrant deeper investigation. The story includes:
- A detection search for EC2 instances modified by users who have not previously performed such activities
- A contextual search that queries AWS description logs and returns all the information about a specific instance via the instanceId field
- An investigative search that lists all the logged CloudTrail activities by a specific user ARN
Data sources required:
- AWS CloudTrail logs
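As an added illustration of the first-seen logic this story relies on (this is not ESCU's own search, which is written in SPL), the Python below builds a baseline of EC2 create/modify calls per user and action over constructed, simplified CloudTrail-style records, then flags events in the detection window whose user/action pair has no prior history, so both unknown users and known users doing something new are caught. The action list, the flattened instanceId field and the 30-day/24-hour windows are assumptions.

```python
"""Flag EC2 create/modify calls that are new for the calling user (added example)."""
import json
from datetime import datetime, timedelta

# EC2 calls treated as creating or changing an instance (assumed list; ESCU's may differ).
EC2_MODIFY_ACTIONS = {
    "RunInstances", "ModifyInstanceAttribute", "StartInstances",
    "StopInstances", "RebootInstances", "TerminateInstances",
}

# Constructed, simplified CloudTrail-style records (newline-delimited JSON); not real account data.
SAMPLE_LOG = """
{"eventTime":"2024-03-01T10:00:00Z","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"instanceId":"i-0aaa"}}
{"eventTime":"2024-03-20T11:00:00Z","eventName":"StopInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"},"requestParameters":{"instanceId":"i-0bbb"}}
{"eventTime":"2024-03-21T08:00:00Z","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"instanceId":"i-0ccc"}}
{"eventTime":"2024-03-21T09:00:00Z","eventName":"TerminateInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"instanceId":"i-0aaa"}}
{"eventTime":"2024-03-21T09:30:00Z","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:user/mallory"},"requestParameters":{"instanceId":"i-0ddd"}}
{"eventTime":"2024-03-21T10:00:00Z","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{}}
{"eventTime":"2024-03-21T10:30:00Z","eventName":"StopInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"},"requestParameters":{"instanceId":"i-0bbb"}}
""".strip().splitlines()

NOW = datetime(2024, 3, 21, 12, 0, 0)  # constructed "search time" for the sample above

def parse_events(lines):
    """Turn JSON lines into (time, user ARN, action, instanceId) tuples."""
    out = []
    for line in lines:
        rec = json.loads(line)
        out.append((
            datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            rec["userIdentity"]["arn"],
            rec["eventName"],
            rec.get("requestParameters", {}).get("instanceId"),
        ))
    return out

def first_seen_ec2_changes(events, now, baseline_days=30, window_hours=24):
    """Return (user, action, instanceId) for EC2 modify events in the last window_hours
    whose (user, action) pair never occurred in the preceding baseline_days."""
    window_start = now - timedelta(hours=window_hours)
    baseline_start = now - timedelta(days=baseline_days)
    seen = {(u, a) for t, u, a, _ in events
            if a in EC2_MODIFY_ACTIONS and baseline_start <= t < window_start}
    return [(u, a, i) for t, u, a, i in events
            if a in EC2_MODIFY_ACTIONS and t >= window_start and (u, a) not in seen]

if __name__ == "__main__":
    for user, action, instance in first_seen_ec2_changes(parse_events(SAMPLE_LOG), NOW):
        print(f"first-seen EC2 change: {user} {action} {instance}")
```

Alice's RunInstances is suppressed because she has done it before, while her first TerminateInstances and mallory's first RunInstances are surfaced for review.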
Disabling Security Tools
Attackers employ a variety of tactics to avoid detection and operate without barriers. This often involves modifying the configuration of security tools to get around them, or explicitly disabling them to prevent them from running. Other times, attackers use various tricks to keep specific programs from running, such as adding the certificates with which the security tools are signed to a blacklist, which prevents those tools from launching.
This Analytic Story searches for activity consistent with attackers attempting to disable various security mechanisms. Such activity may involve suspicious registry activity (as this is where much of the configuration for Windows and various other programs is stored) or explicit attempts to shut down security-related services. The story includes:
- A search that detects attempts to add a certificate to the untrusted store, and another that detects attempts to stop a security service
- Detection of processes launching netsh
- Detection of suspicious reg.exe processes
- Searches for the names of processes and parent processes
Data sources required:
- Logs with the process name, command-line arguments, and parent process from your endpoints