{"id":468,"date":"2024-09-14T04:26:51","date_gmt":"2024-09-14T04:26:51","guid":{"rendered":"https:\/\/www.seclink.info\/?p=468"},"modified":"2024-09-14T06:10:24","modified_gmt":"2024-09-14T06:10:24","slug":"cloud-secrets-management-stores","status":"publish","type":"post","link":"https:\/\/www.seclink.info\/cn\/cloud-secrets-management-stores\/","title":{"rendered":"Detection Rule Sharing: T1555.006 Cloud Secrets Management Stores"},"content":{"rendered":"<p>In this series of articles, we will explore TTP tactics based on the <strong>Mitre ATT&#038;CK framework<\/strong>, focusing on how to develop effective detection rules in different environments (cloud, enterprise, ICS) and scenarios. We will discuss practical <strong>attack scenarios<\/strong>, <strong>detection<\/strong>, <strong>response<\/strong>, and <strong>optimization<\/strong>.<\/p>\n<p>This is the first article in the series, primarily focusing on how to write detection rules for &#8220;<strong>T1555.006 Cloud Secrets Management Stores<\/strong>&#8221;, helping security teams enhance their defense capabilities in <strong>cloud environments<\/strong>.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.seclink.info\/wp-content\/uploads\/2024\/09\/f7b61808-87c0-4702-a2bb-0143ea83aeae.webp\" alt=\"\"><\/p>\n<h2 id=\"-\">Introduction<\/h2>\n<p>The Mitre ATT&#038;CK framework divides the attack process into multiple stages, from <strong>Initial Access<\/strong>, <strong>Information Gathering<\/strong>, <strong>Privilege Escalation<\/strong> to <strong>Data Exfiltration<\/strong>. 
Each stage includes multiple tactics and techniques.<\/p>\n<p>Specifically, &#8220;<strong>In cloud environments, attackers may obtain cloud keys through various methods and use them for unauthorized access, further advancing the attack<\/strong>.&#8221; <\/p>\n<h3 id=\"-\">Category<\/h3>\n<ul>\n<li><p><strong>Tactic Name<\/strong>: Key Access<\/p>\n<\/li>\n<li><p><strong>Applicable Platforms<\/strong>: IaaS, Linux, Windows, macOS<\/p>\n<\/li>\n<\/ul>\n<h3 id=\"-\">Scenario<\/h3>\n<p><img decoding=\"async\" src=\"https:\/\/www.seclink.info\/wp-content\/uploads\/2024\/09\/ab6b2e9a-68ad-424a-ad82-b103eab46e6e.webp\" alt=\"\"><\/p>\n<p><strong>Cloud Key Storage (T1555.006)<\/strong>: Attackers may obtain keys from cloud-native secret management stores. Cloud key storage is used to securely manage and access keys, passwords, and other sensitive information in cloud environments.<\/p>\n<h2 id=\"-\">Detection and Response<\/h2>\n<h3 id=\"-\">Case 1<\/h3>\n<p>Taking Azure Key Vault as an example, the following rule detects an access-policy write that grants a low-privileged principal (a specific object ID or application ID) access to the vault, i.e. a vault policy erroneously modified to be readable by a low-privileged user group.<\/p>\n<pre><code>title: KeyVault Access Policy Changed to Low-Privileged or Open Permissions\nid: e54b3f3b-dccd-4ba9-bd8d-7c5f8a42b6f1\ndescription: Detects changes to KeyVault access policies where objectId or applicationId is modified to low-privileged or open access.\nreferences:\n    - https:\/\/docs.microsoft.com\/en-us\/azure\/key-vault\/general\/overview\nlogsource:\n    service: azure\n    product: azure\ndetection:\n    selection:\n        OperationName: 'Microsoft.KeyVault\/vaults\/accessPolicies\/write'\n    filter_low_privilege_object:  # list items are OR-ed: any one match is enough\n        - RequestBody|contains: '\"objectId\":\"00000000-0000-0000-0000-000000000000\"' # replace with any specific low-privileged object ID\n        - RequestBody|contains: '\"applicationId\":\"\\*\"'  # a bare * is a Sigma wildcard and would match any applicationId, so it is escaped to match a literal asterisk\n        - RequestBody|contains: 
'\"applicationId\":\"00000000-0000-0000-0000-000000000000\"'  # replace with any specific low-privileged app ID\n    condition: selection and filter_low_privilege_object\nfields:\n    - TimeGenerated\n    - OperationName\n    - RequestBody\n    - Caller\n    - ResultDescription\nfalsepositives:\n    - Administrative changes where low-privilege access is expected (verify with security team)\nlevel: high\ntags:\n  - attack.defense_evasion\n  - attack.privilege_escalation\n  - attack.t1555.006\n<\/code><\/pre>\n<p><strong>Log Source<\/strong>: AKV Activity Log<\/p>\n<p><strong>Alert Level<\/strong>: High<\/p>\n<p><strong>False Positives<\/strong>: Administrative changes where low-privileged access is expected (verify with the security team)<\/p>\n<h3 id=\"-\">Case 2<\/h3>\n<p>Taking AWS Secrets Manager as an example, the following rule uses CloudTrail logs to detect access to secrets from uncommon IP addresses. Note that the rule itself only selects GetSecretValue events and returns sourceIPAddress and userIdentity.accessKeyId; the comparison against the known-IP and key-usage baseline (the 90-day window mentioned in the description) is performed on those fields in the SIEM.<\/p>\n<pre><code>title: Detection of Access Key Usage with AWS Secrets Manager\nid: 123e4567-e89b-12d3-a456-426614174006\ndescription: Detects AWS Secrets Manager access events and flags access keys for further analysis if they have not been used in the past 90 days. 
This rule helps identify potentially suspicious activity by capturing access events with specific keys.\nlogsource:\n  category: cloud\n  service: aws\n  product: cloudtrail\ndetection:\n  selection_secrets_manager_access:\n    eventSource: \"secretsmanager.amazonaws.com\"\n    eventName: \"GetSecretValue\"\n  condition: selection_secrets_manager_access\nfields:\n  - sourceIPAddress\n  - userIdentity.arn\n  - userIdentity.accessKeyId\n  - eventTime\n  - eventName\n  - eventSource\nfalsepositives:\n  - Admins accessing from a new IP.\n  - Legitimate activity from a newly provisioned service or newly rotated key.\nlevel: high\ntags:\n  - attack.initial_access\n  - attack.credential_access\n  - attack.t1552.001\n<\/code><\/pre>\n<p><strong>Log Source<\/strong>: AWS CloudTrail<\/p>\n<p><strong>Alert Level<\/strong>: High<\/p>\n<p><strong>False Positives<\/strong>:<\/p>\n<ul>\n<li>Admins accessing with a new key.<\/li>\n<li>Legitimate activity from a newly provisioned service or newly rotated key.<\/li>\n<\/ul>\n<h3 id=\"-\">Response Steps<\/h3>\n<ul>\n<li><p>Analyze the reason for the key access, check for related ticket records, and determine if it was a mistake or malicious behavior, and assess the impact scope.<\/p>\n<\/li>\n<li><p>Analyze the entity that triggered the policy change. Was it caused by a configuration error, human error, or external attack?<\/p>\n<\/li>\n<\/ul>\n<h2 id=\"-\">Rule Conversion<\/h2>\n<p>We recommend using <strong>sigma-convert<\/strong> (<a href=\"https:\/\/github.com\/marirs\/sigma-convert\">https:\/\/github.com\/marirs\/sigma-convert<\/a>), or the online tool <strong>sigconverter<\/strong> (<a href=\"https:\/\/sigconverter.io\/\">https:\/\/sigconverter.io\/<\/a>), to convert Sigma rules into corresponding SIEM search queries. 
For example:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.seclink.info\/wp-content\/uploads\/2024\/09\/889778f5-8473-4e2d-ab90-b120374db680.webp\" alt=\"\"><\/p>\n<pre><code>eventSource=\"secretsmanager.amazonaws.com\" eventName=\"GetSecretValue\" \n| table sourceIPAddress,userIdentity.arn,userIdentity.accessKeyId,eventTime,eventName,eventSource\n<\/code><\/pre>\n<h2 id=\"-\">Disclaimer<\/h2>\n<p>The detection rules mentioned in this article are for <strong>learning and discussion purposes only<\/strong>. The sample rules and guidance provided do not constitute formal advice or solutions. Since each enterprise&#8217;s security environment and needs vary, we strongly recommend that companies modify these rules <strong>specifically<\/strong> and conduct <strong>thorough testing<\/strong> based on their actual circumstances and environments to ensure they meet your organization&#8217;s specific needs and security requirements.<\/p>\n<p>We assume no responsibility for any issues or losses that may arise from the use or implementation of these rules.<\/p>\n<h2 id=\"-\">References<\/h2>\n<ul>\n<li><p><strong>Mitre ATT&#038;CK for Cloud<\/strong>: <a href=\"https:\/\/attack.mitre.org\/matrices\/enterprise\/cloud\/\">https:\/\/attack.mitre.org\/matrices\/enterprise\/cloud\/<\/a><\/p>\n<\/li>\n<li><p><strong>AWS Well-Architected Framework<\/strong>: <a href=\"https:\/\/docs.aws.amazon.com\/wellarchitected\/latest\/framework\/welcome.html\">https:\/\/docs.aws.amazon.com\/wellarchitected\/latest\/framework\/welcome.html<\/a> introduces security best practices to help understand how to prevent and detect cloud key leakage.<\/p>\n<\/li>\n<li><p><strong>Azure Security Center<\/strong>: <a href=\"https:\/\/azuremarketplace.microsoft.com\/en-us\/marketplace\/apps\/microsoft.azuresecuritycenter?tab=overview\">https:\/\/azuremarketplace.microsoft.com\/en-us\/marketplace\/apps\/microsoft.azuresecuritycenter?tab=overview<\/a> provides security advice for Azure environments, 
which can be used to optimize detection rules.<\/p>\n<\/li>\n<li><p><strong>Google Cloud Security Best Practices<\/strong>: <a href=\"https:\/\/cloud.google.com\/security\/best-practices\">https:\/\/cloud.google.com\/security\/best-practices<\/a> provides security practices for Google Cloud, offering references for multi-cloud environments.<\/p>\n<\/li>\n<li><p><strong>Alibaba Cloud AK Leakage Detection<\/strong>: <a href=\"https:\/\/help.aliyun.com\/zh\/security-center\/user-guide\/detection-of-accesskey-pair-leaks\">https:\/\/help.aliyun.com\/zh\/security-center\/user-guide\/detection-of-accesskey-pair-leaks<\/a><\/p>\n<\/li>\n<\/ul>\n<p>Follow <strong>SecLink Security Space<\/strong> for more exciting content.<\/p>","protected":false},"excerpt":{"rendered":"<p>In this series of articles, we will explore TTP tactics based on the Mitre ATT&#038;CK framework, focusing on how to develop effective detection rules in different environments (cloud, enterprise, ICS) and scenarios. We will discuss practical attack scenarios, detection, response, and optimization. This is the first article in the series, primarily focusing on how to write detection rules for &#8220;T1555.006 Cloud Secrets Management Stores&#8221;, helping security teams enhance their defense capabilities in cloud environments. Introduction The Mitre ATT&#038;CK framework divides the attack process into multiple stages, from Initial Access, Information Gathering, Privilege Escalation to Data Exfiltration. Each stage includes multiple tactics and techniques. 
Specifically, &#8220;In cloud environments, attackers may obtain cloud keys through various methods and use them for unauthorized&#8230;<\/p>","protected":false},"author":1,"featured_media":478,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[8,7,9,11],"class_list":["post-468","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-techniques","tag-cloud","tag-mitre","tag-siem","tag-threat-blog"],"_links":{"self":[{"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/posts\/468","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/comments?post=468"}],"version-history":[{"count":9,"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/posts\/468\/revisions"}],"predecessor-version":[{"id":502,"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/posts\/468\/revisions\/502"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/media\/478"}],"wp:attachment":[{"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/media?parent=468"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/categories?post=468"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/tags?post=468"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}