Hello,
I am trying to create a detection of the AWS exploitation tool Pacu.py. It is to detect the use of the enumeration tool within Pacu.py, which executes the following AWS commands in less than a second:
Timeframe:
Each command generates a separate event, so I was wondering if it is possible to create a search which detects these commands executed from the same account within a 1 second timeframe? I am unsure how to specify a time window, so if you could help, that would be greatly appreciated.
Query:

```
index="aws-cloudtrail" "GetCallerIdentity" OR "ListUserPolicies" OR "ListGroupsForUser" OR "ListAttachedUserPolicies" | table _time, principalId, userName, aws_account_id, sourceIPAddress, user_agent, command
```
Many Thanks
The most straightforward method may be transaction. Since you are looking at a specific tool, I assume that there is an order of execution, e.g.,
Given these assumptions, you can do something like
````
index="aws-cloudtrail" "GetCallerIdentity" OR "ListUserPolicies" OR "ListGroupsForUser" OR "ListAttachedUserPolicies"
```| table _time, principalId, userName, aws_account_id, sourceIPAddress, user_agent, command```
| transaction aws_account_id startswith=eval(command=="ListUserPolicies") endswith=eval(command=="ListAttachedUserPolicies") maxspan=1s mvlist=command
| where mvjoin(command, ",") == "ListUserPolicies,GetCallerIdentity,ListGroupsForUser,ListAttachedUserPolicies"
````
`maxspan` limits elapsed time from the first command to the last command. The `where` filter is to constrain the order of execution.
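To make the mechanics of that `transaction` answer concrete outside Splunk, here is an added Python example (not code from either poster) that emulates the same detection over constructed CloudTrail-style records: group events by `aws_account_id`, open a window at each `ListUserPolicies`, close it at the first `ListAttachedUserPolicies` within `maxspan=1s`, and accept the transaction only when the command list matches the exact expected order. The event records, account ids and timestamps are constructed samples; the field names are taken from the `table` command in the question, and the semantics are an approximation of `transaction` (one open window per group at a time, closed on the end condition or on expiry).

```python
"""Emulate `transaction ... maxspan=1s mvlist=command | where mvjoin(...)` in plain Python."""
from datetime import datetime, timedelta

# Expected call order for the enumeration sequence discussed in the thread.
EXPECTED_SEQUENCE = ["ListUserPolicies", "GetCallerIdentity",
                     "ListGroupsForUser", "ListAttachedUserPolicies"]

# Constructed sample events (not real CloudTrail data). Field names mirror the
# question's `table` command; account ids and times are made up.
SAMPLE_EVENTS = [
    # Account 1: all four calls, correct order, inside one second -> should match
    {"_time": "2024-01-01T10:00:00.100000", "aws_account_id": "111111111111", "userName": "u1", "command": "ListUserPolicies"},
    {"_time": "2024-01-01T10:00:00.200000", "aws_account_id": "111111111111", "userName": "u1", "command": "GetCallerIdentity"},
    {"_time": "2024-01-01T10:00:00.300000", "aws_account_id": "111111111111", "userName": "u1", "command": "ListGroupsForUser"},
    {"_time": "2024-01-01T10:00:00.400000", "aws_account_id": "111111111111", "userName": "u1", "command": "ListAttachedUserPolicies"},
    # Account 2: same calls, correct order, but spread over 6 seconds -> outside maxspan
    {"_time": "2024-01-01T10:00:00.000000", "aws_account_id": "222222222222", "userName": "u2", "command": "ListUserPolicies"},
    {"_time": "2024-01-01T10:00:02.000000", "aws_account_id": "222222222222", "userName": "u2", "command": "GetCallerIdentity"},
    {"_time": "2024-01-01T10:00:04.000000", "aws_account_id": "222222222222", "userName": "u2", "command": "ListGroupsForUser"},
    {"_time": "2024-01-01T10:00:06.000000", "aws_account_id": "222222222222", "userName": "u2", "command": "ListAttachedUserPolicies"},
    # Account 3: inside one second but wrong order -> rejected by the order check
    {"_time": "2024-01-01T10:00:00.000000", "aws_account_id": "333333333333", "userName": "u3", "command": "GetCallerIdentity"},
    {"_time": "2024-01-01T10:00:00.100000", "aws_account_id": "333333333333", "userName": "u3", "command": "ListUserPolicies"},
    {"_time": "2024-01-01T10:00:00.200000", "aws_account_id": "333333333333", "userName": "u3", "command": "ListGroupsForUser"},
    {"_time": "2024-01-01T10:00:00.300000", "aws_account_id": "333333333333", "userName": "u3", "command": "ListAttachedUserPolicies"},
    # Account 4: a lone GetCallerIdentity, normal activity -> no transaction opens
    {"_time": "2024-01-01T10:00:00.500000", "aws_account_id": "444444444444", "userName": "u4", "command": "GetCallerIdentity"},
]


def parse_time(value):
    """Parse the ISO-8601 `_time` string used in the constructed samples."""
    return datetime.fromisoformat(value)


def find_sequences(events, sequence=EXPECTED_SEQUENCE,
                   maxspan=timedelta(seconds=1), group_field="aws_account_id"):
    """Return one hit per transaction whose commands equal `sequence` in order.

    Mirrors: transaction <group_field> startswith=eval(command==sequence[0])
             endswith=eval(command==sequence[-1]) maxspan=<maxspan> mvlist=command
             | where mvjoin(command, ",") == ",".join(sequence)
    """
    by_group = {}
    for ev in sorted(events, key=lambda e: parse_time(e["_time"])):
        by_group.setdefault(ev[group_field], []).append(ev)

    hits = []
    for group, evs in by_group.items():
        i = 0
        while i < len(evs):
            if evs[i]["command"] != sequence[0]:
                i += 1           # startswith not satisfied: no transaction opens here
                continue
            start = parse_time(evs[i]["_time"])
            commands, j = [], i
            # Collect events until the endswith command appears or maxspan is exceeded.
            while j < len(evs) and parse_time(evs[j]["_time"]) - start <= maxspan:
                commands.append(evs[j]["command"])
                if evs[j]["command"] == sequence[-1]:
                    break        # endswith satisfied: transaction closes
                j += 1
            # Equivalent of the `where mvjoin(command, ",") == "..."` order check.
            if commands == list(sequence):
                hits.append({"group": group, "userName": evs[i]["userName"],
                             "start": evs[i]["_time"], "end": evs[j]["_time"],
                             "commands": commands})
                i = j + 1        # events consumed by the closed transaction
            else:
                i += 1
    return hits


if __name__ == "__main__":
    for hit in find_sequences(SAMPLE_EVENTS):
        print(f"{hit['group']} {hit['userName']} {hit['start']} -> {hit['end']}: "
              + ",".join(hit["commands"]))
```

Running the block prints a single hit for the constructed account `111111111111`; the slow account and the out-of-order account both fall through, which is the same pair of conditions (`maxspan` plus the `where` order filter) that the SPL answer relies on.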