Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to detect four commands run within a 1 second time window?

garryplewson
Observer
‎05-26-2022 02:11 AM

Hello, 

I am trying to create a detection of the AWS exploitation tool Pacu.py. It is to detect the use of the enumeration tool within Pacu.py, which executes the following AWS commands in less than a second:

  • ListUserPolicies
  • GetCallerIdentity
  • ListGroupsForUser
  • ListAttachedUserPolicies

Timeframe:

  • First Event: 2022-05-19 10:02:25
  • Last Event: 2022-05-19 10:02:26

Each command generates a separate event so I was wondering if it is possible to create a search which detects these command executed from the same account within a 1 second timeframe?  I am unsure how to specify a time window so if you could help, that would be greatly appreciated. 

Query

index="aws-cloudtrail" "GetCallerIdentity" OR "ListUserPolicies" OR "ListGroupsForUser" OR "ListAttachedUserPolicies" | table _time, principalId, userName, aws_account_id, sourceIPAddress, user_agent, command

Many Thanks

Labels (1)
Labels
Tags (1)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎05-28-2022 08:36 PM

The most straightforward method may be transaction.  Since you are looking at a specific tool, I assume that there is an order of execution, e.g., 

  1. ListUserPolicies
  2. GetCallerIdentity
  3. ListGroupsForUser
  4. ListAttachedUserPolicies

Given these assumptions, you can do something like

index="aws-cloudtrail" "GetCallerIdentity" OR "ListUserPolicies" OR "ListGroupsForUser" OR "ListAttachedUserPolicies"
```| table _time, principalId, userName, aws_account_id, sourceIPAddress, user_agent, command```
| transaction aws_account_id startswith=command=="ListUserPolicies" endswith=command=="ListAttachedUserPolicies" maxspan=1s mvlist=command
| where mvjoin(command, ",") == "ListUserPolicies,GetCallerIdentity,ListGroupsForUser,ListAttachedUserPolicies"

maxspan limits elapsed time from the first command to the last command.  The where filter is to constrain the order of execution.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...