
How to detect four commands run within a 1 second time window?

garryplewson
Observer

Hello, 

I am trying to create a detection of the AWS exploitation tool Pacu.py. It is to detect the use of the enumeration tool within Pacu.py, which executes the following AWS commands in less than a second:

  • ListUserPolicies
  • GetCallerIdentity
  • ListGroupsForUser
  • ListAttachedUserPolicies

Timeframe:

  • First Event: 2022-05-19 10:02:25
  • Last Event: 2022-05-19 10:02:26

Each command generates a separate event, so I was wondering if it is possible to create a search which detects these commands executed from the same account within a 1 second timeframe? I am unsure how to specify a time window, so if you could help, that would be greatly appreciated.

Query

index="aws-cloudtrail" "GetCallerIdentity" OR "ListUserPolicies" OR "ListGroupsForUser" OR "ListAttachedUserPolicies" | table _time, principalId, userName, aws_account_id, sourceIPAddress, user_agent, command

Many Thanks


yuanliu
SplunkTrust

The most straightforward method may be transaction.  Since you are looking at a specific tool, I assume that there is an order of execution, e.g., 

  1. ListUserPolicies
  2. GetCallerIdentity
  3. ListGroupsForUser
  4. ListAttachedUserPolicies

Given these assumptions, you can do something like

index="aws-cloudtrail" "GetCallerIdentity" OR "ListUserPolicies" OR "ListGroupsForUser" OR "ListAttachedUserPolicies"
```| table _time, principalId, userName, aws_account_id, sourceIPAddress, user_agent, command```
| transaction aws_account_id startswith=command=="ListUserPolicies" endswith=command=="ListAttachedUserPolicies" maxspan=1s mvlist=command
| where mvjoin(command, ",") == "ListUserPolicies,GetCallerIdentity,ListGroupsForUser,ListAttachedUserPolicies"

maxspan limits elapsed time from the first command to the last command.  The where filter is to constrain the order of execution.

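The following is an added example, not part of either post above, that reproduces the logic of the answer's search (group by aws_account_id, start on ListUserPolicies, end on ListAttachedUserPolicies, require the whole run to fit inside a 1 second span, and require the exact command order) in plain Python over a constructed set of CloudTrail-like events. It is useful for reasoning about the edge cases the SPL has to handle: two accounts interleaving their calls, a run that takes longer than maxspan, and a run with the right four commands in the wrong order. The event records and account ids are constructed for this example and the helper names are assumptions, not anything from Splunk or Pacu.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-like events (not real data): one record per API call,
# the shape the question's table command produces (one event per command).
EVENTS = [
    {"time": "2022-05-19 10:02:25", "aws_account_id": "111111111111", "command": "ListUserPolicies"},
    {"time": "2022-05-19 10:02:25", "aws_account_id": "222222222222", "command": "ListUserPolicies"},
    {"time": "2022-05-19 10:02:25", "aws_account_id": "111111111111", "command": "GetCallerIdentity"},
    {"time": "2022-05-19 10:02:26", "aws_account_id": "111111111111", "command": "ListGroupsForUser"},
    {"time": "2022-05-19 10:02:26", "aws_account_id": "222222222222", "command": "GetCallerIdentity"},
    {"time": "2022-05-19 10:02:26", "aws_account_id": "111111111111", "command": "ListAttachedUserPolicies"},
    # Account 2222... completes the same four calls, but spread over 3 seconds.
    {"time": "2022-05-19 10:02:27", "aws_account_id": "222222222222", "command": "ListGroupsForUser"},
    {"time": "2022-05-19 10:02:28", "aws_account_id": "222222222222", "command": "ListAttachedUserPolicies"},
    # Account 3333... issues all four calls within a second, but out of order.
    {"time": "2022-05-19 10:02:30", "aws_account_id": "333333333333", "command": "ListUserPolicies"},
    {"time": "2022-05-19 10:02:30", "aws_account_id": "333333333333", "command": "ListGroupsForUser"},
    {"time": "2022-05-19 10:02:30", "aws_account_id": "333333333333", "command": "GetCallerIdentity"},
    {"time": "2022-05-19 10:02:31", "aws_account_id": "333333333333", "command": "ListAttachedUserPolicies"},
]

# The ordered sequence from the answer (startswith = first, endswith = last).
SEQUENCE = ["ListUserPolicies", "GetCallerIdentity", "ListGroupsForUser", "ListAttachedUserPolicies"]
MAXSPAN = timedelta(seconds=1)  # equivalent of maxspan=1s


def parse_time(ts):
    """CloudTrail eventTime has second granularity, as in the question's timeframe."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_sequences(events, sequence=SEQUENCE, maxspan=MAXSPAN):
    """Return (account, start_time, end_time) for every run that, per account,
    starts with sequence[0], ends with sequence[-1], fits inside maxspan and
    contains exactly the commands of `sequence` in that order.

    This mirrors: transaction aws_account_id startswith=... endswith=... maxspan=1s
    followed by the where mvjoin(command, ",") == "..." order check.
    """
    hits = []
    open_runs = {}  # aws_account_id -> (start_time, commands seen so far)
    # sorted() is stable, so events sharing a timestamp keep their ingest order.
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        acct, cmd, t = ev["aws_account_id"], ev["command"], parse_time(ev["time"])
        if cmd == sequence[0]:
            # startswith: a new transaction for this account (discarding any stale one)
            open_runs[acct] = (t, [cmd])
            continue
        run = open_runs.get(acct)
        if run is None:
            continue  # no open transaction for this account; ignore the event
        start, seen = run
        if t - start > maxspan:
            del open_runs[acct]  # maxspan exceeded: the transaction is abandoned
            continue
        seen.append(cmd)
        if cmd == sequence[-1]:
            # endswith: close the transaction, then apply the order check
            del open_runs[acct]
            if seen == list(sequence):
                hits.append((acct, start, t))
    return hits


if __name__ == "__main__":
    for acct, start, end in find_sequences(EVENTS):
        print(f"{acct}: {start} -> {end} ({(end - start).total_seconds():.0f}s)")
```

Running it flags only account 111111111111 (first event 10:02:25, last 10:02:26), exactly the shape of the question's timeframe; the 3 second run and the out-of-order run both drop out, which is what the maxspan and the mvjoin comparison in the answer are each there to do. Note that the order check is strict: if the tool ever issues the same four calls in a different order, the where clause (and this function) will miss it, so it is worth confirming the order in your own CloudTrail data before relying on it.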