Threat Hunting on AWS using Azure Sentinel
Download as PPTX, PDF0 likes689 views
This document provides information about an Azure Sentinel webinar on threat hunting on AWS using Azure Sentinel. It includes an agenda for the webinar with topics like AWS CloudTrail, customizable workbooks, built-in queries and analytics rules. It also provides links for questions, recordings, feedback and the community forum.
Threat Hunting on AWS using Azure Sentinel
- 1. Welcome to the Azure Sentinel webinar We will start at 2-3 minutes after the scheduled time to accommodate those still connecting. Questions? Feel free to type them in the instant message window at any time. Note that any questions you post will be public. You have the option to post questions anonymously. After the webinar, you can ask questions at https://aka.ms/AzureSentinelCommunity. This webinar is being recorded. We’ll post the recordings to our community forums at https://aka.ms/SecurityWebinars. Please give us your feedback on this webinar at https://aka.ms/SecurityCommunityWebinarFeedback. Join our Community: https://aka.ms/SecurityCommunity
- 2. Threat Hunting on AWS using Azure Sentinel
- 3. AWS CloudTrail Customizable workbooks Built-in queries and analytics rules Blog Link
- 6. Introduction to AWS Data Sources
- 7. Data Source Preferred Log Destination CloudTrail CloudTrail/S3 S3 Access Logs/Object Level Logging S3 VPC Flow Logs S3 ELB Access Logs S3 Route 53 DNS Logs S3 SecurityHub Finding Format (ASFF) S3
- 8. Connect Azure Sentinel to AWS CloudTrail
- 9. Serverless Simple Cheap Logic Apps Azure Functions using PowerShell ~ Logstash
- 16. MITRE ATT&CK Framework Use Cases for AWS
- 18. BACKDOOR BEHAVIOR CRYPTOCURRENCY RECON TROJAN UNAUTHORIZEDACCESS Spambot NetworkPortUnusual BitcoinTool.B!DNS PortProbeUnprotectedPort BlackholeTraffic SSHBruteForce C&CActivity.B!DNS TrafficVolumeUnusual BitcoinTool.B Portscan DropPoint RDPBruteForce DenialOfService.Tcp PortProbeEMRUnprotectedPort BlackholeTraffic!DNS TorIPCaller DenialOfService.Udp DriveBySourceTraffic!DNS MaliciousIPCaller.Custom DenialOfService.Dns DropPoint!DNS TorClient DenialOfService.UdpOnTcpPorts DGADomainRequest.B TorRelay DenialOfService.UnusualProtocol DGADomainRequest.C!DNS MetadataDNSRebind DNSDataExfiltration PhishingDomainRequest!DNS RECON UNAUTHORIZED ACCESS PENTEST PERSISTENCE POLICY PRIVILEGE ESCALATION RESOURCE CONSUMPTION STEALTH TorIPCaller TorIPCaller KaliLinux NetworkPermissions S3BlockPublic AccessDisabled Administrative Permissions ComputeResources S3ServerAccessLogging Disabled MaliciousIPCaller.Custom MaliciousIPCaller.Custom ParrotLinux ResourcePermissions RootCredentialUsage PasswordPolicyChange MaliciousIPCaller ConsoleLoginSuccess.B PentooLinux UserPermissions CloudTrailLoggingDisabled NetworkPermissions MaliciousIPCaller LoggingConfiguration Modified ResourcePermissions ConsoleLogin UserPermissions InstanceCredential Exfiltration Low Medium High
- 19. Failed AzureAD logons but success logon to AWS Console New UserAgent observed in last 24 hours Changes to internet facing AWS RDS Database instances Changes to Amazon VPC settings Login to AWS Management Console without MFA MFA disabled for a user Tracking Privileged Account Rare Activity Suspicious Data Access to S3 Bucket from Unknown IP S3 Bucket outbound Data transfer anomaly Failed AWS Console logons but success logon to AzureAD Exploit and Pentest Framework User Agent Changes to AWS Elastic Load Balancer security groups Tracking Privileged Account Rare Activity Changes to Amazon VPC settings Failed AzureAD logons but success logon to AWS Console Monitor AWS Credential abuse or hijacking Login to AWS Management Console without MFA Changes to AWS Security Group ingress and egress settings Changes made to AWS IAM policy Changes made to AWS IAM policy Failed AWS Console logons but success logon to AzureAD Changes to Amazon VPC settings Privileged role attached to Instance Suspicious credential token access of valid IAM Roles Known IRIDIUM IP Suspicious credential token access of valid IAM Roles Changes made to AWS CloudTrail logs (Preview) TI map IP entity to AWSCloudTrail New UserAgent observed in last 24 hours Exploit and Pentest Framework User Agent Known IRIDIUM IP (Preview) TI map IP entity to AWSCloudTrail INITIAL ACCESS EXECUTION PERSISTENCE PRIVILEGE ESCALATION DEFENSE EVASION CREDENTIAL ACCESS DISCOVERY COLLECTION EXFILTRATION Low Medium High HuntingQuery
- 20. Demo : Threat Hunting on Leaked Access key/Compromised user
- 22. • 4/20/2020, 4:32:08.000 AM: CreateRole • 4/20/2020, 4:32:08.000 AM: CreatePolicy • 4/20/2020, 4:32:12.000 AM: AttachRolePolicy • 4/20/2020, 5:08:51.000 AM: ListInstanceProfile • 4/20/2020, 5:10:08.000 AM : ListRole • 4/20/2020, 5:12:32.000 AM: RemoveRoleToInstance • 4/20/2020, 5:13:28.000 AM: AddRoleToInstance • 4/20/2020, 9:10:45.000 AM: Create Key Pair • 4/20/2020, 9:25:13.000 AM: DescribeInstances • 4/20/2020, 9:15:20.000 AM: Run Instances • 4/20/2020, 9:26:47.000 AM: TerminateInstances iam_privesc_by_attachment
- 24. Azure for AWS Professionals What is AWS CloudTrail ? MITRE ATT&CK Enterprise Matrix OSSEM : Data dictionary for AWS Cloud Data sources Guardduty Active Finding Types Cloudgoat Scenario : iam_privesc_by_attachment
- 25. Thank You for Joining Us! Recordings will be posted to our community forums at https://aka.ms/SecurityWebinars. You can ask additional questions at https://aka.ms/AzureSentinelCommunity. Please give us your feedback on this webinar at https://aka.ms/SecurityCommunityWebinarFeedback. Join our Community: https://aka.ms/SecurityCommunity For any questions or comments on our documentation (https://docs.microsoft.com) contact directly at MSsecuritydocs@microsoft.com
Editor's Notes
- #10: Logic Apps is very simple, but for high volumes can be expensive Azure Functions is much cheaper, but has a steeper learning curve, even if using PowerShell as the programming language. Logstash is a popular choice but requires a VM to run on