[New Rule] AWS S3 Bucket Ransom Note Uploaded #3604

terrancedejesus · 2024-04-18T02:19:39Z

Issues

https://github.com/elastic/ia-trade-team/issues/358

Summary

Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the PutObject S3 API call
with a common ransomware note file extension such as .txt, .note, .ransom, or .lock. Adversaries with access to
a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.

PutObject Example Event

{
  "_index": ".ds-logs-aws.cloudtrail-default-2024.05.06-000002",
  "_id": "e3ce95d475-000000346284",
  "_score": 1,
  "fields": {
    "aws.cloudtrail.request_parameters.text": [
      "{bucketName=stratus-red-team-ransomware-bucket-fhumti, x-id=PutObject, Host=stratus-red-team-ransomware-bucket-fhumti.s3.us-east-1.amazonaws.com, key=FILES-DELETED.txt}"
    ],
    "aws.cloudtrail.flattened.additional_eventdata": [
      {
        "SignatureVersion": "SigV4",
        "CipherSuite": "TLS_AES_128_GCM_SHA256",
        "bytesTransferredIn": 230,
        "SSEApplied": "Default_SSE_S3",
        "AuthenticationMethod": "AuthHeader",
        "x-amz-id-2": "Fw8a7tg+1+5ow/cjXQ6XgYbm5LcIQyAcWK95AiGIObII9tzz1QkwMQd/5IITKIaO0QIvLodrU/0=",
        "bytesTransferredOut": 0
      }
    ],
    "elastic_agent.version": [
      "8.13.2"
    ],
    "tls.version_protocol": [
      "tls"
    ],
    "user_agent.original.text": [
      "[stratus-red-team_995b14d8-ecd5-4883-8faf-bb5e9d235ee7]"
    ],
    "aws.cloudtrail.flattened.response_elements": [
      {
        "x-amz-server-side-encryption": "AES256",
        "x-amz-version-id": "bSpH4eh5YU_A6R56qMGjd_dnOMtuzKC9"
      }
    ],
    "aws.cloudtrail.additional_eventdata": [
      "{SignatureVersion=SigV4, CipherSuite=TLS_AES_128_GCM_SHA256, bytesTransferredIn=230, SSEApplied=Default_SSE_S3, AuthenticationMethod=AuthHeader, x-amz-id-2=Fw8a7tg+1+5ow/cjXQ6XgYbm5LcIQyAcWK95AiGIObII9tzz1QkwMQd/5IITKIaO0QIvLodrU/0=, bytesTransferredOut=0}"
    ],
    "aws.cloudtrail.response_elements": [
      "{x-amz-server-side-encryption=AES256, x-amz-version-id=bSpH4eh5YU_A6R56qMGjd_dnOMtuzKC9}"
    ],
    "agent.name.text": [
      "ip-172-31-95-103"
    ],
    "source.geo.region_name": [
      "Ohio"
    ],
    "source.ip": [
      "24.140.110.160"
    ],
    "agent.name": [
      "ip-172-31-95-103"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "source.geo.region_iso_code": [
      "US-OH"
    ],
    "aws.cloudtrail.management_event": [
      "false"
    ],
    "event.kind": [
      "event"
    ],
    "aws.cloudtrail.user_identity.arn": [
      "arn:aws:iam::891377031307:user/stratus"
    ],
    "event.outcome": [
      "success"
    ],
    "source.geo.city_name": [
      "Massillon"
    ],
    "tls.version": [
      "1.3"
    ],
    "user_agent.original": [
      "[stratus-red-team_995b14d8-ecd5-4883-8faf-bb5e9d235ee7]"
    ],
    "event.original": [
      "{\"eventVersion\":\"1.09\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDA47CRWDCFTQGUB5FBF\",\"arn\":\"arn:aws:iam::891377031307:user/stratus\",\"accountId\":\"891377031307\",\"accessKeyId\":\"AKIA47CRWDCFXZ3V7UXR\",\"userName\":\"stratus\"},\"eventTime\":\"2024-06-02T14:23:21Z\",\"eventSource\":\"s3.amazonaws.com\",\"eventName\":\"PutObject\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"24.140.110.160\",\"userAgent\":\"[stratus-red-team_995b14d8-ecd5-4883-8faf-bb5e9d235ee7]\",\"requestParameters\":{\"bucketName\":\"stratus-red-team-ransomware-bucket-fhumti\",\"Host\":\"stratus-red-team-ransomware-bucket-fhumti.s3.us-east-1.amazonaws.com\",\"key\":\"FILES-DELETED.txt\",\"x-id\":\"PutObject\"},\"responseElements\":{\"x-amz-server-side-encryption\":\"AES256\",\"x-amz-version-id\":\"bSpH4eh5YU_A6R56qMGjd_dnOMtuzKC9\"},\"additionalEventData\":{\"SignatureVersion\":\"SigV4\",\"CipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"bytesTransferredIn\":230,\"SSEApplied\":\"Default_SSE_S3\",\"AuthenticationMethod\":\"AuthHeader\",\"x-amz-id-2\":\"Fw8a7tg+1+5ow/cjXQ6XgYbm5LcIQyAcWK95AiGIObII9tzz1QkwMQd/5IITKIaO0QIvLodrU/0=\",\"bytesTransferredOut\":0},\"requestID\":\"FJV8AB29ES77QPJX\",\"eventID\":\"958d276a-15fd-4901-aa67-b13ec9c9d8d9\",\"readOnly\":false,\"resources\":[{\"type\":\"AWS::S3::Object\",\"ARN\":\"arn:aws:s3:::stratus-red-team-ransomware-bucket-fhumti/FILES-DELETED.txt\"},{\"accountId\":\"891377031307\",\"type\":\"AWS::S3::Bucket\",\"ARN\":\"arn:aws:s3:::stratus-red-team-ransomware-bucket-fhumti\"}],\"eventType\":\"AwsApiCall\",\"managementEvent\":false,\"recipientAccountId\":\"891377031307\",\"eventCategory\":\"Data\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"stratus-red-team-ransomware-bucket-fhumti.s3.us-east-1.amazonaws.com\"}}"
    ],
    "cloud.region": [
      "us-east-1"
    ],
    "user.id": [
      "AIDA47CRWDCFTQGUB5FBF"
    ],
    "input.type": [
      "aws-s3"
    ],
    "log.offset": [
      346284
    ],
    "user_agent.name": [
      "Other"
    ],
    "data_stream.type": [
      "logs"
    ],
    "related.user": [
      "stratus"
    ],
    "tags": [
      "preserve_original_event",
      "forwarded",
      "aws-cloudtrail"
    ],
    "event.provider": [
      "s3.amazonaws.com"
    ],
    "agent.id": [
      "f14d530d-b7f2-4dbd-b122-28582c2a767c"
    ],
    "ecs.version": [
      "8.0.0"
    ],
    "event.created": [
      "2024-06-02T14:24:34.038Z"
    ],
    "aws.cloudtrail.event_version": [
      "1.09"
    ],
    "agent.version": [
      "8.13.2"
    ],
    "source.as.number": [
      12097
    ],
    "aws.cloudtrail.read_only": [
      false
    ],
    "aws.cloudtrail.event_category": [
      "Data"
    ],
    "aws.cloudtrail.user_identity.type": [
      "IAMUser"
    ],
    "aws.s3.bucket.arn": [
      "arn:aws:s3:::asperitas-security-logs"
    ],
    "aws.cloudtrail.recipient_account_id": [
      "891377031307"
    ],
    "aws.cloudtrail.request_id": [
      "FJV8AB29ES77QPJX"
    ],
    "tls.cipher": [
      "TLS_AES_128_GCM_SHA256"
    ],
    "user.name": [
      "stratus"
    ],
    "source.geo.location": [
      {
        "coordinates": [
          -81.4971,
          40.8133
        ],
        "type": "Point"
      }
    ],
    "source.address": [
      "24.140.110.160"
    ],
    "aws.cloudtrail.flattened.request_parameters": [
      {
        "bucketName": "stratus-red-team-ransomware-bucket-fhumti",
        "x-id": "PutObject",
        "Host": "stratus-red-team-ransomware-bucket-fhumti.s3.us-east-1.amazonaws.com",
        "key": "FILES-DELETED.txt"
      }
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "aws"
    ],
    "source.geo.country_iso_code": [
      "US"
    ],
    "aws.cloudtrail.response_elements.text": [
      "{x-amz-server-side-encryption=AES256, x-amz-version-id=bSpH4eh5YU_A6R56qMGjd_dnOMtuzKC9}"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "aws.cloudtrail.event_type": [
      "AwsApiCall"
    ],
    "aws.s3.bucket.name": [
      "asperitas-security-logs"
    ],
    "source.as.organization.name.text": [
      "MASSCOM"
    ],
    "elastic_agent.id": [
      "f14d530d-b7f2-4dbd-b122-28582c2a767c"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "source.as.organization.name": [
      "MASSCOM"
    ],
    "source.geo.continent_name": [
      "North America"
    ],
    "aws.cloudtrail.additional_eventdata.text": [
      "{SignatureVersion=SigV4, CipherSuite=TLS_AES_128_GCM_SHA256, bytesTransferredIn=230, SSEApplied=Default_SSE_S3, AuthenticationMethod=AuthHeader, x-amz-id-2=Fw8a7tg+1+5ow/cjXQ6XgYbm5LcIQyAcWK95AiGIObII9tzz1QkwMQd/5IITKIaO0QIvLodrU/0=, bytesTransferredOut=0}"
    ],
    "tls.client.server_name": [
      "stratus-red-team-ransomware-bucket-fhumti.s3.us-east-1.amazonaws.com"
    ],
    "event.action": [
      "PutObject"
    ],
    "event.ingested": [
      "2024-06-02T14:24:38Z"
    ],
    "@timestamp": [
      "2024-06-02T14:23:21.000Z"
    ],
    "cloud.account.id": [
      "891377031307"
    ],
    "aws.cloudtrail.user_identity.access_key_id": [
      "AKIA47CRWDCFXZ3V7UXR"
    ],
    "data_stream.dataset": [
      "aws.cloudtrail"
    ],
    "event.type": [
      "info"
    ],
    "log.file.path": [
      "https://asperitas-security-logs.s3.us-east-1.amazonaws.com/AWSLogs/891377031307/CloudTrail/us-east-1/2024/06/02/891377031307_CloudTrail_us-east-1_20240602T1425Z_OhKx2Q26KuHGGckK.json.gz"
    ],
    "agent.ephemeral_id": [
      "69b4fa20-756a-4d41-8325-7613b13a01b2"
    ],
    "aws.cloudtrail.request_parameters": [
      "{bucketName=stratus-red-team-ransomware-bucket-fhumti, x-id=PutObject, Host=stratus-red-team-ransomware-bucket-fhumti.s3.us-east-1.amazonaws.com, key=FILES-DELETED.txt}"
    ],
    "event.id": [
      "958d276a-15fd-4901-aa67-b13ec9c9d8d9"
    ],
    "source.geo.country_name": [
      "United States"
    ],
    "user_agent.device.name": [
      "Other"
    ],
    "aws.s3.object.key": [
      "AWSLogs/891377031307/CloudTrail/us-east-1/2024/06/02/891377031307_CloudTrail_us-east-1_20240602T1425Z_OhKx2Q26KuHGGckK.json.gz"
    ],
    "event.dataset": [
      "aws.cloudtrail"
    ],
    "user.name.text": [
      "stratus"
    ]
  }
}

…som Note Replacement'

rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml

…nsomware_note_added.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

terrancedejesus · 2024-06-05T19:36:17Z

@imays11 - Although approved, please re-review this PR. I changed it from a sequence to ESQL focusing only on the ransom note upload as discussed in #3604 (comment). Thanks!

imays11

Looks good

Aegrah

That looks good to me! Discussed with Terrance to remove some additional regex searches that are common from the query.

* new rule 'AWS S3 Bucket Object Retrieval, Deletion, and Potential Ransom Note Replacement' * fixed technique mapping * added investigation guide; added more ransom note extensions * adjusted lookback and maxspan * added API call to second sequence * updating date * Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * changed rule to ESQL; updated investigation guide * changed file name * removed txt, ecc, and note --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> (cherry picked from commit 62eea77)

new rule 'AWS S3 Bucket Object Retrieval, Deletion, and Potential Ran…

6aae139

…som Note Replacement'

terrancedejesus added Integration: AWS AWS related rules Domain: Cloud Rule: New Proposal for new rule Area: RAD labels Apr 18, 2024

terrancedejesus self-assigned this Apr 18, 2024

terrancedejesus added 3 commits April 17, 2024 22:27

fixed technique mapping

bd1f87e

added investigation guide; added more ransom note extensions

1d99d73

adjusted lookback and maxspan

e4fb49e

terrancedejesus requested review from w0rk3r, DefSecSentinel, imays11, Samirbous and Aegrah June 1, 2024 14:32

terrancedejesus marked this pull request as ready for review June 1, 2024 14:32

Merge branch 'main' into new-rule-aws-s3-ransomware-deletion-and-note

042838d

github-actions bot added the backport: auto label Jun 1, 2024

terrancedejesus and others added 3 commits June 1, 2024 10:36

added API call to second sequence

2d6f497

Merge branch 'main' into new-rule-aws-s3-ransomware-deletion-and-note

08b0d96

Merge branch 'main' into new-rule-aws-s3-ransomware-deletion-and-note

3c0d223

terrancedejesus commented Jun 2, 2024

View reviewed changes

rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml Outdated Show resolved Hide resolved

updating date

e0ab1fb

imays11 approved these changes Jun 4, 2024

View reviewed changes

Aegrah reviewed Jun 5, 2024

View reviewed changes

terrancedejesus and others added 3 commits June 5, 2024 10:25

Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ra…

1718592

…nsomware_note_added.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ra…

f2f8fe5

…nsomware_note_added.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

Merge branch 'main' into new-rule-aws-s3-ransomware-deletion-and-note

45abf53

terrancedejesus marked this pull request as draft June 5, 2024 14:33

changed rule to ESQL; updated investigation guide

51072e5

terrancedejesus changed the title ~~[New Rule] AWS S3 Bucket Object Retrieval, Deletion, and Potential Ransom Note Replacement~~ [New Rule] AWS S3 Bucket Ransom Note Uploaded Jun 5, 2024

terrancedejesus requested review from imays11 and Aegrah June 5, 2024 19:30

terrancedejesus marked this pull request as ready for review June 5, 2024 19:35

Merge branch 'main' into new-rule-aws-s3-ransomware-deletion-and-note

c4000a4

terrancedejesus and others added 2 commits June 5, 2024 15:42

changed file name

b8bc164

Merge branch 'main' into new-rule-aws-s3-ransomware-deletion-and-note

1834dc2

imays11 approved these changes Jun 6, 2024

View reviewed changes

terrancedejesus added 4 commits June 6, 2024 15:39

Merge branch 'main' into new-rule-aws-s3-ransomware-deletion-and-note

a216ae6

Merge branch 'main' into new-rule-aws-s3-ransomware-deletion-and-note

889a7f8

Merge branch 'main' into new-rule-aws-s3-ransomware-deletion-and-note

d94ecb7

Merge branch 'main' into new-rule-aws-s3-ransomware-deletion-and-note

a82bc11

Aegrah approved these changes Jun 10, 2024

View reviewed changes

terrancedejesus and others added 2 commits June 10, 2024 10:37

removed txt, ecc, and note

3dfab5f

Merge branch 'main' into new-rule-aws-s3-ransomware-deletion-and-note

93de3c4

terrancedejesus merged commit 62eea77 into main Jun 10, 2024
9 checks passed

terrancedejesus deleted the new-rule-aws-s3-ransomware-deletion-and-note branch June 10, 2024 14:47

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[New Rule] AWS S3 Bucket Ransom Note Uploaded #3604

[New Rule] AWS S3 Bucket Ransom Note Uploaded #3604

terrancedejesus commented Apr 18, 2024 •

edited

Loading

terrancedejesus commented Jun 5, 2024

imays11 left a comment

Aegrah left a comment

[New Rule] AWS S3 Bucket Ransom Note Uploaded #3604

[New Rule] AWS S3 Bucket Ransom Note Uploaded #3604

Conversation

terrancedejesus commented Apr 18, 2024 • edited Loading

Issues

Summary

terrancedejesus commented Jun 5, 2024

imays11 left a comment

Choose a reason for hiding this comment

Aegrah left a comment

Choose a reason for hiding this comment

terrancedejesus commented Apr 18, 2024 •

edited

Loading