update events and add new events from pepperclipp blog post (#26)

adanalvarez · Feb 15, 2025 · e575af3 · e575af3
1 parent 5c578cb
commit e575af3
Show file tree

Hide file tree

Showing 17 changed files with 479 additions and 7 deletions.
diff --git a/docs/events.csv b/docs/events.csv
diff --git a/docs/events.json b/docs/events.json
@@ -6924,6 +6924,68 @@
         ],
         "permissions": "https://aws.permissions.cloud/iam/kms#kms-GenerateDataKeyWithoutPlaintext"
     },
+    {
+        "eventName": "PutKeyPolicy",
+        "eventSource": "kms.amazonaws.com",
+        "awsService": "KMS",
+        "description": "Attaches a key policy to the specified KMS key.",
+        "mitreAttackTactics": [
+            "TA0040 - Impact"
+        ],
+        "mitreAttackTechniques": [
+            "T1486 - Data Encrypted for Impact"
+        ],
+        "mitreAttackSubTechniques": [],
+        "unverifiedMitreAttackTechniques": [],
+        "usedInWild": false,
+        "incidents": [],
+        "researchLinks": [
+            {
+                "description": "Encrypting buckets for compliance and ransom - How Attackers Can Use KMS to Ransomware S3 Buckets",
+                "link": "https://blog.pepperclipp.com/pepperclipp-public/encrypting-buckets-for-compliance-and-ransom-how-attackers-can-use-kms-to-ransomware-s3-buckets"
+            }
+        ],
+        "securityImplications": "Attackers might put a new key polocy to modify the policy of a current KMS Key and lock the data for ransomware attacks.",
+        "alerting": [],
+        "simulation": [
+            {
+                "type": "commandLine",
+                "value": "aws kms put-key-policy --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --policy-name default --policy \"{\"Version\":\"2012-10-17\",\"Id\":\"key-default-1\",\"Statement\":[{\"Sid\":\"Enable IAM User Permissions\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:root\"},\"Action\":\"kms:*\",\"Resource\":\"*\"}]}\""
+            }
+        ],
+        "permissions": "https://aws.permissions.cloud/iam/kms#kms-PutKeyPolicy"
+    },
+    {
+        "eventName": "DescribeKey",
+        "eventSource": "kms.amazonaws.com",
+        "awsService": "KMS",
+        "description": "Provides detailed information about a KMS key.",
+        "mitreAttackTactics": [
+            "TA0007 - Discovery"
+        ],
+        "mitreAttackTechniques": [
+            "T1526 - Cloud Service Discovery"
+        ],
+        "mitreAttackSubTechniques": [],
+        "unverifiedMitreAttackTechniques": [],
+        "usedInWild": false,
+        "incidents": [],
+        "researchLinks": [
+            {
+                "description": "Encrypting buckets for compliance and ransom - How Attackers Can Use KMS to Ransomware S3 Buckets",
+                "link": "https://blog.pepperclipp.com/pepperclipp-public/encrypting-buckets-for-compliance-and-ransom-how-attackers-can-use-kms-to-ransomware-s3-buckets"
+            }
+        ],
+        "securityImplications": "Attackers might use DescribeKey to check information of KMS keys in ransomware attacks.",
+        "alerting": [],
+        "simulation": [
+            {
+                "type": "commandLine",
+                "value": "aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab"
+            }
+        ],
+        "permissions": "https://aws.permissions.cloud/iam/kms#kms-DescribeKey"
+    },
     {
         "eventName": "ScheduleKeyDeletion",
         "eventSource": "kms.amazonaws.com",
@@ -7010,7 +7072,12 @@
                 "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"
             }
         ],
-        "researchLinks": [],
+        "researchLinks": [
+            {
+                "description": "Encrypting buckets for compliance and ransom - How Attackers Can Use KMS to Ransomware S3 Buckets",
+                "link": "https://blog.pepperclipp.com/pepperclipp-public/encrypting-buckets-for-compliance-and-ransom-how-attackers-can-use-kms-to-ransomware-s3-buckets"
+            }
+        ],
         "securityImplications": "Attackers might use Encrypt to encrypt data for ransom.",
         "alerting": [],
         "simulation": [
@@ -7021,6 +7088,37 @@
         ],
         "permissions": "https://aws.permissions.cloud/iam/kms#kms-Encrypt"
     },
+    {
+        "eventName": "CreateKey",
+        "eventSource": "kms.amazonaws.com",
+        "awsService": "KMS",
+        "description": "Creates a unique customer managed KMS key in your AWS account and Region.",
+        "mitreAttackTactics": [
+            "TA0040 - Impact"
+        ],
+        "mitreAttackTechniques": [
+            "T1486 - Data Encrypted for Impact"
+        ],
+        "mitreAttackSubTechniques": [],
+        "unverifiedMitreAttackTechniques": [],
+        "usedInWild": false,
+        "incidents": [],
+        "researchLinks": [
+            {
+                "description": "Encrypting buckets for compliance and ransom - How Attackers Can Use KMS to Ransomware S3 Buckets",
+                "link": "https://blog.pepperclipp.com/pepperclipp-public/encrypting-buckets-for-compliance-and-ransom-how-attackers-can-use-kms-to-ransomware-s3-buckets"
+            }
+        ],
+        "securityImplications": "Attackers might create keys only accessible by the identity they have compromised, for later encrypt data and delete access to it for ransomware attacks.",
+        "alerting": [],
+        "simulation": [
+            {
+                "type": "commandLine",
+                "value": "aws kms create-key"
+            }
+        ],
+        "permissions": "https://aws.permissions.cloud/iam/kms#kms-CreateKey"
+    },
     {
         "eventName": "LookupEvents",
         "eventSource": "cloudtrail.amazonaws.com",
@@ -7672,7 +7770,12 @@
                 "link": "https://www.tripwire.com/state-of-security/la-times-website-cryptojacking-attack"
             }
         ],
-        "researchLinks": [],
+        "researchLinks": [
+            {
+                "description": "Encrypting buckets for compliance and ransom - How Attackers Can Use KMS to Ransomware S3 Buckets",
+                "link": "https://blog.pepperclipp.com/pepperclipp-public/encrypting-buckets-for-compliance-and-ransom-how-attackers-can-use-kms-to-ransomware-s3-buckets"
+            }
+        ],
         "securityImplications": "Attackers might use PutObject to upload malicious content or overwrite existing files in S3 buckets.",
         "alerting": [],
         "simulation": [
@@ -8325,6 +8428,10 @@
             {
                 "description": "S3 Streaming Copy",
                 "link": "https://hackingthe.cloud/aws/exploitation/s3_streaming_copy/"
+            },
+            {
+                "description": "Encrypting buckets for compliance and ransom - How Attackers Can Use KMS to Ransomware S3 Buckets",
+                "link": "https://blog.pepperclipp.com/pepperclipp-public/encrypting-buckets-for-compliance-and-ransom-how-attackers-can-use-kms-to-ransomware-s3-buckets"
             }
         ],
         "securityImplications": "Attackers might use GetObject to download data from S3 buckets.",
@@ -8655,6 +8762,37 @@
         ],
         "permissions": "N/A"
     },
+    {
+        "eventName": "PutBucketEncryption",
+        "eventSource": "s3.amazonaws.com",
+        "awsService": "S3",
+        "description": "This operation configures default encryption and Amazon S3 Bucket Keys for an existing bucket.",
+        "mitreAttackTactics": [
+            "TA0040 - Impact"
+        ],
+        "mitreAttackTechniques": [
+            "T1486 - Data Encrypted for Impact"
+        ],
+        "mitreAttackSubTechniques": [],
+        "unverifiedMitreAttackTechniques": [],
+        "usedInWild": false,
+        "incidents": [],
+        "researchLinks": [
+            {
+                "description": "Encrypting buckets for compliance and ransom - How Attackers Can Use KMS to Ransomware S3 Buckets",
+                "link": "https://blog.pepperclipp.com/pepperclipp-public/encrypting-buckets-for-compliance-and-ransom-how-attackers-can-use-kms-to-ransomware-s3-buckets"
+            }
+        ],
+        "securityImplications": "Attackers might use PutBucketEncryption to set the KMS key to one it controls for ransomware.",
+        "alerting": [],
+        "simulation": [
+            {
+                "type": "commandLine",
+                "value": "aws s3api put-bucket-encryption --bucket my-bucket --server-side-encryption-configuration '{\"Rules\":[{\"ApplyServerSideEncryptionByDefault\":{\"SSEAlgorithm\":\"aws:kms\",\"KMSMasterKeyID\":\"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab\"}}]}'"
+            }
+        ],
+        "permissions": "N/A"
+    },
     {
         "eventName": "ListVaults",
         "eventSource": "glacier.amazonaws.com",

diff --git a/docs/logExamples/CreateKey.json.cloudtrail b/docs/logExamples/CreateKey.json.cloudtrail
@@ -0,0 +1,47 @@
+[
+   {
+      "awsRegion": "us-east-1",
+      "errorCode": "AccessDenied",
+      "errorMessage": "User: arn:aws:sts::345594607949:assumed-role/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50/AdanAlvarez is not authorized to perform: kms:CreateKey on resource: * because no identity-based policy allows the kms:CreateKey action",
+      "eventCategory": "Management",
+      "eventID": "6f4babb4-aac4-4664-a2e6-1ce8c9baac2b",
+      "eventName": "CreateKey",
+      "eventSource": "kms.amazonaws.com",
+      "eventTime": "2025-02-15T14:51:04Z",
+      "eventType": "AwsApiCall",
+      "eventVersion": "1.11",
+      "managementEvent": true,
+      "readOnly": false,
+      "recipientAccountId": "345594607949",
+      "requestID": "6542de57-ab9c-43e2-9532-738cc50c76db",
+      "requestParameters": null,
+      "responseElements": null,
+      "sourceIPAddress": "46.6.38.8",
+      "tlsDetails": {
+         "cipherSuite": "TLS_AES_256_GCM_SHA384",
+         "clientProvidedHostHeader": "kms.us-east-1.amazonaws.com",
+         "tlsVersion": "TLSv1.3"
+      },
+      "userAgent": "aws-cli/2.17.32 md/awscrt#0.21.2 ua/2.0 os/linux#5.15.153.1-microsoft-standard-WSL2 md/arch#x86_64 lang/python#3.11.9 md/pyimpl#CPython exec-env/grimoire_a35c5710-8a0e-4a58-b124-508fa7267cbd cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#kms.create-key",
+      "userIdentity": {
+         "accessKeyId": "ASIAVA5YLHFG22UNOASA",
+         "accountId": "345594607949",
+         "arn": "arn:aws:sts::345594607949:assumed-role/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50/AdanAlvarez",
+         "principalId": "AROAVA5YLHFGXTTEWKGQX:AdanAlvarez",
+         "sessionContext": {
+            "attributes": {
+               "creationDate": "2025-02-15T14:50:08Z",
+               "mfaAuthenticated": "false"
+            },
+            "sessionIssuer": {
+               "accountId": "345594607949",
+               "arn": "arn:aws:iam::345594607949:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50",
+               "principalId": "AROAVA5YLHFGXTTEWKGQX",
+               "type": "Role",
+               "userName": "AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50"
+            }
+         },
+         "type": "AssumedRole"
+      }
+   }
+]
diff --git a/docs/logExamples/DescribeKey.json.cloudtrail b/docs/logExamples/DescribeKey.json.cloudtrail
@@ -0,0 +1,47 @@
+[
+   {
+      "awsRegion": "us-east-1",
+      "errorCode": "NotFoundException",
+      "errorMessage": "Key 'arn:aws:kms:us-east-1:345594607949:key/1234abcd-12ab-34cd-56ef-1234567890ab' does not exist",
+      "eventCategory": "Management",
+      "eventID": "82afc1f2-b6aa-48dd-bab5-86bbbefb46ac",
+      "eventName": "DescribeKey",
+      "eventSource": "kms.amazonaws.com",
+      "eventTime": "2025-02-15T14:52:52Z",
+      "eventType": "AwsApiCall",
+      "eventVersion": "1.11",
+      "managementEvent": true,
+      "readOnly": true,
+      "recipientAccountId": "345594607949",
+      "requestID": "d9ab4ab3-911c-4627-86fd-2c8216f39fc1",
+      "requestParameters": null,
+      "responseElements": null,
+      "sourceIPAddress": "46.6.38.8",
+      "tlsDetails": {
+         "cipherSuite": "TLS_AES_256_GCM_SHA384",
+         "clientProvidedHostHeader": "kms.us-east-1.amazonaws.com",
+         "tlsVersion": "TLSv1.3"
+      },
+      "userAgent": "aws-cli/2.17.32 md/awscrt#0.21.2 ua/2.0 os/linux#5.15.153.1-microsoft-standard-WSL2 md/arch#x86_64 lang/python#3.11.9 md/pyimpl#CPython exec-env/grimoire_f1febf2d-7a30-413e-86a0-19e718b2faad cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#kms.describe-key",
+      "userIdentity": {
+         "accessKeyId": "ASIAVA5YLHFG22UNOASA",
+         "accountId": "345594607949",
+         "arn": "arn:aws:sts::345594607949:assumed-role/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50/AdanAlvarez",
+         "principalId": "AROAVA5YLHFGXTTEWKGQX:AdanAlvarez",
+         "sessionContext": {
+            "attributes": {
+               "creationDate": "2025-02-15T14:50:08Z",
+               "mfaAuthenticated": "false"
+            },
+            "sessionIssuer": {
+               "accountId": "345594607949",
+               "arn": "arn:aws:iam::345594607949:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50",
+               "principalId": "AROAVA5YLHFGXTTEWKGQX",
+               "type": "Role",
+               "userName": "AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50"
+            }
+         },
+         "type": "AssumedRole"
+      }
+   }
+]
diff --git a/docs/logExamples/PutBucketEncryption.json.cloudtrail b/docs/logExamples/PutBucketEncryption.json.cloudtrail
@@ -0,0 +1 @@
+[]
diff --git a/docs/logExamples/PutKeyPolicy.json.cloudtrail b/docs/logExamples/PutKeyPolicy.json.cloudtrail
@@ -0,0 +1 @@
+[]
diff --git a/events/KMS/CreateKey.json b/events/KMS/CreateKey.json
@@ -0,0 +1,31 @@
+{
+    "eventName": "CreateKey",
+    "eventSource": "kms.amazonaws.com",
+    "awsService": "KMS",
+    "description": "Creates a unique customer managed KMS key in your AWS account and Region.",
+    "mitreAttackTactics": [
+        "TA0040 - Impact"
+    ],
+    "mitreAttackTechniques": [
+        "T1486 - Data Encrypted for Impact"
+    ],
+    "mitreAttackSubTechniques": [],
+    "unverifiedMitreAttackTechniques": [],
+    "usedInWild": false,
+    "incidents": [],
+    "researchLinks": [
+        {
+            "description": "Encrypting buckets for compliance and ransom - How Attackers Can Use KMS to Ransomware S3 Buckets",
+            "link": "https://blog.pepperclipp.com/pepperclipp-public/encrypting-buckets-for-compliance-and-ransom-how-attackers-can-use-kms-to-ransomware-s3-buckets"
+        }
+    ],
+    "securityImplications": "Attackers might create keys only accessible by the identity they have compromised, for later encrypt data and delete access to it for ransomware attacks.",
+    "alerting": [],
+    "simulation": [
+        {
+            "type": "commandLine",
+            "value": "aws kms create-key"
+        }
+    ],
+    "permissions": "https://aws.permissions.cloud/iam/kms#kms-CreateKey"
+}
diff --git a/events/KMS/CreateKey.json.cloudtrail b/events/KMS/CreateKey.json.cloudtrail
@@ -0,0 +1,47 @@
+[
+   {
+      "awsRegion": "us-east-1",
+      "errorCode": "AccessDenied",
+      "errorMessage": "User: arn:aws:sts::345594607949:assumed-role/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50/AdanAlvarez is not authorized to perform: kms:CreateKey on resource: * because no identity-based policy allows the kms:CreateKey action",
+      "eventCategory": "Management",
+      "eventID": "6f4babb4-aac4-4664-a2e6-1ce8c9baac2b",
+      "eventName": "CreateKey",
+      "eventSource": "kms.amazonaws.com",
+      "eventTime": "2025-02-15T14:51:04Z",
+      "eventType": "AwsApiCall",
+      "eventVersion": "1.11",
+      "managementEvent": true,
+      "readOnly": false,
+      "recipientAccountId": "345594607949",
+      "requestID": "6542de57-ab9c-43e2-9532-738cc50c76db",
+      "requestParameters": null,
+      "responseElements": null,
+      "sourceIPAddress": "46.6.38.8",
+      "tlsDetails": {
+         "cipherSuite": "TLS_AES_256_GCM_SHA384",
+         "clientProvidedHostHeader": "kms.us-east-1.amazonaws.com",
+         "tlsVersion": "TLSv1.3"
+      },
+      "userAgent": "aws-cli/2.17.32 md/awscrt#0.21.2 ua/2.0 os/linux#5.15.153.1-microsoft-standard-WSL2 md/arch#x86_64 lang/python#3.11.9 md/pyimpl#CPython exec-env/grimoire_a35c5710-8a0e-4a58-b124-508fa7267cbd cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#kms.create-key",
+      "userIdentity": {
+         "accessKeyId": "ASIAVA5YLHFG22UNOASA",
+         "accountId": "345594607949",
+         "arn": "arn:aws:sts::345594607949:assumed-role/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50/AdanAlvarez",
+         "principalId": "AROAVA5YLHFGXTTEWKGQX:AdanAlvarez",
+         "sessionContext": {
+            "attributes": {
+               "creationDate": "2025-02-15T14:50:08Z",
+               "mfaAuthenticated": "false"
+            },
+            "sessionIssuer": {
+               "accountId": "345594607949",
+               "arn": "arn:aws:iam::345594607949:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50",
+               "principalId": "AROAVA5YLHFGXTTEWKGQX",
+               "type": "Role",
+               "userName": "AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50"
+            }
+         },
+         "type": "AssumedRole"
+      }
+   }
+]