
Introducing Cloud Console Cartographer: An Open-Source Tool To Help Security Teams Easily Understand Log Events Generated by AWS Console Activity

Introduction

While most cloud CLI tools provide a one-to-one correlation between an API being invoked and a single corresponding API event being generated in cloud log telemetry, browser-based interactive console sessions differ profoundly across cloud providers in ways that obfuscate the original actions taken by the user.

If you’ve spent time digging through cloud logs generated by AWS console sessions, you’ve probably scratched your head quite a few times trying to distill a long list of log events generated from a single action, such as a click of a button. The noise in these logs not only makes triaging threats difficult, it also makes it hard for SOC teams to answer the question “What do all of these events mean, and what actions did the identity actually take inside the AWS console?”

In reviewing these logs, you might see events in CloudTrail such as iam:ListMFADevices or iam:ListAccessKeys. This can be confusing, because the user didn’t take any action in the UI to list MFA devices or access keys; the user simply clicked on the IAM homepage, which triggered these events to populate that information in the console UI. Security professionals are left trying to differentiate API calls specifically invoked by a user from the secondary API invocations that create events to support the behavior or actions being conducted in the console UI. Threat actors have been observed leveraging the console and other UIs strategically, knowing how confusing this log data can be to incident responders and blue teamers.

If you click on IAM users in the console and three users are listed, this single click generates 18 events in CloudTrail. If that number increases to 20 users, a total of 141 events will be generated. This number climbs to over 700 events if there are 100 users. That is a lot of event activity from a single click of a button.
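An added example, not part of the original post and not Cloud Console Cartographer's own signal mapping: a simple time-gap heuristic in Python that groups console-session CloudTrail records into bursts and surfaces any non-read-only calls inside each burst. The sample records, the access key, and the 2-second gap are constructed assumptions; the field names follow the CloudTrail record format.

```python
from datetime import datetime, timedelta

def ev(sec, name, console=True, read_only=True):
    """Build one constructed CloudTrail-style record (sample data, not real telemetry)."""
    rec = {"eventTime": f"2024-04-17T12:00:{sec:02d}Z", "eventName": name,
           "readOnly": read_only,
           "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY000001"}}  # constructed key
    if console:
        rec["sessionCredentialFromConsole"] = "true"
    return rec

# Constructed session: one page load for three users, a key creation, then a CLI call.
PER_USER = ["ListAccessKeys", "ListMFADevices", "ListGroupsForUser"]
SAMPLE = ([ev(0, "ListUsers")] + [ev(1, n) for n in PER_USER * 3]
          + [ev(30, "CreateAccessKey", read_only=False), ev(31, "ListAccessKeys")]
          + [ev(45, "ListUsers", console=False)])

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _summarize(key, events):
    # Non-read-only calls are the ones a responder needs to see first.
    mutating = sorted({e["eventName"] for e in events if not e.get("readOnly")})
    return {"accessKeyId": key, "start": events[0]["eventTime"],
            "events": len(events),
            "eventNames": sorted({e["eventName"] for e in events}),
            "mutating": mutating}

def console_bursts(records, gap_seconds=2):
    """Group console-session events per access key into bursts split by idle gaps."""
    by_key = {}
    for rec in records:
        if str(rec.get("sessionCredentialFromConsole", "")).lower() != "true":
            continue  # not issued through a console session
        key = rec.get("userIdentity", {}).get("accessKeyId", "unknown")
        by_key.setdefault(key, []).append(rec)
    bursts = []
    for key, events in by_key.items():
        events.sort(key=_ts)
        current = [events[0]]
        for rec in events[1:]:
            if _ts(rec) - _ts(current[-1]) > timedelta(seconds=gap_seconds):
                bursts.append(_summarize(key, current))
                current = []
            current.append(rec)
        bursts.append(_summarize(key, current))
    return bursts

if __name__ == "__main__":
    for b in console_bursts(SAMPLE):
        print(b["start"], b["events"], "events, mutating:", b["mutating"] or "none")
```

A burst with an empty `mutating` list is a candidate for console page-load noise, while a burst containing a write call deserves a closer look; the heuristic only narrows the review and does not label what the user clicked.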


Introducing Cloud Console Cartographer

Cloud Console Cartographer is an open-source tool built to help security teams distill the noise of events generated in cloud logs by activity in the AWS console. Cloud Console Cartographer maps the myriad of events generated in cloud logs to a consolidated list of succinct events that quickly tell defenders what actions an identity actually conducted while using the AWS console UI. While much of cloud infrastructure is spun up as code today, a lot of activity still takes place in the AWS console. Even today, some features, capabilities, or information are only available within the console.

In the example below, a user performs the single action of selecting IAM → Users in the console. That single click generates nearly 500 CloudTrail events. These events represent what is loading in the user interface of the AWS console and what the user sees when the screen loads. This could include dashboards, a list of users or keys, etc. From the perspective of someone reviewing these logs, there’s a flood of events that looks like a slew of activity conducted by the user but doesn’t reflect what the user actually did.

[Screenshot: IAM Users]

Example #1 - Running the tool with local CloudTrail logs and event-level CLI summary

You can use the demo CloudTrail session stored in ./Demo to observe how the framework aggregates the log data and provides a succinct summary of the events. In a later example below, we will showcase how logs can be piped into the framework’s functions without requiring anything to be written to disk before calling any of the available aggregation or visualization functions.

First, you will need to invoke Add-Signal to apply Labels and perform the Signal mapping evaluation. Second, pass these results to one of the multiple output functions.

dir ./Demo/InputEvents.json | Add-Signal -Verbose | Show-EventSummary -Detail signal

 

[Screenshot: Show-EventSummary output]

Example #2 - Running the tool with CloudTrail logs queried directly from CloudTrail API and session-level CLI Summary

aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=ASIAPERSHENDETJEMIQ1 | Add-Signal | Show-SessionSummary

[Screenshot: Show-SessionSummary output]

Example #3 - Using Python-based UI Visualizer

cat ./Demo/InputEvents.json | Add-Signal | Show-SessionSummaryUI

[Screenshot: Show-SessionSummaryUI output]

We’re here to help security teams reduce the time they spend trying to put pieces together to make sense of noisy events in cloud logs. You can access Cloud Console Cartographer on GitHub: https://github.com/Permiso-io-tools/CloudConsoleCartographer 
