Overview
This document outlines the current workflow for manually querying Possible Reconnaissance attacks. In this Playbook, we are querying AWS CloudTrail Logs located at Hulk Elastic’s bladerunner-network-aws index to detect events where:
Use Case Condition 1: A sourceIPAddress is seen performing an eventName: GetCallerIdentity
Use Case Condition 2: A sourceIPAddress is seen performing an eventName: GetCallerIdentity while using a userAgent: trufflehog
What is TruffleHog?
TruffleHog is a security tool designed to scan code repositories for sensitive information such as secrets, passwords, and sensitive keys.
Hackers can misuse TruffleHog to scan public code repositories, such as those on GitHub, for exposed secrets and sensitive information. Here’s how they might do it:
Scanning Public Repositories: Hackers use TruffleHog to search through public repositories for exposed API keys, passwords, and other sensitive data.
Exploiting Exposed Secrets: Once they find these secrets, they can use them to gain unauthorized access to systems, databases, or services.
Automating the Process: By automating the scanning process, hackers can quickly and efficiently identify multiple targets with exposed secrets.
Leveraging Found Data: The exposed data can be used for various malicious activities, such as launching further attacks, stealing data, or causing service disruptions.
It's crucial for developers and organizations to regularly scan their codebases for exposed secrets and to follow best practices for secret management to mitigate these risks.
Blue Team Steps
Use Case Condition 1: A sourceIPAddress is seen performing an eventName: GetCallerIdentity
UCC 1 QUERY FREQUENCY
These queries should ideally be run on a weekly basis. Consolidate all detected IPs into a ticket for validation by BladeRunner and provide supporting data. QUERY:
eventName:GetCallerIdentity AND sourceIPAddress:*
Elastic Query Screenshot:
Enrichment:
Look up each sourceIPAddress in On 1 tab, consolidate per sourceIPAddress and provide the number of hits per IP.
Provide Country and IP Reputation per sourceIPAddress
Check on whitelist (if provided by customer)
Use Case Condition 2: A sourceIPAddress is seen performing an eventName: GetCallerIdentity while using a userAgent: trufflehog
UCC2 QUERY FREQUENCY
These queries should ideally be run on an hourly basis, or at least once per Blue Team member on shift. If Use Case Condition 2 is triggered, raise a ticket and escalate to BladeRunner. QUERY:
eventName:GetCallerIdentity AND sourceIPAddress:* AND userAgent:trufflehog
Elastic Query Screenshot:
Enrichment:
Look up each sourceIPAddress in
Provide Country and IP Reputation per sourceIPAddress
Check on whitelist (if provided by customer)
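The two Use Case Conditions and the enrichment steps above (consolidate per sourceIPAddress, count hits per IP, check the customer whitelist, escalate UCC2) can be reproduced offline against exported CloudTrail records. The following Python script is an added example and is not part of the playbook or of Hulk's tooling; the CloudTrail records, IP addresses, access key IDs and the whitelist are constructed placeholders, and the Elasticsearch query DSL it builds assumes the index exposes the flat field names used in the playbook (eventName, sourceIPAddress, userAgent) with sourceIPAddress mapped as a keyword field.

```python
"""Offline triage of GetCallerIdentity events, mirroring the playbook's
UCC1/UCC2 logic and enrichment. Added example; all sample data is constructed."""
import json
from collections import defaultdict

# Constructed sample CloudTrail records (minimal shape, playbook field names).
SAMPLE_RECORDS = [
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userAgent": "TruffleHog", "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000001"}},
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userAgent": "TruffleHog", "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000001"}},
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6", "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000002"}},
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "192.0.2.44",
     "userAgent": "aws-sdk-go/1.44.0", "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000003"}},
    # Not GetCallerIdentity: must be ignored by both conditions.
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userAgent": "TruffleHog", "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000001"}},
]

# Hypothetical customer-provided whitelist (placeholder address).
WHITELIST = frozenset({"192.0.2.44"})


def ucc1(record):
    """Use Case Condition 1: GetCallerIdentity with a sourceIPAddress present."""
    return record.get("eventName") == "GetCallerIdentity" and bool(record.get("sourceIPAddress"))


def ucc2(record):
    """Use Case Condition 2: UCC1 plus a TruffleHog user agent (case-insensitive)."""
    return ucc1(record) and "trufflehog" in record.get("userAgent", "").lower()


def triage(records, whitelist=frozenset()):
    """Consolidate UCC1 hits per sourceIPAddress: hit count, whether any hit was
    UCC2, the access keys seen (candidates for rotation) and whitelist status."""
    per_ip = defaultdict(lambda: {"hits": 0, "trufflehog": False,
                                  "access_keys": set(), "whitelisted": False})
    for r in records:
        if not ucc1(r):
            continue
        ip = r["sourceIPAddress"]
        entry = per_ip[ip]
        entry["hits"] += 1
        entry["trufflehog"] = entry["trufflehog"] or ucc2(r)
        key = r.get("userIdentity", {}).get("accessKeyId")
        if key:
            entry["access_keys"].add(key)
        entry["whitelisted"] = ip in whitelist
    return dict(per_ip)


def escalations(summary):
    """IPs that triggered UCC2 and are not whitelisted: raise a ticket, escalate."""
    return sorted(ip for ip, e in summary.items() if e["trufflehog"] and not e["whitelisted"])


def es_query(trufflehog_only=False):
    """Elasticsearch query DSL equivalent of the playbook's KQL, with a terms
    aggregation on sourceIPAddress so the per-IP hit count is computed server-side.
    The case_insensitive wildcard option requires Elasticsearch 7.10 or later."""
    must = [{"term": {"eventName": "GetCallerIdentity"}},
            {"exists": {"field": "sourceIPAddress"}}]
    if trufflehog_only:
        must.append({"wildcard": {"userAgent": {"value": "*trufflehog*",
                                                "case_insensitive": True}}})
    return {"size": 0,
            "query": {"bool": {"must": must}},
            "aggs": {"per_ip": {"terms": {"field": "sourceIPAddress", "size": 500}}}}


if __name__ == "__main__":
    summary = triage(SAMPLE_RECORDS, WHITELIST)
    print(json.dumps(summary, indent=2, default=sorted))
    print("escalate:", escalations(summary))
    print(json.dumps(es_query(trufflehog_only=True), indent=2))
```

The per-IP summary is what the ticket's supporting data looks like: one row per sourceIPAddress with the hit count, the TruffleHog flag, the access keys involved and the whitelist result; Country and IP Reputation would be joined onto each row from the lookup service used in the enrichment step.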
Recommended Actions:
Immediate Credential Rotation: Disable or rotate the affected credentials to prevent unauthorized access.
Investigate Actions: Thoroughly investigate any actions taken by the identity associated with the GetCallerIdentity event. Check for any unusual or unauthorized activities.
Review Access Logs: Analyze AWS CloudTrail logs and other relevant logs to identify any other suspicious activities or patterns associated with the source IP address.
Strengthen Security Policies: Ensure that your IAM policies follow the principle of least privilege. Restrict permissions to only what is necessary for each user or role.
Enable Multi-Factor Authentication (MFA): Enforce MFA for all users to add an extra layer of security.
Monitor for Further Activity: Set up alerts for any future occurrences of similar events to respond quickly to potential threats.
Saving Query and Exporting to CSV
To export the results of this query to CSV:
First, click the Save option on the left-hand side of the Elastic console and save the query under a name.
Next, click the Share option in the top-left corner of the Elastic console.
Click CSV Reports; this opens the screen shown in the image below.
Click Generate CSV to export the report. The report is queued for generation; as the last step, go to Home / Stack Management / Reporting, where the report can be downloaded.
Collection
The flow starts with the collection of data. AWS CloudTrail logs are pulled using the Hulk Collect microservice (SkyFormation Template) and forwarded to an S3 bucket under the Invicta AWS Account. Once stored in bronze, the AWS CloudTrail logs are fetched by Logstash and sent to Elasticsearch under the bladerunner-network-aws index.
Other References
Other AWS Event Types →
For understanding the IP ranges and classes →
Possible Improvements
Make AWS CloudTrail available on LogScale (preferred search tool of the Hulk Blue Team).
Automatically run this query on Elasticsearch (or LogScale) so that alerts are raised in real time and trigger this Playbook.