template-definition.yml
---
name: Access Secret in Secrets Manager
author: Nick Jones
description: |
  An adversary may attempt to access the secrets in secrets manager, to steal certificates, credentials or other sensitive material
platform: aws
category: Credential Access
mitre_ids:
  - T1528
permissions:
  - secretsmanager:GetSecretValue
  - kms:Decrypt
input_arguments:
  secretid:
    description: ID of secret to access, either ARN or friendly name
    type: str
    value: "leonidas_created_secret"
executors:
  sh:
    code: |
      aws secretsmanager get-secret-value --secret-id {{ secretid }}
  leonidas_aws:
    implemented: True
    clients:
      - secretsmanager
    code: |
      result = clients["secretsmanager"].get_secret_value(SecretId=secretid)
detection:
  sigma_id: cbeba6f0-019e-4782-8c7e-e21b10521eed
  status: experimental
  level: low
  sources:
    - name: "cloudtrail"
      attributes:
        eventName: "GetSecretValue"
        eventSource: "*.secretsmanager.amazonaws.com"
  falsepositives:
    - Developers making legitimate changes to the environment. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
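The following is an added example, not code from the Leonidas project, showing how the `detection` block above behaves when applied to CloudTrail records: it treats each attribute value as a Sigma-style wildcard pattern, filters a list of events, and pulls out the fields the `falsepositives` note tells an analyst to verify (principal, user agent, source address, secret id). The CloudTrail records are constructed by hand; the field names (`eventName`, `eventSource`, `userIdentity`, `userAgent`, `sourceIPAddress`, `requestParameters`) follow the CloudTrail record format. It assumes `*` means "any run of characters" and that everything else in the pattern, including `.`, is literal.

```python
"""Apply the detection attributes of the definition above to CloudTrail records.

Added example, not part of the Leonidas project. Sample events are constructed
for illustration and are not real log data.
"""
import fnmatch
import json

# Copied from detection.sources[0].attributes in the definition above.
RULE_ATTRIBUTES = {
    "eventName": "GetSecretValue",
    "eventSource": "*.secretsmanager.amazonaws.com",
}

# Constructed CloudTrail-shaped records (account id, IPs and ARNs are placeholders).
SAMPLE_EVENTS = [
    {
        "eventName": "GetSecretValue",
        "eventSource": "secretsmanager.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"},
        "userAgent": "aws-cli/2.0.0",
        "sourceIPAddress": "198.51.100.10",
        "requestParameters": {"secretId": "leonidas_created_secret"},
    },
    {
        "eventName": "DescribeSecret",
        "eventSource": "secretsmanager.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"},
        "userAgent": "aws-cli/2.0.0",
        "sourceIPAddress": "198.51.100.10",
        "requestParameters": {"secretId": "leonidas_created_secret"},
    },
]


def attribute_matches(value, pattern):
    """Sigma-style comparison: '*' matches any run of characters, case-insensitive."""
    if not isinstance(value, str):
        return False
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def event_matches(event, attributes=RULE_ATTRIBUTES):
    """An event matches when every rule attribute matches (logical AND)."""
    return all(attribute_matches(event.get(key), pattern)
               for key, pattern in attributes.items())


def triage_summary(event):
    """The fields the falsepositives note asks the analyst to check."""
    return {
        "principal": event.get("userIdentity", {}).get("arn"),
        "userAgent": event.get("userAgent"),
        "sourceIPAddress": event.get("sourceIPAddress"),
        "secretId": event.get("requestParameters", {}).get("secretId"),
    }


def detect(events, attributes=RULE_ATTRIBUTES):
    """Return a triage summary for every event the rule attributes match."""
    return [triage_summary(event) for event in events
            if event_matches(event, attributes)]


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
    # Looser pattern for comparison: no literal dot required before the service name.
    loose = dict(RULE_ATTRIBUTES, eventSource="*secretsmanager.amazonaws.com")
    print(json.dumps(detect(SAMPLE_EVENTS, loose), indent=2))
```

One check worth making before relying on the rule: with plain glob semantics the pattern `*.secretsmanager.amazonaws.com` requires a literal dot before `secretsmanager`, so an `eventSource` of exactly `secretsmanager.amazonaws.com` (the form I expect CloudTrail to record for this service) does not match it, while `*secretsmanager.amazonaws.com` matches both forms. Whether that matters depends on how the SIEM that consumes the generated Sigma rule expands `*`, so run the rule against a known-good record from your own trail rather than assuming it fires.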