[New Hunt] Adding Hunting Query for IAM Unusual Default Aviatrix Role Activity #4409

Conversation

terrancedejesus

@terrancedejesus terrancedejesus commented Jan 22, 2025

Pull Request

Issue link(s):

Summary - What I changed

Adds a hunting query for unusual Aviatrix role activity. This is an assumed role in AWS that, if the EC2 instance were compromised, would be used to carry out additional TTPs. The temporary credentials gathered from IMDSv2 are tied directly to the role assigned to the EC2 instance. The Aviatrix network controller, when deployed in AWS, is deployed on an EC2 instance with these default roles.

Ref: https://docs.aviatrix.com/documentation/latest/platform-administration/accounts-and-users/iam-role.html

How To Test

Unable to deploy a vulnerable version from the marketplace as these were removed. We did develop a Python script to the best of our understanding and launched it at a publicly deployed controller in our AWS environment to mimic the requests. Please see the TRADE issue for more details.

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist


Hunt: New - Guidelines

Welcome to the hunting folder within the detection-rules repository! This directory houses a curated collection of threat hunting queries designed to enhance security monitoring and threat detection capabilities using the Elastic Stack.

Documentation and Context

  • Detailed description of the Hunt.
  • Link related issues or PRs.
  • Include references.
  • Field Usage: Ensure standardized fields for compatibility across different data environments and sources.

Hunt Metadata Checks

  • author: The name of the individual or organization authoring the rule.
  • uuid: Unique UUID.
  • name and description are descriptive and typo-free.
  • language: The query language(s) used in the rule, such as KQL, EQL, ES|QL, OsQuery, or YARA.
  • query is inclusive, not overly exclusive, considering performance for diverse environments.
  • integration aligns with the index. Ensure updates if the integration is newly introduced.
  • notes includes additional information regarding data collected from the hunting query.
  • mitre matches appropriate technique and sub-technique IDs that the hunting query collects data for.
  • references are valid URL links that include information relevant to the hunt or threat.
  • license

Testing and Validation

  • Evidence of testing and valid query usage.
  • Markdown Generated: Run python -m hunting generate-markdown with specific parameters to ensure a markdown version of the hunting TOML files is created.
  • Index Refreshed: Run python -m hunting refresh-index to refresh indexes.
  • Run Unit Tests: Run pytest tests/test_hunt_data.py to run unit tests.

and aws.cloudtrail.user_identity.type == "AssumedRole"
and aws.cloudtrail.user_identity.arn like "*aviatrix-role*"
| stats activity_counts = count(*) by event.provider, event.action, aws.cloudtrail.user_identity.arn
| where activity_counts < 10

It could be that the activity is new; maybe some unique/distinct count on the source of its usage (like used from 2 or more sources) to increase suspicion?
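The following is an added illustration, not code from the PR or from the detection-rules repository: it mirrors what the ES|QL pipeline above computes (AssumedRole filter, `*aviatrix-role*` ARN match, counts by provider/action/ARN, keep rare combinations) over constructed CloudTrail events, and adds the reviewer's suggestion as an optional distinct-source threshold. The ARNs, IPs and event mix are assumptions made up for the example.

```python
from collections import defaultdict
from fnmatch import fnmatch

# Constructed identifiers (not real accounts or instances).
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/aviatrix-role-ec2/i-0123456789abcdef0"
OTHER_ARN = "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_Admin_abc/alice"

def ev(provider, action, arn, ip, identity_type="AssumedRole"):
    """Build one CloudTrail event using the ECS field names the query filters on."""
    return {"event.provider": provider, "event.action": action,
            "aws.cloudtrail.user_identity.type": identity_type,
            "aws.cloudtrail.user_identity.arn": arn, "source.ip": ip}

# Constructed sample data: routine controller calls, two rare calls, and noise
# that the filters should drop (a different role, a non-AssumedRole identity).
EVENTS = (
    [ev("ec2.amazonaws.com", "DescribeInstances", ROLE_ARN, "10.0.1.5")] * 12
    + [ev("iam.amazonaws.com", "ListRoles", ROLE_ARN, "10.0.1.5"),
       ev("iam.amazonaws.com", "ListRoles", ROLE_ARN, "198.51.100.7"),
       ev("s3.amazonaws.com", "ListBuckets", ROLE_ARN, "10.0.1.5"),
       ev("iam.amazonaws.com", "ListRoles", OTHER_ARN, "198.51.100.7"),
       ev("ec2.amazonaws.com", "RunInstances", ROLE_ARN, "10.0.1.5", "AWSService")]
)

def hunt(events, max_count=10, min_sources=1):
    """Mirror the ES|QL pipeline: keep AssumedRole events whose ARN matches
    *aviatrix-role*, count by (provider, action, arn), and return combinations
    seen fewer than max_count times. min_sources implements the reviewer's
    suggestion: require the rare activity to come from that many distinct IPs."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for e in events:
        if e.get("aws.cloudtrail.user_identity.type") != "AssumedRole":
            continue
        arn = e.get("aws.cloudtrail.user_identity.arn", "")
        if not fnmatch(arn, "*aviatrix-role*"):  # same wildcard semantics as ES|QL LIKE
            continue
        key = (e["event.provider"], e["event.action"], arn)
        counts[key] += 1
        sources[key].add(e["source.ip"])
    rows = [{"event.provider": p, "event.action": a, "arn": arn,
             "activity_counts": n, "distinct_sources": len(sources[(p, a, arn)])}
            for (p, a, arn), n in counts.items()
            if n < max_count and len(sources[(p, a, arn)]) >= min_sources]
    return sorted(rows, key=lambda r: (r["activity_counts"], r["event.action"]))

if __name__ == "__main__":
    for row in hunt(EVENTS, min_sources=2):
        print(row)
```

With the default `min_sources=1` both rare calls surface; raising it to 2 keeps only the ListRoles activity seen from two source IPs, which is the extra signal the review comment asks for.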
