rules/cloud/aws/aws_macic_evasion.yml

title: AWS Macie Evasion
id: 91f6a16c-ef71-437a-99ac-0b070e3ad221
status: experimental
description: Detects evade to Macie detection.
author: Sittikorn S
date: 2021/07/06
references:
    - https://docs.aws.amazon.com/cli/latest/reference/macie/
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventName:
            - 'ArchiveFindings'
            - 'CreateFindingsFilter'
            - 'DeleteMember'
            - 'DisassociateFromMasterAccount'
            - 'DisassociateMember'
            - 'DisableMacie'
            - 'DisableOrganizationAdminAccount'
            - 'UpdateFindingsFilter'
            - 'UpdateMacieSession'
            - 'UpdateMemberSession'
            - 'UpdateClassificationJob'
    timeframe: 10m
    condition: selection | count() by sourceIPAddress > 5
fields:
    - sourceIPAddress
    - userIdentity.arn
falsepositives:
    - System or Network administrator behaviors
level: medium
Update aws_macic_evasion 2021-07-26 15:26:17 +07:00			`title: AWS Macie Evasion`
Create aws_macic_evasion 2021-07-26 15:14:44 +07:00			`id: 91f6a16c-ef71-437a-99ac-0b070e3ad221`
			`status: experimental`
			`description: Detects evade to Macie detection.`
			`author: Sittikorn S`
			`date: 2021/07/06`
Update aws_macic_evasion 2021-07-26 15:38:34 +07:00			`references:`
Create aws_macic_evasion 2021-07-26 15:14:44 +07:00			`- https://docs.aws.amazon.com/cli/latest/reference/macie/`
			`tags:`
Update aws_macic_evasion.yml 2021-07-26 17:21:47 +07:00			`- attack.defense_evasion`
Create aws_macic_evasion 2021-07-26 15:14:44 +07:00			`- attack.t1562.001`
			`logsource:`
$frack113$ Add product aws 2021-11-14 09:56:59 +01:00			`product: aws`
Create aws_macic_evasion 2021-07-26 15:14:44 +07:00			`service: cloudtrail`
			`detection:`
			`selection:`
			`eventName:`
			`- 'ArchiveFindings'`
			`- 'CreateFindingsFilter'`
			`- 'DeleteMember'`
			`- 'DisassociateFromMasterAccount'`
			`- 'DisassociateMember'`
			`- 'DisableMacie'`
Update aws_macic_evasion.yml 2021-07-26 21:27:59 +07:00			`- 'DisableOrganizationAdminAccount'`
Create aws_macic_evasion 2021-07-26 15:14:44 +07:00			`- 'UpdateFindingsFilter'`
			`- 'UpdateMacieSession'`
			`- 'UpdateMemberSession'`
			`- 'UpdateClassificationJob'`
			`timeframe: 10m`
Update aws_macic_evasion 2021-07-26 15:26:17 +07:00			`condition: selection \| count() by sourceIPAddress > 5`
Create aws_macic_evasion 2021-07-26 15:14:44 +07:00			`fields:`
			`- sourceIPAddress`
			`- userIdentity.arn`
			`falsepositives:`
			`- System or Network administrator behaviors`
			`level: medium`