Further improved several AWS rules (#3827)

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
This commit is contained in:
BlueTeamOps
2022-12-29 05:46:36 +11:00
committed by GitHub
parent 7baadc4d3f
commit 05135ec828
5 changed files with 13 additions and 8 deletions
+3 -2
@@ -1,11 +1,12 @@
title: SES Identity Has Been Deleted
id: 20f754db-d025-4a8f-9d74-e0037e999a9a
status: experimental
description: Detects an instance of an SES identity being deleted via the "delete-identity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
description: Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
modified: 2022/12/28
tags:
- attack.defense_evasion
- attack.t1070
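Review bot: The rewritten `description` line now names the CloudTrail action `DeleteIdentity` instead of the CLI subcommand spelling `delete-identity`; CloudTrail records the API action name in `eventName`, so the description and the selection in the following hunk finally agree. Because this corrects what the rule actually matches rather than only its wording, the added `modified: 2022/12/28` is warranted, and the commit message should say that the previous spelling could not match real events so consumers know to redeploy.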
@@ -15,7 +16,7 @@ logsource:
detection:
selection:
eventSource: 'ses.amazonaws.com'
eventName: 'delete-identity'
eventName: 'DeleteIdentity'
condition: selection
falsepositives:
- Unknown
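Review bot: The `eventName: 'DeleteIdentity'` change is the substantive fix in this file: `delete-identity` is the AWS CLI subcommand form and never appears in CloudTrail's `eventName`, so the old selection could not fire regardless of case handling in the backend. Separately, `falsepositives: - Unknown` undersells a routine action; SES identities are deleted during domain migrations and clean-up, so listing legitimate administrative removal as a known false positive would help analysts triage.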
@@ -1,4 +1,4 @@
title: Potential Backup Enumeration on An AWS Instance
title: Potential Backup Enumeration on AWS
id: 76255e09-755e-4675-8b6b-dbce9842cd2a
status: experimental
description: Detects potential enumeration activity targeting an AWS instance backups
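Review bot: The title was generalised to `Potential Backup Enumeration on AWS`, but the unchanged `description: Detects potential enumeration activity targeting an AWS instance backups` still refers to an instance and is ungrammatical; suggest `Detects potential enumeration activity targeting AWS backups` so it matches the new title, as the storage rule in this same commit already does.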
@@ -6,6 +6,7 @@ references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
modified: 2022/12/28
tags:
- attack.discovery
- attack.t1580
+3 -2
@@ -1,11 +1,12 @@
title: Potential Network Enumeration on An AWS Instance
title: Potential Network Enumeration on AWS
id: c3d53999-4b14-4ddd-9d9b-e618c366b54d
status: experimental
description: Detects network enumeration performed on an AWS instance.
description: Detects network enumeration performed on AWS.
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
modified: 2022/12/28
tags:
- attack.discovery
- attack.t1016
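Review bot: `description: Detects network enumeration performed on AWS.` is now broad enough to describe almost any read-only networking call; since the title was widened in the same change, state which event source or family of API actions the rule keys on (the `selection` block is outside this hunk) so an analyst reading the alert knows its scope without opening the rule.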
+2 -1
@@ -1,4 +1,4 @@
title: Potential Storage Enumeration on An AWS Instance
title: Potential Storage Enumeration on AWS
id: 4723218f-2048-41f6-bcb0-417f2d784f61
status: experimental
description: Detects potential enumeration activity targeting AWS storage
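Review bot: Title and description are consistent here after the change to `Potential Storage Enumeration on AWS`, because the existing `description` already says `AWS storage`; the backup rule in this commit should be brought in line the same way.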
@@ -6,6 +6,7 @@ references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
modified: 2022/12/28
tags:
- attack.discovery
- attack.t1619
@@ -1,11 +1,12 @@
title: Potential Phshing Activity Via AWS Cloud Email Service Abuse
title: Potential AWS Cloud Email Service Abuse
id: 60b84424-a724-4502-bd0d-cc676e1bc90e
status: experimental
description: Detects potential phshing activity when the email sending feature is enabled for an account and the email address verification request is dispatched in quick succession
description: Detects when the email sending feature is enabled for an AWS account and the email address verification request is dispatched in quick succession
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/12
modified: 2022/12/28
tags:
- attack.t1583.006
- attack.resource_development
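Review bot: Dropping the misspelled "phshing" is right, but the rewritten `description` now only states what is observed (email sending enabled, then verification requests in quick succession) and no longer says why it matters. Keep one clause tying it to the referenced Unit 42 report, e.g. `..., a pattern observed when a compromised account is prepared for mass mailing`, so the retained tags `attack.t1583.006` and `attack.resource_development` have an explanation in the rule itself. Also, because the description promises "quick succession", confirm the detection block (outside this hunk) expresses that time window rather than matching the two events independently.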