From 4c323d40dd7d8ca7e000d8bcec9a6d7c07cba049 Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Mon, 28 Jun 2021 15:42:34 +0700
Subject: [PATCH 1/6] Create aws_securityhub_disable_finding.yml

---
 .../cloud/aws_securityhub_disable_finding.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/cloud/aws_securityhub_disable_finding.yml

diff --git a/rules/cloud/aws_securityhub_disable_finding.yml b/rules/cloud/aws_securityhub_disable_finding.yml
new file mode 100644
index 000000000..1bb027f1d
--- /dev/null
+++ b/rules/cloud/aws_securityhub_disable_finding.yml
@@ -0,0 +1,29 @@
+title: AWS - SecurityHub Findings Disruption
+id: a607e1fe-74bf-4440-a3ec-b059b9103157
+status: stable
+description: Identifies to evade finding on SecurityHub.
+author: Sittikorn S
+date: 2021/06/28
+reference:
+ - https://docs.aws.amazon.com/cli/latest/reference/securityhub/
+tags:
+ - attack.defensive_evasion
+ - attack.t1562.006
+logsource:
+ service: cloudtrail
+detection:
+ selection:
+ eventSource: securityhub.amazonaws.com
+ eventName:
+ - 'BatchUpdateFindings'
+ - 'DeleteInsight'
+ - 'UpdateFindings'
+ - 'UpdateInsight'
+ condition: selection
+fields:
+ - sourceIPAddress
+ - userIdentity.arn
+falsepositives:
+ - System or Network administrator behaviors
+ - DEV, UAT, SAT environment. You should apply this rule with PROD environment only.
+level: high

From ff83414871069965d7a947d252c698c6f89f80ef Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Mon, 28 Jun 2021 15:45:31 +0700
Subject: [PATCH 2/6] Update and rename aws_securityhub_disable_finding.yml to aws_securityhub_finding_evasion.yml

---
 ..._disable_finding.yml => aws_securityhub_finding_evasion.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename rules/cloud/{aws_securityhub_disable_finding.yml => aws_securityhub_finding_evasion.yml} (94%)
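Review bot: `status: stable` on the third line of the new rule is premature for a detection that is introduced in this very commit and has no recorded testing against production CloudTrail data; Sigma's convention is to add rules as `status: experimental` and promote them later, so I would change that line to `status: experimental`. The `eventName` selection is also broad for `level: high`: `BatchUpdateFindings` is the call that SecurityHub integrations and automated remediation workflows use to set workflow status and notes, and `DeleteInsight`/`UpdateInsight` act on insights rather than findings, so routine automation will match. I would either drop the insight operations or explain why they belong under a "findings" rule, and add an explicit entry such as `- Automated finding updates by SecurityHub integrations or remediation workflows` under `falsepositives`, optionally filtering known service roles on `userIdentity.arn`.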
diff --git a/rules/cloud/aws_securityhub_disable_finding.yml b/rules/cloud/aws_securityhub_finding_evasion.yml
similarity index 94%
rename from rules/cloud/aws_securityhub_disable_finding.yml
rename to rules/cloud/aws_securityhub_finding_evasion.yml
index 1bb027f1d..9b4d4e64d 100644
--- a/rules/cloud/aws_securityhub_disable_finding.yml
+++ b/rules/cloud/aws_securityhub_finding_evasion.yml
@@ -1,4 +1,4 @@
-title: AWS - SecurityHub Findings Disruption
+title: AWS SecurityHub Findings Evasion
 id: a607e1fe-74bf-4440-a3ec-b059b9103157
 status: stable
 description: Identifies to evade finding on SecurityHub.

From 071699da5e541df19943c75a9c6d4db8c604f347 Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Mon, 28 Jun 2021 15:52:42 +0700
Subject: [PATCH 3/6] Update aws_securityhub_finding_evasion.yml

---
 rules/cloud/aws_securityhub_finding_evasion.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/cloud/aws_securityhub_finding_evasion.yml b/rules/cloud/aws_securityhub_finding_evasion.yml
index 9b4d4e64d..d3ab84c39 100644
--- a/rules/cloud/aws_securityhub_finding_evasion.yml
+++ b/rules/cloud/aws_securityhub_finding_evasion.yml
@@ -4,7 +4,7 @@ status: stable
 description: Identifies to evade finding on SecurityHub.
 author: Sittikorn S
 date: 2021/06/28
-reference:
+references:
 - https://docs.aws.amazon.com/cli/latest/reference/securityhub/
 tags:
 - attack.defensive_evasion

From 5a61e402bfb8be76b7ce49cce2735f77ee888cfd Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Mon, 28 Jun 2021 15:57:21 +0700
Subject: [PATCH 4/6] Update aws_securityhub_finding_evasion.yml

---
 rules/cloud/aws_securityhub_finding_evasion.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/cloud/aws_securityhub_finding_evasion.yml b/rules/cloud/aws_securityhub_finding_evasion.yml
index d3ab84c39..b065bb878 100644
--- a/rules/cloud/aws_securityhub_finding_evasion.yml
+++ b/rules/cloud/aws_securityhub_finding_evasion.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.aws.amazon.com/cli/latest/reference/securityhub/
 tags:
 - attack.defensive_evasion
- - attack.t1562.006
+ - attack.t1562
 logsource:
 service: cloudtrail
 detection:

From bfe110a2c5f2274e7e3aeb2c551431f8342c931c Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Mon, 28 Jun 2021 16:07:54 +0700
Subject: [PATCH 5/6] Update aws_securityhub_finding_evasion.yml

---
 rules/cloud/aws_securityhub_finding_evasion.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/cloud/aws_securityhub_finding_evasion.yml b/rules/cloud/aws_securityhub_finding_evasion.yml
index b065bb878..d5090b2d2 100644
--- a/rules/cloud/aws_securityhub_finding_evasion.yml
+++ b/rules/cloud/aws_securityhub_finding_evasion.yml
@@ -7,7 +7,7 @@ date: 2021/06/28
 references:
 - https://docs.aws.amazon.com/cli/latest/reference/securityhub/
 tags:
- - attack.defensive_evasion
+ - attack.defense_evasion
 - attack.t1562
 logsource:
 service: cloudtrail

From 9c769a3fce3fc5ac9d5149f06734f6d741fc9034 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 29 Jun 2021 12:49:32 +0200
Subject: [PATCH 6/6] Update aws_securityhub_finding_evasion.yml

---
 rules/cloud/aws_securityhub_finding_evasion.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/cloud/aws_securityhub_finding_evasion.yml b/rules/cloud/aws_securityhub_finding_evasion.yml
index d5090b2d2..5c9013583 100644
--- a/rules/cloud/aws_securityhub_finding_evasion.yml
+++ b/rules/cloud/aws_securityhub_finding_evasion.yml
@@ -1,7 +1,7 @@
 title: AWS SecurityHub Findings Evasion
 id: a607e1fe-74bf-4440-a3ec-b059b9103157
 status: stable
-description: Identifies to evade finding on SecurityHub.
+description: Detects the modification of the findings on SecurityHub.
 author: Sittikorn S
 date: 2021/06/28
 references: