title: Potential Backup Enumeration on AWS
id: 76255e09-755e-4675-8b6b-dbce9842cd2a
status: experimental
description: Detects potential enumeration activity targeting an AWS instance backups
references:
    - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
modified: 2022/12/28
tags:
    - attack.discovery
    - attack.t1580
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName:
            - 'GetPasswordData'
            - 'GetEbsEncryptionByDefault'
            - 'GetEbsDefaultKmsKeyId'
            - 'GetBucketReplication'
            - 'DescribeVolumes'
            - 'DescribeVolumesModifications'
            - 'DescribeSnapshotAttribute'
            - 'DescribeSnapshotTierStatus'
            - 'DescribeImages'
    timeframe: 10m
    condition: selection | count() > 5
falsepositives:
    - Unknown
level: medium