security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
05135ec828aba76af656ea0d10c3e0b316b5900a
blue-team-tools/rules/cloud/aws/aws_enum_network.yml
T
BlueTeamOps 05135ec828 Further improved several AWS rules (#3827) 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-28 19:46:36 +01:00

31 lines
895 B
YAML
Raw Blame History

title: Potential Network Enumeration on AWS
id: c3d53999-4b14-4ddd-9d9b-e618c366b54d
status: experimental
description: Detects network enumeration performed on AWS.
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
modified: 2022/12/28
tags:
- attack.discovery
- attack.t1016
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'ec2.amazonaws.com'
eventName:
- 'DescribeCarrierGateways'
- 'DescribeVpcEndpointConnectionNotifications'
- 'DescribeTransitGatewayMulticastDomains'
- 'DescribeClientVpnRoutes'
- 'DescribeDhcpOptions'
- 'GetTransitGatewayRouteTableAssociations'
timeframe: 10m
condition: selection | count() > 5
falsepositives:
- Unknown
level: low
Reference in New Issue View Git Blame Copy Permalink