security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1c0c29f45f554d65d30a1dfbf8fd9cb77c192546
blue-team-tools/rules/cloud/aws/aws_delete_identity.yml
T
BlueTeamOps 05135ec828 Further improved several AWS rules (#3827) 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-28 19:46:36 +01:00

24 lines
748 B
YAML
Raw Blame History

title: SES Identity Has Been Deleted
id: 20f754db-d025-4a8f-9d74-e0037e999a9a
status: experimental
description: Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
modified: 2022/12/28
tags:
- attack.defense_evasion
- attack.t1070
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'ses.amazonaws.com'
eventName: 'DeleteIdentity'
condition: selection
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink