security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
34ea706e4fe91c8a2c7ae11b953407e1dd67a319
blue-team-tools/rules/cloud/aws_config_disable_recording.yml
T
Ivan Kirillov 0fbfcc6ba9 Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00

23 lines
574 B
YAML
Raw Blame History

title: AWS Config Disabling Channel/Recorder
id: 07330162-dba1-4746-8121-a9647d49d297
status: experimental
author: vitaliy0x1
date: 2020/01/21
description: Detects AWS Config Service disabling
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: config.amazonaws.com
events:
- eventName:
- DeleteDeliveryChannel
- StopConfigurationRecorder
condition: selection_source AND events
level: high
falsepositives:
- Valid change in AWS Config Service
tags:
- attack.t1089
- attack.t1562.001
Reference in New Issue View Git Blame Copy Permalink