blue-team-tools/rules/cloud/aws/aws_ecs_task_definition_backdoor.yml
Nasreddine Bencherchali d03f6df250 Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00

title: AWS ECS Backdoor Task Definition
id: b94bf91e-c2bf-4047-9c43-c6810f43baad
status: experimental
description: Detects when an Elastic Container Service (ECS) Task Definition has been modified and run. This can indicate an adversary adding a backdoor to establish persistence or escalate privileges. This rule is based on examining events created upon execution of Rhino Security Lab's Pacu in a lab environment.
author: Darin Smith
date: 2022/06/07
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py
    - https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html
    - https://attack.mitre.org/techniques/T1525
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: ecs.amazonaws.com
        eventName:
            - DescribeTaskDefinition
            - RegisterTaskDefinition
            - RunTask
        requestParameters.containerDefinitions.command|contains|all:
            - '169.254'
            - '$AWS_CONTAINER_CREDENTIALS'
    condition: selection
level: medium
tags:
    - attack.persistence
    - attack.t1525
falsepositives:
    - Task Definition being modified to request credentials from the Task Metadata Service for valid reasons
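As an added illustration, not part of the Sigma rule or the repository, the following Python reimplements the rule's `selection` over CloudTrail-style records so the `contains|all` match on a nested, list-valued field can be seen working. It assumes CloudTrail nests `containerDefinitions` as a list of objects each carrying a `command` list; the sample records are constructed, not captured logs.

```python
from typing import Any, Iterator

# Selection values copied from the Sigma rule above
EVENT_SOURCE = "ecs.amazonaws.com"
EVENT_NAMES = {"DescribeTaskDefinition", "RegisterTaskDefinition", "RunTask"}
COMMAND_FIELD = "requestParameters.containerDefinitions.command"
NEEDLES = ("169.254", "$AWS_CONTAINER_CREDENTIALS")


def field_values(obj: Any, path: str) -> Iterator[str]:
    """Yield every string leaf reachable via a dotted path, descending into lists.
    containerDefinitions is a list of objects and command is a list of strings,
    so a plain nested dict lookup would never reach the values."""
    parts = path.split(".") if path else []
    if isinstance(obj, list):
        for item in obj:
            yield from field_values(item, path)
    elif parts and isinstance(obj, dict) and parts[0] in obj:
        yield from field_values(obj[parts[0]], ".".join(parts[1:]))
    elif not parts and isinstance(obj, str):
        yield obj


def matches_rule(event: dict) -> bool:
    """The rule's 'selection' for one record. contains|all requires every needle
    to appear in the command values; matching is case-insensitive as in Sigma.
    All containers' command tokens are joined, mirroring how backends flatten arrays."""
    if event.get("eventSource") != EVENT_SOURCE:
        return False
    if event.get("eventName") not in EVENT_NAMES:
        return False
    cmd = " ".join(field_values(event, COMMAND_FIELD)).lower()
    return all(n.lower() in cmd for n in NEEDLES)


# Constructed sample records (not real CloudTrail output): a task definition whose
# command reads the task credentials endpoint, a benign one, and a non-ECS event.
SAMPLE_EVENTS = [
    {"eventSource": "ecs.amazonaws.com", "eventName": "RegisterTaskDefinition",
     "requestParameters": {"family": "web", "containerDefinitions": [
         {"name": "web", "image": "nginx", "command": ["/bin/sh", "-c",
          "curl http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]}]}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "RegisterTaskDefinition",
     "requestParameters": {"family": "web", "containerDefinitions": [
         {"name": "web", "image": "nginx", "command": ["nginx", "-g", "daemon off;"]}]}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "requestParameters": {"userData": "169.254.169.254 $AWS_CONTAINER_CREDENTIALS"}},
]


def run_detection(events: list) -> list:
    """Return the indices of records that fire the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))  # → [0]
```

The third record shows why the `eventSource` clause matters: the same strings in a non-ECS event do not fire the rule.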