security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
97c43eaa7349e8f208e65b5f233986df030d26a4
blue-team-tools/rules/cloud/aws/aws_enum_logging.yml
T
frack113 066ab2680d Change to LF
2022-12-16 09:24:19 +01:00

32 lines
894 B
YAML
Raw Blame History

title: Enumerate Backup Configuration on AWS
id: 76255e09-755e-4675-8b6b-dbce9842cd2a
status: experimental
description: Identifies enumeration activity targeting the AWS backups
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
tags:
- attack.discovery
- attack.t1580
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: ec2.amazonaws.com
eventName:
- GetPasswordData
- GetEbsEncryptionByDefault
- GetEbsDefaultKmsKeyId
- GetBucketReplication
- DescribeVolumes
- DescribeVolumesModifications
- DescribeSnapshotAttribute
- DescribeSnapshotTierStatus
- DescribeImages
condition: selection
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink