security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b19abdaeda7669c379bca72fa7ca8eada4677c5b
blue-team-tools/rules/cloud/aws/aws_enum_logging.yml
T
frack113 32b7ef47df Add count condition
2022-12-23 12:32:05 +01:00

33 lines
971 B
YAML
Raw Blame History

title: Potential Backup Enumeration on An AWS Instance
id: 76255e09-755e-4675-8b6b-dbce9842cd2a
status: experimental
description: Detects potential enumeration activity targeting an AWS instance backups
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
tags:
- attack.discovery
- attack.t1580
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'ec2.amazonaws.com'
eventName:
- 'GetPasswordData'
- 'GetEbsEncryptionByDefault'
- 'GetEbsDefaultKmsKeyId'
- 'GetBucketReplication'
- 'DescribeVolumes'
- 'DescribeVolumesModifications'
- 'DescribeSnapshotAttribute'
- 'DescribeSnapshotTierStatus'
- 'DescribeImages'
timeframe: 10m
condition: selection | count() > 5
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink