security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bcce3a85aa43a936412fd32ffdfd41ea71ce1e02
blue-team-tools/rules/cloud/aws/aws_enum_backup.yml
T
BlueTeamOps 05135ec828 Further improved several AWS rules (#3827) 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-28 19:46:36 +01:00

34 lines
980 B
YAML
Raw Blame History

title: Potential Backup Enumeration on AWS
id: 76255e09-755e-4675-8b6b-dbce9842cd2a
status: experimental
description: Detects potential enumeration activity targeting an AWS instance backups
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
modified: 2022/12/28
tags:
- attack.discovery
- attack.t1580
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'ec2.amazonaws.com'
eventName:
- 'GetPasswordData'
- 'GetEbsEncryptionByDefault'
- 'GetEbsDefaultKmsKeyId'
- 'GetBucketReplication'
- 'DescribeVolumes'
- 'DescribeVolumesModifications'
- 'DescribeSnapshotAttribute'
- 'DescribeSnapshotTierStatus'
- 'DescribeImages'
timeframe: 10m
condition: selection | count() > 5
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink