security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] EC2 Full Network Packet Capture Detected (#1175)

Browse Source 
(cherry picked from commit d7e0e37e54)
This commit is contained in:
Austin Songer
2021-06-22 01:00:48 -05:00
committed by github-actions[bot]
parent 3996e94bfd
commit b8a3f43b99
1 changed files with 72 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+72
View File
@@ -0,0 +1,72 @@
[metadata]
creation_date = "2021/05/05"
maturity = "production"
updated_date = "2021/05/05"
[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon
VPC feature that you can use to copy network traffic from an elastic network interface. This feature can potentially be
abused to exfiltrate sensitive data from unencrypted internal traffic.
"""
false_positives = [
"""
Traffic Mirroring may be done by a system or network administrator. Verify whether the user identity, user agent,
and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Full Network Packet Capture Detected"
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html",
"https://github.com/easttimor/aws-incident-response",
]
risk_score = 47
rule_id = "c1812764-0788-470f-8e74-eb4a14d47573"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and
event.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and
event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
reference = "https://attack.mitre.org/techniques/T1020/"
name = "Automated Exfiltration"
id = "T1020"
[rule.threat.tactic]
reference = "https://attack.mitre.org/tactics/TA0010/"
name = "Exfiltration"
id = "TA0010"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
reference = "https://attack.mitre.org/techniques/T1074/"
name = "Data Staged"
id = "T1074"
[rule.threat.tactic]
reference = "https://attack.mitre.org/tactics/TA0009/"
name = "Collection"
id = "TA0009"