[Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded (#3854)

* tuning 'Potential AWS S3 Bucket Ransomware Note Uploaded'

* add a filter to ignore common AWS object path strings
Terrance DeJesus
2024-07-02 13:02:52 -04:00
committed by GitHub
parent 30ffe00012
commit d59d462956
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.13.0"
updated_date = "2024/06/05"
updated_date = "2024/07/01"
[rule]
author = ["Elastic"]
@@ -95,7 +95,8 @@ from logs-aws.cloudtrail-*
| dissect aws.cloudtrail.request_parameters "%{?ignore_values}key=%{object_name}}"
// regex on common ransomware note extensions
| where object_name rlike "(.*).(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)"
| where object_name rlike "(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)"
and not object_name rlike "(.*)(AWSLogs|CloudTrail|access-logs)(.*)"
// aggregate by S3 bucket, resource and object name
| stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name