Rules Contributing to Potentially Malicious AWS Activity Alert
The following rules are used to identify suspicious activity within AWS logs. Any one or more of these will trigger a Potentially Malicious AWS Activity Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
SES Identity Has Been Deleted |
Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities More details
Rule IDQuery{'selection': {'eventSource': 'ses.amazonaws.com', 'eventName': 'DeleteIdentity'}, 'condition': 'selection'} Log SourceStellar Cyber AWS Cloudtrail configured. Rule SourceSigmaHQ,20f754db-d025-4a8f-9d74-e0037e999a9a Author: Janantha Marasinghe Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS GuardDuty Important Change |
Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs. More details
Rule IDQuery{'selection_source': {'eventSource': 'guardduty.amazonaws.com', 'eventName': 'CreateIPSet'}, 'condition': 'selection_source'} Log SourceStellar Cyber AWS Cloudtrail configured. Rule SourceSigmaHQ,6e61ee20-ce00-4f8d-8aee-bedd8216f7e3 Author: faloker Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS Glue Development Endpoint Activity |
Detects possible suspicious glue development endpoint activity. More details
Rule IDQuery{'selection': {'eventSource': 'glue.amazonaws.com', 'eventName': ['CreateDevEndpoint', 'DeleteDevEndpoint', 'UpdateDevEndpoint']}, 'condition': 'selection'} Log SourceStellar Cyber AWS Cloudtrail configured. Rule SourceSigmaHQ,4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26 Author: Austin Songer @austinsonger Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS ECS Backdoor Task Definition |
Detects when an Elastic Container Service (ECS) Task Definition has been modified and run. This can indicate an adversary adding a backdoor to establish persistence or escalate privileges. This rule is based on examining events created upon execution of Rhino Security Lab's Pacu in a lab environment. More details
Rule IDQuery{'selection': {'eventSource': 'ecs.amazonaws.com', 'eventName': ['DescribeTaskDefinition', 'RegisterTaskDefinition', 'RunTask'], 'requestParameters_containerDefinitions_command|contains|all': ['169.254', '$AWS_CONTAINER_CREDENTIALS']}, 'condition': 'selection'} Log SourceStellar Cyber AWS Cloudtrail configured. Rule SourceSigmaHQ,b94bf91e-c2bf-4047-9c43-c6810f43baad Author: Darin Smith Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS Attached Malicious Lambda Layer |
Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function. More details
Rule IDQuery{'selection': {'eventSource': 'lambda.amazonaws.com', 'eventName|startswith': 'UpdateFunctionConfiguration'}, 'condition': 'selection'} Log SourceStellar Cyber AWS Cloudtrail configured. Rule SourceSigmaHQ,97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d Author: Austin Songer Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS EKS Cluster Created or Deleted |
Identifies when an EKS cluster is created or deleted. More details
Rule IDQuery{'selection': {'eventSource': 'eks.amazonaws.com', 'eventName': ['CreateCluster', 'DeleteCluster']}, 'condition': 'selection'} Log SourceStellar Cyber AWS Cloudtrail configured. Rule SourceSigmaHQ,33d50d03-20ec-4b74-a74e-1e65a38af1c0 Author: Austin Songer Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS SecurityHub Findings Evasion |
Detects the modification of the findings on SecurityHub. More details
Rule IDQuery{'selection': {'eventSource': 'securityhub.amazonaws.com', 'eventName': ['BatchUpdateFindings', 'DeleteInsight', 'UpdateFindings', 'UpdateInsight']}, 'condition': 'selection'} Log SourceStellar Cyber AWS Cloudtrail configured. Rule SourceSigmaHQ,a607e1fe-74bf-4440-a3ec-b059b9103157 Author: Sittikorn S Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS GuardDuty Detector Deletion |
Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. More details
Rule IDQuery{'selection1': {'eventSource': 'guardduty.amazonaws.com'}, 'selection2': {'eventName': 'DeleteDetector'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS ElastiCache Security Group Created |
Identifies when an ElastiCache security group has been created. More details
Rule IDQuery{'selection1': {'eventSource': 'elasticache.amazonaws.com'}, 'selection2': {'eventName': 'Create Cache Security Group'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS IAM Password Recovery Requested |
Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms. More details
Rule IDQuery{'selection1': {'eventSource': 'signin.amazonaws.com'}, 'selection2': {'eventName': 'PasswordRecoveryRequested'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS EventBridge Rule Disabled or Deleted |
Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services. More details
Rule IDQuery{'selection1': {'eventSource': 'eventbridge.amazonaws.com'}, 'selection2': {'eventName': ['DeleteRule', 'DisableRule']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS CloudWatch Alarm Deletion |
Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses. More details
Rule IDQuery{'selection1': {'eventSource': 'monitoring.amazonaws.com'}, 'selection2': {'eventName': 'DeleteAlarms'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS Configuration Recorder Stopped |
Identifies an AWS configuration change to stop recording a designated set of resources. More details
Rule IDQuery{'selection1': {'eventSource': 'config.amazonaws.com'}, 'selection2': {'eventName': 'StopConfigurationRecorder'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS Config Resource Deletion |
Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances. More details
Rule IDQuery{'selection1': {'eventSource': 'config.amazonaws.com'}, 'selection2': {'eventName': ['DeleteConfigRule', 'DeleteOrganizationConfigRule', 'DeleteConfigurationAggregator', 'DeleteConfigurationRecorder', 'DeleteConformancePack', 'DeleteOrganizationConformancePack', 'DeleteDeliveryChannel', 'DeleteRemediationConfiguration', 'DeleteRetentionConfiguration']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS STS GetSessionToken Abuse |
Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. More details
Rule IDQuery{'selection1': {'eventSource': 'sts.amazonaws.com'}, 'selection2': {'eventName': 'GetSessionToken'}, 'selection3': {'userIdentity_type': 'IAMUser'}, 'condition': 'selection1 and selection2 and selection3'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS WAF Rule or Rule Group Deletion |
Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group. More details
Rule IDQuery{'selection1': {'eventSource': ['waf.amazonaws.com', 'waf-regional.amazonaws.com', 'wafv2.amazonaws.com']}, 'selection2': {'eventName': ['DeleteRule', 'DeleteRuleGroup']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS ElastiCache Security Group Modified or Deleted |
Identifies when an ElastiCache security group has been modified or deleted. More details
Rule IDQuery{'selection1': {'eventSource': 'elasticache.amazonaws.com'}, 'selection2': {'eventName': ['Delete Cache Security Group', 'Authorize Cache Security Group Ingress', 'Revoke Cache Security Group Ingress', 'AuthorizeCacheSecurityGroupEgress', 'RevokeCacheSecurityGroupEgress']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS WAF Access Control List Deletion |
Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list. More details
Rule IDQuery{'selection1': {'eventSource': 'waf.amazonaws.com'}, 'selection2': {'eventName': 'DeleteWebACL'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS CloudWatch Log Stream Deletion |
Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream. More details
Rule IDQuery{'selection1': {'eventSource': 'logs.amazonaws.com'}, 'selection2': {'eventName': 'DeleteLogStream'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS SAML Activity |
Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target. More details
Rule IDQuery{'selection1': {'eventSource': ['iam.amazonaws.com', 'sts.amazonaws.com']}, 'selection2': {'eventName': ['Assumerolewithsaml', 'UpdateSAMLProvider']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS CloudWatch Log Group Deletion |
Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted. More details
Rule IDQuery{'selection1': {'eventSource': 'logs.amazonaws.com'}, 'selection2': {'eventName': 'DeleteLogGroup'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS KMS Customer Managed Key Disabled or Scheduled for Deletion |
Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable. More details
Rule IDQuery{'selection1': {'eventSource': 'kms.amazonaws.com'}, 'selection2': {'eventName': ['DisableKey', 'ScheduleKeyDeletion']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS Redshift Cluster Creation |
Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities. More details
Rule IDQuery{'selection1': {'eventSource': 'redshift.amazonaws.com'}, 'selection2': {'eventName': 'CreateCluster'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS EFS File System or Mount Deleted |
Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System. More details
Rule IDQuery{'selection1': {'eventSource': 'elasticfilesystem.amazonaws.com'}, 'selection2': {'eventName': ['DeleteMountTarget', 'DeleteFileSystem']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS Security Token Service (STS) AssumeRole Usage |
Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges. More details
Rule IDQuery{'selection1': {'eventSource': 'sts.amazonaws.com'}, 'selection2': {'eventName': 'AssumedRole'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS Lambda UpdateFunctionCode |
This analytic is designed to detect IAM users attempting to update/modify AWS lambda code via the AWS CLI to gain persistence, further access into AWS environment and to facilitate planting backdoors. In this instance, an attacker may upload malicious code/binary to a lambda function which will be executed automatically when the function is triggered. More details
Rule IDQuery{'selection2': {'eventSource': 'lambda.amazonaws.com'}, 'selection3': {'eventName': 'UpdateFunctionCode*'}, 'selection4': {'errorCode': 'success'}, 'selection5': {'userIdentity_type': 'IAMUser'}, 'condition': 'selection2 and selection3 and selection4 and selection5'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS ECR Container Scanning Findings |
This search looks for AWS CloudTrail events from AWS Elastic Container Registry (ECR) Service. More details
Rule IDQuery{'selection2': {'eventSource': 'ecr.amazonaws.com'}, 'selection3': {'eventName': 'DescribeImageScanFindings'}, 'condition': 'selection2 and selection3'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS SAML Access by Provider User and Principal |
This search provides specific SAML access from specific Service Provider, user and targeted principal at AWS. It also provides specific information to detect abnormal access or potential credential hijack or forgery, specially in federated environments using SAML protocol inside the perimeter or cloud provider. More details
Rule IDQuery{'selection1': {'eventSource': 'sts.amazonaws.com'}, 'selection2': {'eventName': 'AssumeRoleWithSAML'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
KMS Keys Creation |
This search provides detection of KMS Keys Creation More details
Rule IDQuery{'selection1': {'eventSource': 'kms.amazonaws.com'}, 'selection2': {'eventName': 'CreateKey'}, 'selection3': {'eventName': 'PutKeyPolicy'}, 'condition': 'selection1 and (selection2 or selection3)'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|