Rules Contributing to Potentially Malicious AWS Activity Alert

The following rules are used to identify suspicious activity within AWS logs. Any one or more of these will trigger a Potentially Malicious AWS Activity Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

SES Identity Has Been Deleted

Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities.

AWS GuardDuty Important Change

Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.

AWS Glue Development Endpoint Activity

Detects possible suspicious Glue development endpoint activity.

AWS ECS Backdoor Task Definition

Detects when an Elastic Container Service (ECS) Task Definition has been modified and run. This can indicate an adversary adding a backdoor to establish persistence or escalate privileges. This rule is based on examining events created upon execution of Rhino Security Lab's Pacu in a lab environment.

AWS Attached Malicious Lambda Layer

Detects when a user attaches a Lambda layer to an existing function to override a library that is in use by the function, so that their malicious code can use the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role attached to that function.

AWS EKS Cluster Created or Deleted

Identifies when an EKS cluster is created or deleted.

AWS SecurityHub Findings Evasion

Detects the modification of the findings on SecurityHub.

AWS GuardDuty Detector Deletion

Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.

AWS ElastiCache Security Group Created

Identifies when an ElastiCache security group has been created.

AWS IAM Password Recovery Requested

Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.

AWS EventBridge Rule Disabled or Deleted

Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.

AWS CloudWatch Alarm Deletion

Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.

AWS Configuration Recorder Stopped

Identifies an AWS configuration change to stop recording a designated set of resources.

AWS Config Resource Deletion

Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and/or its workload instances.

AWS STS GetSessionToken Abuse

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

AWS WAF Rule or Rule Group Deletion

Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.

AWS ElastiCache Security Group Modified or Deleted

Identifies when an ElastiCache security group has been modified or deleted.

AWS WAF Access Control List Deletion

Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.

AWS CloudWatch Log Stream Deletion

Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all archived log events associated with the stream.

AWS SAML Activity

Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.

AWS CloudWatch Log Group Deletion

Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.

AWS KMS Customer Managed Key Disabled or Scheduled for Deletion

Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable.

AWS Redshift Cluster Creation

Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities.

AWS EFS File System or Mount Deleted

Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.

AWS Security Token Service (STS) AssumeRole Usage

Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.

AWS Lambda UpdateFunctionCode

This analytic is designed to detect IAM users attempting to update or modify AWS Lambda code via the AWS CLI to gain persistence, further access into the AWS environment, and to facilitate planting backdoors. In this instance, an attacker may upload malicious code or a binary to a Lambda function, which will be executed automatically when the function is triggered.

AWS ECR Container Scanning Findings

This search looks for AWS CloudTrail events from the AWS Elastic Container Registry (ECR) service.

AWS SAML Access by Provider User and Principal

This search provides SAML access details from a specific Service Provider, user and targeted principal in AWS. It also provides specific information to detect abnormal access or potential credential hijacking or forgery, especially in federated environments using the SAML protocol inside the perimeter or at the cloud provider.

KMS Keys Creation

This search detects the creation of KMS keys.