Rules Contributing to Suspicious AWS EC2 Activity Alert
The following rules are used to identify suspicious activity within AWS EC2 logs. Any one or more of these will trigger Suspicious AWS EC2 Activity Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
AWS EC2 Startup Shell Script Change |
Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up. More details
Rule IDQuery{'selection_source': {'eventSource': 'ec2.amazonaws.com', 'requestParameters_attribute': 'userData', 'eventName': 'ModifyInstanceAttribute'}, 'condition': 'selection_source'} Log SourceStellar Cyber AWS Cloudtrail configured. Rule SourceSigmaHQ,1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df Author: faloker Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS EC2 Network Access Control List Creation |
Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number. More details
Rule IDQuery{'selection1': {'eventSource': 'ec2.amazonaws.com'}, 'selection2': {'eventName': ['CreateNetworkAcl', 'CreateNetworkAclEntry']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS EC2 Network Access Control List Deletion |
Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. More details
Rule IDQuery{'selection1': {'eventSource': 'ec2.amazonaws.com'}, 'selection2': {'eventName': ['DeleteNetworkAcl', 'DeleteNetworkAclEntry']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS EC2 Snapshot Activity |
An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account. More details
Rule IDQuery{'selection1': {'eventSource': 'ec2.amazonaws.com'}, 'selection2': {'eventName': 'ModifySnapshotAttribute'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS EC2 VM Export Failure |
Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information. More details
Rule IDQuery{'selection1': {'eventSource': 'ec2.amazonaws.com'}, 'selection2': {'eventName': 'CreateInstanceExportTask'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS EC2 Full Network Packet Capture Detected |
Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic. More details
Rule IDQuery{'selection1': {'eventSource': 'ec2.amazonaws.com'}, 'selection2': {'eventName': ['CreateTrafficMirrorFilter', 'CreateTrafficMirrorFilterRule', 'CreateTrafficMirrorSession', 'CreateTrafficMirrorTarget']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS EC2 Encryption Disabled |
Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes. More details
Rule IDQuery{'selection1': {'eventSource': 'ec2.amazonaws.com'}, 'selection2': {'eventName': 'DisableEbsEncryptionByDefault'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
EC2 Snapshot Attribute Modification |
The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified. More details
Rule IDQuery{'selection1': {'eventSource': 'ec2.amazonaws.com'}, 'selection2': {'eventName': 'ModifySnapshotAttribute'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS EC2 Security Group Deleted |
An EC2 security group has been deleted. More details
Rule IDQuery{'selection1': {'eventSource': 'ec2.amazonaws.com'}, 'selection2': {'eventName': 'DeleteSecurityGroup'}, 'selection3': {'userAgent': 'cloudformation.amazonaws.com'}, 'condition': 'selection1 and selection2 and not selection3'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS EC2 Security Group Modified |
An EC2 security group has been modified. More details
Rule IDQuery{'selection1': {'eventSource': 'ec2.amazonaws.com'}, 'selection2': {'eventName': 'DeleteRouteTable'}, 'selection3': {'eventName': 'DeleteSubnet'}, 'selection4': {'eventName': 'CreateDBSubnetGroup'}, 'selection5': {'eventName': 'DeleteDBSubnetGroup'}, 'selection6': {'eventName': 'ModifyDBSubnetGroup'}, 'selection7': {'userAgent': 'cloudformation.amazonaws.com'}, 'condition': 'selection1 and (selection2 or selection3 or selection4 or selection5 or selection6) and not selection7'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS EC2 Security Group Created |
An EC2 security group has been created. More details
Rule IDQuery{'selection1': {'eventSource': 'ec2.amazonaws.com'}, 'selection2': {'eventName': 'CreateSecurityGroup'}, 'selection3': {'userAgent': 'cloudformation.amazonaws.com'}, 'condition': 'selection1 and selection2 and not selection3'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS Credential Access GetPasswordData |
This detection analytic identifies GetPasswordData API call made to your AWS account. Attackers can retrieve the encrypted administrator password for a running Windows instance. More details
Rule IDQuery{'selection1': {'eventSource': 'ec2.amazonaws.com'}, 'selection2': {'eventName': 'GetPasswordData'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AWS VPC Network ACL Modified |
The ACL for a VPC has been modified. More details
Rule IDQuery{'selection1': {'eventSource': 'ec2.amazonaws.com'}, 'selection2': {'eventName': 'CreateACLEntry'}, 'selection3': {'eventName': 'DeleteACL'}, 'selection4': {'eventName': 'DeleteACLEntry'}, 'selection5': {'eventName': 'UpdateACLAssociation'}, 'selection6': {'userAgent': 'cloudformation.amazonaws.com'}, 'condition': 'selection1 and (selection2 or selection3 or selection4 or selection5) and not selection6'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|