SES Identity Has Been Deleted
Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities.
More details
Rule ID
aws_3
Query
{'selection': {'eventSource': 'ses.amazonaws.com', 'eventName': 'DeleteIdentity'}, 'condition': 'selection'}
Log Source
Stellar Cyber
AWS configured for:
Rule Source
SigmaHQ,20f754db-d025-4a8f-9d74-e0037e999a9a
Author: Janantha Marasinghe
Tactics, Techniques, and Procedures
TA0005, T1070
References
Severity
50
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| experimental | 2022/12/13 | medium | |
AWS GuardDuty Important Change
Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
More details
Rule ID
aws_4
Query
{'selection_source': {'eventSource': 'guardduty.amazonaws.com', 'eventName': 'CreateIPSet'}, 'condition': 'selection_source'}
Log Source
Stellar Cyber
AWS configured for:
Rule Source
SigmaHQ,6e61ee20-ce00-4f8d-8aee-bedd8216f7e3
Author: faloker
Tactics, Techniques, and Procedures
TA0005, T1562.001
References
Severity
75
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| test | 2020/02/11 | high | |
AWS Glue Development Endpoint Activity
Detects possible suspicious Glue development endpoint activity.
More details
Rule ID
aws_5
Query
{'selection': {'eventSource': 'glue.amazonaws.com', 'eventName': ['CreateDevEndpoint', 'DeleteDevEndpoint', 'UpdateDevEndpoint']}, 'condition': 'selection'}
Log Source
Stellar Cyber
AWS configured for:
Rule Source
SigmaHQ,4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26
Author: Austin Songer @austinsonger
Tactics, Techniques, and Procedures
TA0004, T1078
References
Severity
25
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| experimental | 2021/10/03 | low | Glue development endpoint activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing false positives, it can be exempted from the rule. |
AWS ECS Backdoor Task Definition
Detects when an Elastic Container Service (ECS) Task Definition has been modified and run. This can indicate an adversary adding a backdoor to establish persistence or escalate privileges. This rule is based on examining events created upon execution of Rhino Security Lab's Pacu in a lab environment.
More details
Rule ID
aws_7
Query
{'selection': {'eventSource': 'ecs.amazonaws.com', 'eventName': ['DescribeTaskDefinition', 'RegisterTaskDefinition', 'RunTask'], 'requestParameters_containerDefinitions_command|contains|all': ['169.254', '$AWS_CONTAINER_CREDENTIALS']}, 'condition': 'selection'}
Log Source
Stellar Cyber
AWS configured for:
Rule Source
SigmaHQ,b94bf91e-c2bf-4047-9c43-c6810f43baad
Author: Darin Smith
Tactics, Techniques, and Procedures
TA0003, T1525
References
Severity
50
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| experimental | 2022/06/07 | medium | |
AWS Attached Malicious Lambda Layer
Detects when a user attached a Lambda layer to an existing function to override a library in use by the function, so that their malicious code could use the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role attached to that function.
More details
Rule ID
aws_9
Query
{'selection': {'eventSource': 'lambda.amazonaws.com', 'eventName|startswith': 'UpdateFunctionConfiguration'}, 'condition': 'selection'}
Log Source
Stellar Cyber
AWS configured for:
Rule Source
SigmaHQ,97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
Author: Austin Songer
Tactics, Techniques, and Procedures
TA0004, T1548
References
Severity
50
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| test | 2021/09/23 | medium | A Lambda layer may be attached by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Lambda layers attached by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. |
AWS EKS Cluster Created or Deleted
Identifies when an EKS cluster is created or deleted.
More details
Rule ID
aws_10
Query
{'selection': {'eventSource': 'eks.amazonaws.com', 'eventName': ['CreateCluster', 'DeleteCluster']}, 'condition': 'selection'}
Log Source
Stellar Cyber
AWS configured for:
Rule Source
SigmaHQ,33d50d03-20ec-4b74-a74e-1e65a38af1c0
Author: Austin Songer
Tactics, Techniques, and Procedures
TA0040, T1485
References
Severity
25
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| test | 2021/08/16 | low | An EKS cluster may be created or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. EKS clusters created or deleted by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. |
AWS SecurityHub Findings Evasion
Detects the modification of the findings on SecurityHub.
More details
Rule ID
aws_15
Query
{'selection': {'eventSource': 'securityhub.amazonaws.com', 'eventName': ['BatchUpdateFindings', 'DeleteInsight', 'UpdateFindings', 'UpdateInsight']}, 'condition': 'selection'}
Log Source
Stellar Cyber
AWS configured for:
Rule Source
SigmaHQ,a607e1fe-74bf-4440-a3ec-b059b9103157
Author: Sittikorn S
Tactics, Techniques, and Procedures
TA0005, T1562
References
Severity
75
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| stable | 2021/06/28 | high | System or network administrator behavior. DEV, UAT and SAT environments; apply this rule to the PROD environment only. |
AWS GuardDuty Detector Deletion
Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
More details
Rule ID
aws_16
Query
{'selection1': {'eventSource': 'guardduty.amazonaws.com'}, 'selection2': {'eventName': 'DeleteDetector'}, 'condition': 'selection1 and selection2'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0005, T1562
References
N/A
Severity
75
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2020/05/28 | high | The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. |
AWS ElastiCache Security Group Created
Identifies when an ElastiCache security group has been created.
More details
Rule ID
aws_22
Query
{'selection1': {'eventSource': 'elasticache.amazonaws.com'}, 'selection2': {'eventName': 'CreateCacheSecurityGroup'}, 'condition': 'selection1 and selection2'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0005, T1562
References
N/A
Severity
25
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2021/07/19 | low | An ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. |
|
AWS IAM Password Recovery Requested
Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.
More details
Rule ID
aws_25
Query
{'selection1': {'eventSource': 'signin.amazonaws.com'}, 'selection2': {'eventName': 'PasswordRecoveryRequested'}, 'condition': 'selection1 and selection2'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0003, T1078
References
N/A
Severity
25
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2020/07/02 | low | Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. |
AWS EventBridge Rule Disabled or Deleted
Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.
More details
Rule ID
aws_27
Query
{'selection1': {'eventSource': 'eventbridge.amazonaws.com'}, 'selection2': {'eventName': ['DeleteRule', 'DisableRule']}, 'condition': 'selection1 and selection2'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0040, T1489
References
N/A
Severity
25
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2021/10/17 | low | EventBridge rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. EventBridge rules being deleted or disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. |
|
AWS CloudWatch Alarm Deletion
Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.
More details
Rule ID
aws_28
Query
{'selection1': {'eventSource': 'monitoring.amazonaws.com'}, 'selection2': {'eventName': 'DeleteAlarms'}, 'condition': 'selection1 and selection2'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0005, T1562
References
N/A
Severity
50
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2020/06/15 | medium | Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. |
AWS Configuration Recorder Stopped
Identifies an AWS configuration change to stop recording a designated set of resources.
More details
Rule ID
aws_39
Query
{'selection1': {'eventSource': 'config.amazonaws.com'}, 'selection2': {'eventName': 'StopConfigurationRecorder'}, 'condition': 'selection1 and selection2'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0005, T1562
References
N/A
Severity
75
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2020/06/16 | high | Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. |
AWS Config Resource Deletion
Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and/or its workload instances.
More details
Rule ID
aws_41
Query
{'selection1': {'eventSource': 'config.amazonaws.com'}, 'selection2': {'eventName': ['DeleteConfigRule', 'DeleteOrganizationConfigRule', 'DeleteConfigurationAggregator', 'DeleteConfigurationRecorder', 'DeleteConformancePack', 'DeleteOrganizationConformancePack', 'DeleteDeliveryChannel', 'DeleteRemediationConfiguration', 'DeleteRetentionConfiguration']}, 'condition': 'selection1 and selection2'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0005, T1562
References
N/A
Severity
25
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2020/06/26 | low | Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service. |
AWS STS GetSessionToken Abuse
Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
More details
Rule ID
aws_43
Query
{'selection1': {'eventSource': 'sts.amazonaws.com'}, 'selection2': {'eventName': 'GetSessionToken'}, 'selection3': {'userIdentity_type': 'IAMUser'}, 'condition': 'selection1 and selection2 and selection3'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0004, T1548, TA0008, T1550
References
N/A
Severity
25
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2021/05/17 | low | GetSessionToken may be called by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken calls from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. |
AWS WAF Rule or Rule Group Deletion
Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.
More details
Rule ID
aws_46
Query
{'selection1': {'eventSource': ['waf.amazonaws.com', 'waf-regional.amazonaws.com', 'wafv2.amazonaws.com']}, 'selection2': {'eventName': ['DeleteRule', 'DeleteRuleGroup']}, 'condition': 'selection1 and selection2'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0005, T1562
References
N/A
Severity
50
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2020/06/09 | medium | WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. |
AWS ElastiCache Security Group Modified or Deleted
Identifies when an ElastiCache security group has been modified or deleted.
More details
Rule ID
aws_47
Query
{'selection1': {'eventSource': 'elasticache.amazonaws.com'}, 'selection2': {'eventName': ['DeleteCacheSecurityGroup', 'AuthorizeCacheSecurityGroupIngress', 'RevokeCacheSecurityGroupIngress', 'AuthorizeCacheSecurityGroupEgress', 'RevokeCacheSecurityGroupEgress']}, 'condition': 'selection1 and selection2'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0005, T1562
References
N/A
Severity
25
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2021/07/19 | low | An ElastiCache security group deletion may be performed by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. |
AWS WAF Access Control List Deletion
Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.
More details
Rule ID
aws_49
Query
{'selection1': {'eventSource': 'waf.amazonaws.com'}, 'selection2': {'eventName': 'DeleteWebACL'}, 'condition': 'selection1 and selection2'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0005, T1562
References
N/A
Severity
50
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2020/05/21 | medium | Firewall ACLs may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. |
AWS CloudWatch Log Stream Deletion
Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all archived log events associated with the stream.
More details
Rule ID
aws_52
Query
{'selection1': {'eventSource': 'logs.amazonaws.com'}, 'selection2': {'eventName': 'DeleteLogStream'}, 'condition': 'selection1 and selection2'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0005, T1562, TA0040, T1485
References
N/A
Severity
50
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2020/05/20 | medium | A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. |
AWS SAML Activity
Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.
More details
Rule ID
aws_53
Query
{'selection1': {'eventSource': 'sts.amazonaws.com', 'eventName': 'AssumeRoleWithSAML'}, 'selection2': {'eventSource': 'iam.amazonaws.com', 'eventName': 'UpdateSAMLProvider'}, 'condition': 'selection1 or selection2'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0001, T1078, TA0005, T1550
References
N/A
Severity
25
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2021/09/22 | low | A SAML provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML provider updates by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. |
AWS CloudWatch Log Group Deletion
Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.
More details
Rule ID
aws_55
Query
{'selection1': {'eventSource': 'logs.amazonaws.com'}, 'selection2': {'eventName': 'DeleteLogGroup'}, 'condition': 'selection1 and selection2'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0005, T1562, TA0040, T1485
References
N/A
Severity
50
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2020/05/18 | medium | Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. |
AWS KMS Customer Managed Key Disabled or Scheduled for Deletion
Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable.
More details
Rule ID
aws_56
Query
{'selection1': {'eventSource': 'kms.amazonaws.com'}, 'selection2': {'eventName': ['DisableKey', 'ScheduleKeyDeletion']}, 'condition': 'selection1 and selection2'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0040, T1485
References
N/A
Severity
50
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2022/09/21 | medium | A KMS customer managed key may be disabled or scheduled for deletion by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. |
AWS Redshift Cluster Creation
Identifies the creation of an Amazon Redshift cluster. Unexpected creation of a cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not be properly configured and could introduce security vulnerabilities.
More details
Rule ID
aws_61
Query
{'selection1': {'eventSource': 'redshift.amazonaws.com'}, 'selection2': {'eventName': 'CreateCluster'}, 'condition': 'selection1 and selection2'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0003, T1078
References
N/A
Severity
25
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2022/04/12 | low | Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. |
AWS EFS File System or Mount Deleted
Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.
More details
Rule ID
aws_67
Query
{'selection1': {'eventSource': 'elasticfilesystem.amazonaws.com'}, 'selection2': {'eventName': ['DeleteMountTarget', 'DeleteFileSystem']}, 'condition': 'selection1 and selection2'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0040, T1485
References
N/A
Severity
50
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2021/08/27 | medium | A file system or mount may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. File system or mount deletions by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. |
AWS Security Token Service (STS) AssumeRole Usage
Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.
More details
Rule ID
aws_70
Query
{'selection1': {'eventSource': 'sts.amazonaws.com'}, 'selection2': {'eventName': 'AssumeRole'}, 'condition': 'selection1 and selection2'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0004, T1548, TA0008, T1550
References
N/A
Severity
25
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2021/05/17 | low | |
AWS Lambda UpdateFunctionCode
This analytic is designed to detect IAM users attempting to update or modify AWS Lambda function code via the AWS CLI to gain persistence, obtain further access into the AWS environment, and facilitate planting backdoors. In this instance, an attacker may upload malicious code or a binary to a Lambda function, which will be executed automatically when the function is triggered.
More details
Rule ID
aws_89
Query
{'selection2': {'eventSource': 'lambda.amazonaws.com'}, 'selection3': {'eventName': 'UpdateFunctionCode*'}, 'selection4': {'errorCode': 'success'}, 'selection5': {'userIdentity_type': 'IAMUser'}, 'condition': 'selection2 and selection3 and selection4 and selection5'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0002, T1204
References
Severity
70
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2022-02-24 | medium | |
AWS ECR Container Scanning Findings
This search looks for AWS CloudTrail events from AWS Elastic Container Registry (ECR) Service.
More details
Rule ID
aws_90
Query
{'selection2': {'eventSource': 'ecr.amazonaws.com'}, 'selection3': {'eventName': 'DescribeImageScanFindings'}, 'condition': 'selection2 and selection3'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0002, T1204
References
Severity
10
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2022-08-25 | medium | |
AWS SAML Access by Provider User and Principal
This search provides specific SAML access from a specific service provider, user and targeted principal at AWS. It also provides specific information to detect abnormal access or potential credential hijacking or forgery, especially in federated environments using the SAML protocol inside the perimeter or at the cloud provider.
More details
Rule ID
aws_111
Query
{'selection1': {'eventSource': 'sts.amazonaws.com'}, 'selection2': {'eventName': 'AssumeRoleWithSAML'}, 'condition': 'selection1 and selection2'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0005, T1078
References
Severity
80
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2021-01-26 | medium | Attacks using Golden SAML or hijacked or forged SAML assertions are very difficult to detect, because access to the cloud provider with such assertions looks exactly like normal access. However, fields such as the source IP (sourceIPAddress), the user, and the principal targeted at the receiving cloud provider, combined with endpoint credential access and abuse detection searches, can provide the context needed to detect these attacks. |
KMS Keys Creation
This search provides detection of KMS key creation.
More details
Rule ID
aws_118
Query
{'selection1': {'eventSource': 'kms.amazonaws.com'}, 'selection2': {'eventName': 'CreateKey'}, 'selection3': {'eventName': 'PutKeyPolicy'}, 'condition': 'selection1 and (selection2 or selection3)'}
Log Source
Stellar Cyber
AWS configured.
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
TA0040, T1486
References
Severity
50
Suppression Logic Based On
- service_id
- aws.eventSource
- aws.eventName
- stellar.rule_id
Additional Information
| Maturity | Creation Date | Risk Level | False Positives |
|---|---|---|---|
| production | 2021-01-11 | medium | |