- Created by Juan Tomás Alonso Nieto (Deactivated) , last modified by Former user on Sept 07, 2023
You are viewing an old version of this page. View the current version.
Compare with Current View Page History
« Previous Version 20 Current »
Amazon Web Services (AWS) is one of the largest cloud providers out there and as such requires organizations to protect themselves with cloud security monitoring.
SciSec’s content contains dozens of AWS detections so your organization can monitor your AWS infrastructure, look for areas of risk, or help respond to threats as they emerge. The detections are for AWS products and services Cloudtrail, Cloudwatch, and VPC.
The DescribePermissions event retrieves a description about permissions for a specified stack. This could be used by an attacker to collect information for further attacks.
Source table → cloud.aws.cloudtrail
Detects actions that update SAML the provider configuration
Source table → cloud.aws.cloudtrail
This search provides specific information to detect abnormal access or potential credential hijack or forgery, specially in federated environments using SAML protocol inside the perimeter or cloud provider
Source table → cloud.aws.cloudtrail
It was detected that a permission boundary has been lifted against an IAM user. This action could be used by an attacker to escalate privileges within an AWS account.
Source table → cloud.aws.cloudtrail
The Describe permissions event retrieves a description of permissions for a specified stack. This could be used by an attacker to collect information for further attacks.
Source table → cloud.aws.cloudtrail
It was detected that a policy had been attached to a group. These kinds of events should be checked since they could be granting excessive access permissions to AWS services or resources.
Source table → cloud.aws.cloudtrail
A trail within the Cloudtrail service has been deleted. This event should be checked since it could indicate that an attacker may be trying to hide suspicious activity within an AWS account.
Source table → cloud.aws.cloudtrail
Upload of a new ECR container was performed outside normal business hours. This is during weekend or between 20:00 and 8:00
Source table → cloud.aws.cloudtrail
Creation of a KMS key with action kms:Encrypt is available for everyone. This could be a compromised account indicator.
Source table → cloud.aws.cloudtrail
Detects any actions observed that create, import, or delete access keys to EC2.
Source table → cloud.aws.cloudtrail
This search looks for Collective Defense matches in AWS data.
Source table → cloud.aws.cloudtrail
Detects if a login has been performed by a user which has been created in the last 24 hours and checks if the user creation and the login has been performed from the same IP. This behaviour could indicate a privilege escalation attempt.
Source table → cloud.aws.cloudtrail
It was detected that a policy has been attached to a role, these kind of events should be checked since they could be granting excessive access permissions to AWS services or resources.
Source table → cloud.aws.cloudtrail
Actions observed as blocked for sending large amounts of data from AWS out to the internet.
Source table → vpc.aws.flow
This search looks for AWS CloudTrail events where a user, who already has permission to create access keys, makes an API call to create access keys for a second user.
Source table → cloud.aws.cloudtrail
Multiple failed login attempts from the same user were detected. This could indicate an attacker could be trying to brute force access to that specific user account.
Source table → cloud.aws.cloudtrail
Detects possible large file being moved via AWS VPC logs.
Source table → vpc.aws.flow
A Permission Boundary has been modified for a role. This could allow granting all the actions in the permissions of the policies attached to that role.
Source table → cloud.aws.cloudtrail
A user has updated the login profile of a different user. This could indicate that a privilege escalation is being performed leveraging the user which login profile has been updated.
Source table → cloud.aws.cloudtrail
Suspicious use of "AssumedRole". This type of tokens could be used by an attacker in order perform privilege escalation or lateral movements.
Source table → cloud.aws.cloudtrail
Detection of events with errorCode "MalformedPolicyDocumentException". A malformed policy document exception occurs in instances where roles are attempted to be assumed, or brute forced.
Source table → cloud.aws.cloudtrail
Detects actions taken to create new IAM roles in AWS
Source table → cloud.aws.cloudtrail
This alert checks filters by events where the errorCode AccessDenied is present and groups each 5 minutes by user arn and aws account.
Source table → cloud.aws.cloudtrail
A successful root account login was detected. This account should only be used to create initial IAM users or perform tasks only available to the root user. Using this account is against AWS security best practices.
Source table → cloud.aws.cloudtrail
Any modification action performed against the AWS Secrets Administrative service should be reviewd. This could be an indicator of suspicious activity being carried out by a hostile entity.
Source table → cloud.aws.cloudtrail
Analytical detection of a reconnaissance type behavior from AWS CloudTrail logs.
Source table → cloud.aws.cloudtrail
This alert filters PutBucketAcl cloudtrail events that come from the S3 service. The alert then extracts each URI and Permission pair from the raw event message. The alert then checks if the URI is equal to http://acs.amazonaws.com/groups/global/AllUsers or http://acs.amazonaws.com/groups/global/AuthenticatedUsers and if the permission is READ, READ_ACP, WRITE, WRITE_ACP, or FULL_CONTROL. The alert will trigger if any of these pairs meet both criteria. This alert will only extract the first five permissions and URIs of a message.
Source table → cloud.aws.cloudtrail
It was detected that a policy has been attached to a role, these kind of events should be checked since they could be granting excessive access permissions to AWS services or resources.
Source table → cloud.aws.cloudtrail
An AWS console successfully without MFA login was detected. AWS security best practices are recommended to enable this security measure for console access login.
Source table → cloud.aws.cloudtrail
Creating a snapshot is a common technique utilized by malicious actors to download databases in a stealthy manner. This alert should be considered when other signals could indicate that an account has been compromised.
Source table → cloud.aws.cloudtrail
A trail within the Cloudtrail service has been stopped. This event should be checked since it could indicate that an attacker may be trying to hide suspicious activity within an AWS account.
Source table → cloud.aws.cloudtrail
An action to delete a policy was performed. This should be checked since it could undermine the security configuration of the AWS environment.
Source table → cloud.aws.cloudtrail
A new user was created. This actions should be checked since an attacker could have created this user to gain persistence on the AWS account.
Source table → cloud.aws.cloudtrail
Network ACl was deleted, this could indicate that an attacker is downgrading security access of a network instance
Source table → cloud.aws.cloudtrail
It was detected that a permission boundary has been lifted against an IAM role. This action could be used by an attacker to escalate privileges within an AWS account.
Source table → cloud.aws.cloudtrail
This alert filters SetDefaultPolicyVersion cloudtrail events that come from the IAM service. In addition, the errorCode has to be equal to null to avoid false positives.
Source table → cloud.aws.cloudtrail
Detects AWS API activity by users who are not explicitly authorized from an allow list.
Source table → cloud.aws.cloudtrail
Detects STS session tokens, which can be used to move laterally, or escalate, privileges in AWS.
Source table → cloud.aws.cloudtrail
Detects the scheduled deletion of KMS keys.
Source table → cloud.aws.cloudtrail
Detects rare ListQueues event from AWS SQS.
Source table → cloud.aws.cloudtrail
A Permission Boundary has been modified on a role. This could allow to grant all the actions in the permissions of the policies attached to that role.
Source table → cloud.aws.cloudtrail
This alert checks for the CVE-2021-44228 exploit (Log4shell). The query looks for payload patterns associated with Log4shell including payloads in the url, user-agent header, referer header, or POST and PUT HTTP bodies.
Source table → cloud.aws.cloudtrail
Analytics detection about KMS key enable or disable actions.
Source table → cloud.aws.cloudtrail
Scanning from an ECR container detected at least one critical risk finding.
Source table → cloud.aws.cloudtrail
The search looks for CloudTrail events to detect if any network ACLs were created with all the ports open to a specified CIDR.
Source table → cloud.aws.cloudtrail
This detection filters by cloudtrail events with RemoveTags as eventName.
Source table → cloud.aws.cloudtrail
Detects actions taken by users to encrypt S3 buckets using KMS keys.
Source table → cloud.aws.cloudtrail
A large number of actions performed which start with Describe have been performed by a single user. This could indicate this user is trying to enumerate the AWS account.
Source table → cloud.aws.cloudtrail
Detects when a Customer Master Key (CMK) was disabled or scheduled for deletion.
Source table → cloud.aws.cloudtrail
This search looks for AWS CloudTrail events where a user has created a policy version that allows the user to access any resource in their account.
Source table → cloud.aws.cloudtrail
It was detected that a UserPoolClient entity has been created. These type of entities could be used by an attacker to perform unauthenticated API operations.
Source table → cloud.aws.cloudtrail
Detects users uploading new images to AWS Elastic Container Registry (ECR).
Source table → cloud.aws.cloudtrail
Deletion of an IAM group is not a dangerous action by itself, but correlated with other events such as recently user or group creations could indicate that a malicious behaviour.
Source table → cloud.aws.cloudtrail
Detects actions observed that create, import and delete access keys to EC2.
Source table → cloud.aws.cloudtrail
Detects a GetSecretValue action where the source IP does not belong in an Amazon instance IP space.
Source table → cloud.aws.cloudtrail
Scanning from an ECR container detected at least one LOW or UNDEFINED risk finding.
Source table → cloud.aws.cloudtrail
- No labels