AWS EFS Fileshare Modified or Deleted
Detects when an EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.
Sigma rule
title: AWS EFS Fileshare Modified or Deleted
id: 25cb1ba1-8a19-4a23-a198-d252664c8cef
status: test
description: |
    Detects when a EFS Fileshare is modified or deleted.
    You can't delete a file system that is in use.
    If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.
references:
    - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html
author: Austin Songer @austinsonger
date: 2021-08-15
modified: 2022-10-09
tags:
    - attack.impact
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: elasticfilesystem.amazonaws.com
        eventName: DeleteFileSystem
    condition: selection
falsepositives:
    - Unknown
level: medium
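An added triage example (not part of the Sigma project or of the rule above): the rule's two-field selection applied to constructed CloudTrail-style records, with each hit enriched by whether the call succeeded and whether the same principal deleted a mount target shortly before, the sequence the description says precedes a deletion. The 30-minute window, the helper names, the sample records and their `requestParameters` and `errorCode` values are assumptions made for illustration.

```python
from datetime import datetime, timedelta

EFS = "elasticfilesystem.amazonaws.com"
WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per environment

def _rec(time, name, arn, source=EFS, params=None, error=None):
    """Build a constructed, minimal CloudTrail-style record for the sample."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}, "requestParameters": params or {}}
    if error:
        rec["errorCode"] = error  # errorCode is present only on failed calls
    return rec

A = "arn:aws:iam::111122223333:user/example-a"  # constructed principals
B = "arn:aws:iam::111122223333:user/example-b"
SAMPLE = [  # constructed events, not real log data
    _rec("2024-01-01T10:00:00Z", "DeleteMountTarget", A, params={"mountTargetId": "fsmt-example1"}),
    _rec("2024-01-01T10:05:00Z", "DeleteFileSystem", A, params={"fileSystemId": "fs-example1"}),
    _rec("2024-01-01T10:06:00Z", "DescribeFileSystems", A),
    _rec("2024-01-01T11:00:00Z", "DeleteFileSystem", B,
         params={"fileSystemId": "fs-example2"}, error="FileSystemInUse"),
    _rec("2024-01-01T11:01:00Z", "DeleteVolume", B, source="ec2.amazonaws.com"),
]

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _arn(rec):
    return (rec.get("userIdentity") or {}).get("arn")

def matches_rule(rec):
    """Same selection as the Sigma rule: eventSource and eventName only."""
    return rec.get("eventSource") == EFS and rec.get("eventName") == "DeleteFileSystem"

def triage(records, window=WINDOW):
    """One alert per rule hit, with outcome and prior mount-target deletions."""
    alerts = []
    for hit in filter(matches_rule, records):
        prior = [r for r in records
                 if r.get("eventSource") == EFS and r.get("eventName") == "DeleteMountTarget"
                 and _arn(r) == _arn(hit)
                 and timedelta(0) <= _ts(hit) - _ts(r) <= window]
        alerts.append({
            "time": hit["eventTime"], "actor": _arn(hit),
            "file_system": (hit.get("requestParameters") or {}).get("fileSystemId"),
            "succeeded": "errorCode" not in hit,
            "mount_targets_deleted_before": len(prior),
        })
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

Because the rule does not filter on `errorCode`, the failed call in the sample still produces a hit; the `succeeded` field lets an analyst separate completed deletions from rejected attempts.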
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AWS EC2 Disable EBS Encryption
- AWS EFS Fileshare Mount Modified or Deleted
- AWS EKS Cluster Created or Deleted