AWS EFS Fileshare Mount Modified or Deleted

Detects when an EFS Fileshare Mount is modified or deleted. An adversary deleting a mount target breaks any file system mounts that use it, which might disrupt instances or applications using those mounts.

Sigma rule (View on GitHub)

title: AWS EFS Fileshare Mount Modified or Deleted
id: 6a7ba45c-63d8-473e-9736-2eaabff79964
status: test
description: Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.
references:
    - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
author: Austin Songer @austinsonger
date: 2021/08/15
modified: 2022/10/09
tags:
    - attack.impact
    - attack.t1485
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: elasticfilesystem.amazonaws.com
        eventName: DeleteMountTarget
    condition: selection
falsepositives:
    - Unknown
level: medium
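
The rule's selection applied to a constructed CloudTrail log file, as an added example that is not part of the original rule or of the Sigma project's tooling; it shows that the selection fires on denied calls as well as successful ones and, because only `DeleteMountTarget` is listed, does not fire on `ModifyMountTargetSecurityGroups`. The sample records, account ID, user names and the `mountTargetId` request-parameter key are assumptions made for illustration.

```python
import json

# Selection copied from the Sigma rule above.
SELECTION = {"eventSource": "elasticfilesystem.amazonaws.com",
             "eventName": "DeleteMountTarget"}

def _sample(name, user, **extra):
    """Build one constructed CloudTrail record (illustrative values only)."""
    rec = {"eventTime": "2024-01-01T10:00:00Z", "awsRegion": "us-east-1",
           "eventSource": "elasticfilesystem.amazonaws.com", "eventName": name,
           "sourceIPAddress": "198.51.100.7",
           "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
           "requestParameters": {"mountTargetId": "fsmt-0123456789abcdef0"}}
    rec.update(extra)
    return rec

# Constructed CloudTrail log file: a successful delete, a denied delete
# (no request parameters logged), and a security-group change.
SAMPLE_LOG = json.dumps({"Records": [
    _sample("DeleteMountTarget", "example-admin"),
    _sample("DeleteMountTarget", "example-dev", errorCode="AccessDenied",
            requestParameters=None),
    _sample("ModifyMountTargetSecurityGroups", "example-admin"),
]})

def matches(record):
    """Sigma plain-value match: every selection field equal, ignoring case."""
    return all(str(record.get(field, "")).lower() == value.lower()
               for field, value in SELECTION.items())

def detect(log_text):
    """Return one triage dict per record that satisfies the selection."""
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        if not matches(rec):
            continue
        hits.append({
            "time": rec.get("eventTime"),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "region": rec.get("awsRegion"),
            "mount_target": (rec.get("requestParameters") or {}).get("mountTargetId"),
            "succeeded": "errorCode" not in rec,  # rule does not filter on outcome
        })
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```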
