AWS GuardDuty Important Change
Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
Sigma rule (View on GitHub)
1title: AWS GuardDuty Important Change
2id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3
3status: test
4description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
5references:
6 - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9
7author: faloker
8date: 2020-02-11
9modified: 2022-10-09
10tags:
11 - attack.defense-evasion
12 - attack.t1562.001
13logsource:
14 product: aws
15 service: cloudtrail
16detection:
17 selection_source:
18 eventSource: guardduty.amazonaws.com
19 eventName: CreateIPSet
20 condition: selection_source
21falsepositives:
22 - Valid change in the GuardDuty (e.g. to ignore internal scanners)
23level: high
References
-
The AWS exploitation framework, designed for testing the security of Amazon Web Services environments. - RhinoSecurityLabs/pacu
Read More
Related rules
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- Add SafeBoot Keys Via Reg Utility
- Azure Kubernetes Events Deleted