Potential Backup Enumeration on AWS

Detects potential enumeration activity targeting AWS instance backups

Sigma rule

title: Potential Backup Enumeration on AWS
id: 76255e09-755e-4675-8b6b-dbce9842cd2a
status: unsupported
description: Detects potential enumeration activity targeting an AWS instance backups
references:
    - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
modified: 2023/03/24
tags:
    - attack.discovery
    - attack.t1580
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName:
            - 'GetPasswordData'
            - 'GetEbsEncryptionByDefault'
            - 'GetEbsDefaultKmsKeyId'
            - 'GetBucketReplication'
            - 'DescribeVolumes'
            - 'DescribeVolumesModifications'
            - 'DescribeSnapshotAttribute'
            - 'DescribeSnapshotTierStatus'
            - 'DescribeImages'
    timeframe: 10m
    condition: selection | count() > 5
falsepositives:
    - Unknown
level: medium
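As an added example (not part of the rule above or of SigmaHQ), the following Python applies the rule's selection block and its count() > 5 within 10m condition to constructed CloudTrail records. Grouping by principal via the group_by parameter is an assumption added here; the rule as written counts across all matching events.

```python
"""Added example: evaluate the backup-enumeration Sigma rule over CloudTrail records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_SOURCE = "ec2.amazonaws.com"
EVENT_NAMES = {
    "GetPasswordData", "GetEbsEncryptionByDefault", "GetEbsDefaultKmsKeyId",
    "GetBucketReplication", "DescribeVolumes", "DescribeVolumesModifications",
    "DescribeSnapshotAttribute", "DescribeSnapshotTierStatus", "DescribeImages",
}
TIMEFRAME = timedelta(minutes=10)   # timeframe: 10m
THRESHOLD = 5                       # condition: selection | count() > 5

def matches_selection(record: dict) -> bool:
    """The rule's 'selection': eventSource AND eventName must both match."""
    return record.get("eventSource") == EVENT_SOURCE and record.get("eventName") in EVENT_NAMES

def _group_key(record: dict, field):
    """Resolve a dotted field such as 'userIdentity.arn'; None means no grouping."""
    if field is None:
        return "*"
    value = record
    for part in field.split("."):
        value = value.get(part, {}) if isinstance(value, dict) else {}
    return value if isinstance(value, str) else "unknown"

def find_alerts(records, group_by=None):
    """Sliding 10-minute window; returns one (key, first_alert_time) per key."""
    windows, fired, alerts = defaultdict(deque), set(), []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if not matches_selection(rec):
            continue
        key = _group_key(rec, group_by)
        ts = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
        win = windows[key]
        win.append(ts)
        while win and ts - win[0] > TIMEFRAME:   # drop events older than 10m
            win.popleft()
        if len(win) > THRESHOLD and key not in fired:
            fired.add(key)
            alerts.append((key, ts))
    return alerts

def _ct(event_name, minute, source=EVENT_SOURCE, arn="arn:aws:iam::111122223333:user/analyst"):
    """Constructed minimal CloudTrail record (real records carry many more fields)."""
    return {"eventTime": f"2022-12-13T10:{minute:02d}:00Z", "eventSource": source,
            "eventName": event_name, "userIdentity": {"arn": arn}}

SAMPLE_RECORDS = [  # constructed: six selected calls in six minutes, plus three non-matches
    _ct("DescribeVolumes", 0), _ct("DescribeImages", 1), _ct("DescribeSnapshotAttribute", 2),
    _ct("GetPasswordData", 3), _ct("GetEbsDefaultKmsKeyId", 4), _ct("DescribeVolumesModifications", 5),
    _ct("GetBucketReplication", 6, source="s3.amazonaws.com"),  # S3 source, so not selected
    _ct("RunInstances", 7),        # not in the eventName list
    _ct("DescribeVolumes", 30),    # selected, but outside the 10m window
]
```

Running find_alerts(SAMPLE_RECORDS) yields a single alert at 10:05, the moment the sixth selected call lands inside the window; the 10:30 call starts a fresh window of one.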
