AWS Macie Evasion
Detects attempts to evade Amazon Macie detection.
Sigma rule
```yaml
title: AWS Macie Evasion
id: 91f6a16c-ef71-437a-99ac-0b070e3ad221
status: unsupported
description: Detects attempts to evade Amazon Macie detection.
references:
    - https://docs.aws.amazon.com/cli/latest/reference/macie/
author: Sittikorn S
date: 2021/07/06
modified: 2023/03/24
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventName:
            - 'ArchiveFindings'
            - 'CreateFindingsFilter'
            - 'DeleteMember'
            - 'DisassociateFromMasterAccount'
            - 'DisassociateMember'
            - 'DisableMacie'
            - 'DisableOrganizationAdminAccount'
            - 'UpdateFindingsFilter'
            - 'UpdateMacieSession'
            - 'UpdateMemberSession'
            - 'UpdateClassificationJob'
    timeframe: 10m
    condition: selection | count() by sourceIPAddress > 5
fields:
    - sourceIPAddress
    - userIdentity.arn
falsepositives:
    - System or Network administrator behaviors
level: medium
```
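As an added example that is not part of the rule or the SigmaHQ project, the Python below applies the rule's selection, 10-minute timeframe and count-by-sourceIPAddress threshold to a few constructed CloudTrail records, using a sliding window because Sigma leaves timeframe semantics to the backend. The sample addresses, account ID and ARNs are assumed values.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Selection from the Sigma rule above: Macie calls that archive, filter or disable findings.
MACIE_EVASION_EVENTS = {
    "ArchiveFindings", "CreateFindingsFilter", "DeleteMember",
    "DisassociateFromMasterAccount", "DisassociateMember", "DisableMacie",
    "DisableOrganizationAdminAccount", "UpdateFindingsFilter",
    "UpdateMacieSession", "UpdateMemberSession", "UpdateClassificationJob",
}
TIMEFRAME = timedelta(minutes=10)  # rule: timeframe: 10m
THRESHOLD = 5                      # rule: count() by sourceIPAddress > 5


def detect_macie_evasion(records):
    """Return one alert per sourceIPAddress with more than THRESHOLD matching records
    inside TIMEFRAME (sliding window; a fixed bucket could split a burst in two)."""
    matches = sorted((r for r in records if r.get("eventName") in MACIE_EVASION_EVENTS),
                     key=lambda r: r["eventTime"])
    window = defaultdict(deque)  # sourceIPAddress -> event times still inside the window
    alerted = {}                 # sourceIPAddress -> alert (first crossing of the threshold)
    for r in matches:
        ip = r.get("sourceIPAddress", "unknown")
        ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        q = window[ip]
        q.append(ts)
        while ts - q[0] > TIMEFRAME:  # expire records older than the 10 minute window
            q.popleft()
        if len(q) > THRESHOLD and ip not in alerted:
            alerted[ip] = {"sourceIPAddress": ip, "count": len(q),
                           "userIdentity.arn": r.get("userIdentity", {}).get("arn")}
    return list(alerted.values())


# Constructed sample records (not real telemetry): six Macie calls from one address within
# four minutes, one from another address, and an unrelated S3 call that the selection ignores.
SAMPLE = [json.loads(line) for line in """
{"eventTime":"2021-07-06T10:00:00Z","eventName":"CreateFindingsFilter","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
{"eventTime":"2021-07-06T10:00:30Z","eventName":"UpdateFindingsFilter","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
{"eventTime":"2021-07-06T10:01:10Z","eventName":"ArchiveFindings","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
{"eventTime":"2021-07-06T10:02:00Z","eventName":"UpdateClassificationJob","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
{"eventTime":"2021-07-06T10:02:45Z","eventName":"GetObject","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
{"eventTime":"2021-07-06T10:03:20Z","eventName":"DisassociateMember","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
{"eventTime":"2021-07-06T10:04:00Z","eventName":"DisableMacie","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
{"eventTime":"2021-07-06T10:05:00Z","eventName":"DisableMacie","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"}}
""".strip().splitlines()]

if __name__ == "__main__":
    for alert in detect_macie_evasion(SAMPLE):
        print(alert)
```

Running it reports 203.0.113.10 with six matching calls; the single call from 198.51.100.7 stays below the threshold, which is where the rule's "administrator behaviors" false positive would otherwise surface.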
References
- https://docs.aws.amazon.com/cli/latest/reference/macie/
Related rules
- Powershell MS Defender Tampering - ScriptBlockLogging
- Tampering of Windows Defender with Reg
- Abusing PowerShell to Disable Defender Components
- Abusing PowerShell to Modify Defender Components
- Defense evasion via process reimaging