-
Identifies multiple validation exeception errors within AWS Bedrock. Validation errors occur when you run the InvokeModel or InvokeModelWithResponseStream APIs on a foundation model that uses an incorrect inference parameter or corresponding value. These errors also occur when you use an inference parameter for one model with a model that doesn't have the same API parameter. This could indicate attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exhorbitant costs.
Read More -
AWS EC2 Multi-Region DescribeInstances API Calls
Identifies when a single AWS resource is making
DescribeInstances
API calls in more than 10 regions within a 30-second window. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple regions using compromised credentials or a compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to gain a better understanding of the target's infrastructure.
Read More -
An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to user groups the compromised user account belongs to. This rule looks for use of the IAM
AttachGroupPolicy
API operation to attach the highly permissiveAdministratorAccess
AWS managed policy to an existing IAM user group.
Read More -
An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised IAM roles. This rule looks for use of the IAM
AttachRolePolicy
API operation to attach the highly permissiveAdministratorAccess
AWS managed policy to an existing IAM role.
Read More -
An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised user accounts. This rule looks for use of the IAM
AttachUserPolicy
API operation to attach the highly permissiveAdministratorAccess
AWS managed policy to an existing IAM user.
Read More -
An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM
CreateAccessKey
API operation to create new programmatic access keys for another IAM user.
Read More -
Identifies a high number of failed S3 operations from a single source and account (or anonymous account) within a short timeframe. This activity can be indicative of attempting to cause an increase in billing to an account for excessive random operations, cause resource exhaustion, or enumerating bucket names for discovery.
Read More -
Identifies
CopyObject
events within an S3 bucket using an AWS KMS key from an external account for encryption. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data.
Read More -
Identifies when a single AWS resource is making
GetServiceQuota
API calls for the EC2 service quota L-1216C47A in more than 10 regions within a 30-second window. Quota code L-1216C47A represents on-demand instances which are used by adversaries to deploy malware and mine cryptocurrency. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple regions using compromised credentials or a compromised instance.
Read More -
Identifies when a federated user logs into the AWS Management Console without using multi-factor authentication (MFA). Federated users are typically given temporary credentials to access AWS services. If a federated user logs into the AWS Management Console without using MFA, it may indicate a security risk, as MFA adds an additional layer of security to the authentication process. This could also indicate the abuse of STS tokens to bypass MFA requirements.
Read More -
Potential AWS S3 Bucket Ransomware Note Uploaded
Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the
PutObject
S3 API call with a common ransomware note file extension such as.ransom
, or.lock
. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.
Read More -
Identifies AWS EC2 EBS snaphots being shared with another AWS account. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the snapshot into an environment they control, to access the data.
Read More -
An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and determine what account they are using. This rule looks for the first time an identity has called the STS
GetCallerIdentity
API operation in the last 15 days, which may be an indicator of compromised credentials. A legitimate user would not need to call this operation as they should know the account they are using.
Read More -
Identifies the first occurrence of an AWS Security Token Service (STS)
GetFederationToken
request made by a user within the last 10 days. TheGetFederationToken
API call allows users to request temporary security credentials to access AWS resources. Adversaries may use this API to obtain temporary credentials to access resources they would not normally have access to.
Read More -
Identifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. This activity could be an indication of an attacker attempting to escalate privileges.
Read More -
Identifies when a user has assumed a role in AWS Security Token Service (STS). Users can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation.
Read More -
AWS S3 Object Versioning Suspended
Identifies when object versioning is suspended for an Amazon S3 bucket. Object versioning allows for multiple versions of an object to exist in the same bucket. This allows for easy recovery of deleted or overwritten objects. When object versioning is suspended for a bucket, it could indicate an adversary's attempt to inhibit system recovery following malicious activity. Additionally, when versioning is suspended, buckets can then be deleted.
Read More -
This rule looks for use of the IAM
AttachUserPolicy
API operation to attach theCompromisedKeyQuarantine
orCompromisedKeyQuarantineV2
AWS managed policies to an existing IAM user. This policy denies access to certain actions and is applied by the AWS team in the event that an IAM user's credentials have been compromised or exposed publicly.
Read More -
This rule detects the first time a principal calls AWS Cloudwatch
CreateStack
orCreateStackSet
API. Cloudformation is used to create a single collection of cloud resources called a stack, via a defined template file. An attacker with the appropriate privileges could leverage Cloudformation to create specific resources needed to further exploit the environment. This is a new terms rule that looks for the first instance of this behavior in the last 10 days for a role or IAM user within a particular account.
Read More -
Identifies a successful console login activity by an EC2 instance profile using an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern "i-" which is the beginning pattern for assumed role sessions started by an EC2 instance and a successful
ConsoleLogin
orGetSigninToken
API call.
Read More -
Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern "i-" which is the beginning pattern for assumed role sessions started by an EC2 instance.
Read More -
Identifies when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service. This action could indicate an adversary attempting to maintain access to the instance. The rule also detects the
SendSerialConsoleSSHPublicKey
API action, which could be used for privilege escalation if the serial console is enabled. Monitoring these activities helps ensure unauthorized access attempts are detected and mitigated promptly.
Read More -
Identifies the creation of an AWS Roles Anywhere profile. AWS Roles Anywhere is a feature that allows you to use AWS Identity and Access Management (IAM) profiles to manage access to your AWS resources from any location via trusted anchors. This rule detects the creation of a profile that can be assumed from any service. Adversaries may create profiles tied to overly permissive roles to maintain access to AWS resources. Ensure that the profile creation is expected and that the trust policy is configured securely.
Read More -
Identifies when an AWS IAM Roles Anywhere Trust Anchor with an external certificate authority is created. AWS Roles Anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. This rule detects when a trust anchor is created with an external certificate authority that is not managed by AWS Certificate Manager Private Certificate Authority (ACM PCA). Adversaries may accomplish this to maintain persistence in the environment.
Read More -
Identifies when an AWS Lambda function policy is updated to allow public invocation. This rule specifically looks for the
AddPermission
API call with thePrincipal
set to*
which allows any AWS account to invoke the Lambda function. Adversaries may abuse this permission to create a backdoor in the Lambda function that allows them to execute arbitrary code.
Read More -
AWS Lambda Layer Added to Existing Function
Identifies when an Lambda Layer is added to an existing Lambda function. AWS layers are a way to share code and data across multiple functions. By adding a layer to an existing function, an attacker can persist or execute code in the context of the function.
Read More -
Identifies an expiration lifecycle configuration added to an S3 bucket. Lifecycle configurations can be used to manage objects in a bucket, including setting expiration policies. This rule detects when a lifecycle configuration is added to an S3 bucket, which could indicate that objects in the bucket will be automatically deleted after a specified period of time. This could be used to evade detection by deleting objects that contain evidence of malicious activity.
Read More -
AWS S3 Bucket Policy Added to Share with External Account
Identifies an AWS S3 bucket policy change to share permissions with an external account. Adversaries may attempt to backdoor an S3 bucket by sharing it with an external account. This can be used to exfiltrate data or to provide access to other adversaries. This rule identifies changes to a bucket policy via the
PutBucketPolicy
API call where the policy includes anEffect=Allow
statement that does not contain the AWS account ID of the bucket owner.
Read More -
Detects the first occurrence of a user identity accessing AWS Systems Manager (SSM) SecureString parameters using the GetParameter or GetParameters API actions with credentials in the request parameters. This could indicate that the user is accessing sensitive information. This rule detects when a user accesses a SecureString parameter with the
withDecryption
parameter set to true. This is a NewTerms rule that detects the first occurrence of a specific AWS ARN accessing SecureString parameters with decryption within the last 10 days.
Read More -
An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a secret value from Secrets Manager using the
GetSecretValue
orBatchGetSecretValue
actions. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the compromised service's IAM role to access the secrets in Secrets Manager.
Read More -
Identifies when a specified inbound (ingress) rule is added or adjusted for a VPC security group in AWS EC2. This rule detects when a security group rule is added that allows traffic from any IP address or from a specific IP address to common remote access ports, such as 22 (SSH) or 3389 (RDP). Adversaries may add these rules to allow remote access to VPC instances from any location, increasing the attack surface and potentially exposing the instances to unauthorized access.
Read More -
This rule attempts to identify rapid secret retrieval attempts from AWS SecretsManager. Adversaries may attempt to retrieve secrets from the Secrets Manager programmatically using the
GetSecretValue
orBatchGetSecretValue
API actions.
Read More -
Identifies the first occurrence of an AWS resource establishing a session via SSM to an EC2 instance. Adversaries may use AWS Systems Manager to establish a session to an EC2 instance to execute commands on the instance. This can be used to gain access to the instance and perform actions such as privilege escalation. This rule helps detect the first occurrence of this activity for a given AWS resource.
Read More -
Identifies when the
PutBucketReplication
operation is used to replicate S3 objects to a bucket in another AWS account. Adversaries may use bucket replication to exfiltrate sensitive data to an environment they control.
Read More -
Identifies when server access logging is disabled for an Amazon S3 bucket. Server access logs provide a detailed record of requests made to an S3 bucket. When server access logging is disabled for a bucket, it could indicate an adversary's attempt to impair defenses by disabling logs that contain evidence of malicious activity.
Read More -
Identifies the creation or modification of an AWS RDS DB instance to enable public access. DB instances may contain sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may enable public access on a DB instance to maintain persistence or evade defenses by bypassing access controls.
Read More -
Identifies the modification of an AWS RDS DB instance or cluster to remove the deletionProtection feature. Deletion protection is enabled automatically for instances set up through the console and can be used to protect them from unintentional deletion activity. If disabled an instance or cluster can be deleted, destroying sensitive or critical information. Adversaries with the proper permissions can take advantage of this to set up future deletion events against a compromised environment.
Read More -
Identifies the modification of the master password for an AWS RDS DB instance or cluster. DB instances may contain sensitive data that can be abused if accessed by unauthorized actors. Amazon RDS API operations never return the password, so this operation provides a means to regain access if the password is lost. Adversaries with the proper permissions can take advantage of this to evade defenses and gain unauthorized access to a DB instance or cluster to support persistence mechanisms or privilege escalation.
Read More -
Identifies an AWS RDS DB snapshot being shared with another AWS account. DB snapshots contain a full backup of an entire DB instance including sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may use snapshots to restore a DB Instance in an environment they control as a means of data exfiltration.
Read More -
AWS RDS Snapshot Deleted
Identifies the deletion of an AWS RDS DB snapshot. Snapshots contain a full backup of an entire DB instance. Unauthorized deletion of snapshots can make it impossible to recover critical or sensitive data. This rule detects deleted snapshots and instances modified so that backupRetentionPeriod is set to 0 which disables automated backups and is functionally similar to deleting the system snapshot.
Read More -
An adversary with a set of compromised credentials may attempt to make copies of running or deleted RDS databases in order to evade defense mechanisms or access data. This rule identifies successful attempts to restore a DB instance using the RDS
RestoreDBInstanceFromDBSnapshot
orRestoreDBInstanceFromS3
API operations.
Read More -
A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.
Read More -
A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.
Read More -
A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.
Read More -
A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).
Read More -
A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).
Read More -
AWS CloudTrail Log Created
Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.
Read More -
Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.
Read More -
Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.
Read More -
Identifies an update to an AWS log trail setting that specifies the delivery of log files.
Read More -
AWS CloudWatch Alarm Deletion
Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.
Read More -
Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.
Read More -
Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.
Read More -
AWS Config Resource Deletion
Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances.
Read More -
AWS Deletion of RDS Instance or Cluster
Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance.
Read More -
Identifies the first occurrence of a user identity in AWS using
GetPassword
for the administrator password of an EC2 instance with an assumed role. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances.
Read More -
AWS EC2 Encryption Disabled
Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.
Read More -
Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.
Read More -
Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.
Read More -
AWS EC2 Network Access Control List Deletion
Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.
Read More -
An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.
Read More -
AWS EC2 VM Export Failure
Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.
Read More -
AWS EFS File System or Mount Deleted
Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.
Read More -
AWS EventBridge Rule Disabled or Deleted
Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.
Read More -
Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.
Read More -
AWS GuardDuty Detector Deletion
Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
Read More -
Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.
Read More -
Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.
Read More -
AWS IAM Deactivation of MFA Device
Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.
Read More -
Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.
Read More -
AWS IAM Group Deletion
Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.
Read More -
Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.
Read More -
Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).
Read More -
AWS KMS Customer Managed Key Disabled or Scheduled for Deletion
Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable.
Read More -
AWS Management Console Brute Force of Root User Identity
Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.
Read More -
AWS RDS Cluster Creation
Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.
Read More -
AWS RDS Instance Creation
Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.
Read More -
AWS RDS Instance/Cluster Stoppage
Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.
Read More -
AWS RDS Snapshot Export
Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.
Read More -
Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities.
Read More -
Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.
Read More -
Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
Read More -
Identifies when a request has been made to transfer a Route 53 domain to another AWS account.
Read More -
AWS S3 Bucket Configuration Deletion
Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.
Read More -
Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.
Read More -
Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
Read More -
Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.
Read More -
AWS WAF Access Control List Deletion
Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.
Read More -
AWS WAF Rule or Rule Group Deletion
Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.
Read More -
EC2 AMI Shared with Another Account
Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well.
Read More -
Identifies when a Route53 Resolver Query Log Configuration is deleted. When a Route53 Resolver query log configuration is deleted, Resolver stops logging DNS queries and responses for the specified configuration. Adversaries may delete query log configurations to evade detection or cover their tracks.
Read More