1. This repo contains all 17 AWS attack scenarios from soc-labs.
2. More fine-tuning of the Sigma rules (for example, adding time-based thresholds) will follow soon. link
- Stratus Red Team by @datadoghq Attack Simulation Detection.
- Hacking The Cloud - AWS by @HackingthCloud Attack Simulation Detection.
- cloudgoat by @RhinoSecurity Attack Simulation Detection.
- Permiso Security Blogs Attack Simulation Detection.
Quoting values correctly is essential when writing detections that match on AWS API call fields.
See scenario no. 17 for an example.
| no. | Scenario | Objective | Detection Query (Sigma) |
|---|---|---|---|
| 1. | AWS Delete DNS query logs | Detect the deletion of Route 53 DNS resolver query logs in AWS environments | link |
| 2. | AWS EC2 Windows Instance Password Data Retrieval | Write detection rules to identify password data retrieval activities targeting Windows EC2 instances in an AWS environment, with a focus on ec2:GetPasswordData API call events. | link |
| 3. | EC2 Credential Exfiltration – EC2 Account Credentials Used by Another AWS Account | Identify all API operations initiated with EC2 instance credentials where the credential’s originating account does not match the account where the API call occurs. | link |
| 4. | Retrieving a High Number of AWS Secrets Manager Secrets | Write detection rules to identify abnormal Secrets Manager secret retrieval activities. Focus on suspicious behavior patterns related to Secrets Manager. | link |
| 5. | Retrieve And Decrypt SSM Parameters | Write detection rules to identify suspicious bulk decryption of SecureString parameters. When a request sets the withDecryption parameter to true, it indicates an attempt to retrieve parameter plaintext. Focus on operations that decrypt multiple SecureString parameters within a short time window to identify potential sensitive information leakage risks. | link |
| 6. | AWS Deletes a trail | Write detection rules based on logs to identify API calls that delete a Trail. | link |
| 7. | Disabling Management Event Logging via Event Selector | Write a detection rule to identify calls to the PutEventSelectors API. | link |
| 8. | CloudTrail Logs Impairment Through S3 Lifecycle Rule | Write a rule to identify log entries where the S3 bucket lifecycle policy is set to 1 day. | link |
| 9. | Stop CloudTrail Trail | Detect events where CloudTrail logging has been stopped. | link |
| 10. | AWS Remove VPC Flow Logs | Detect API calls that delete VPC Flow Log configurations and identify key operational events that may disrupt network traffic monitoring. | link |
| 11. | Download EC2 Instance User Data | Write detection rules to identify behavior where EC2 instance user data is accessed via APIs, with particular attention to abnormal operations involving multiple user data retrievals within a short time frame. | link |
| 12. | Enumerate SES Information Activities | Develop detection rules to identify SES enumeration activities | link |
| 13. | Bulk Remote Sessions Across Multiple Instances via SSM StartSession | Write a detection rule to identify bulk SSM StartSession requests targeting multiple EC2 instances within a short timeframe. | link |
| 14. | AWS Security Group Public Exposure of SSH Port 22 | Write a detection rule to identify instances where the AuthorizeSecurityGroupIngress CloudTrail event is used to allow access to security group port 22 from unknown external IPs or from 0.0.0.0/0. | link |
| 15. | Data Theft via Shared AMI | Write detection rules to identify behaviors where AMIs are shared with other accounts. | link |
| 16. | Data Theft via Shared S3 Buckets | Write detection rules to identify suspicious authorization actions targeting S3 bucket policies. | link |
| 17. | AWS IAM User Logged into Console Without MFA | Write a detection rule to identify IAM user login events to the AWS Console that occurred without MFA. | link |
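The quoting note above and scenario 17 together, as an added example that is not code from the soc-labs repo or the Sigma project: a minimal Sigma-style matcher for "IAM user logged into the console without MFA", run over constructed CloudTrail records. The CloudTrail field names used (eventSource, eventName, userIdentity.type, responseElements.ConsoleLogin, additionalEventData.MFAUsed) are real; the events, the `DETECTION_*` dicts and the helper functions are this example's own. It shows one concrete reason quoting matters: CloudTrail logs MFAUsed as the string `"No"`, and a YAML 1.1 loader such as PyYAML reads an unquoted `No` in a rule file as the boolean `false`, which silently matches nothing.

```python
"""Scenario 17 (IAM user console login without MFA) as a minimal Sigma-style
matcher. Added example; not code from the soc-labs repo or from Sigma.
Field names follow the CloudTrail ConsoleLogin record; the sample events
below are constructed."""
import json

# The rule's selection block, expressed as a dict of dotted-path -> value.
# In the YAML rule the MFAUsed value must be written as 'No' (quoted):
# a YAML 1.1 loader (PyYAML, which the common Sigma converters use) turns an
# unquoted  No  into the boolean False, and False never equals the string "No".
DETECTION_QUOTED = {
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "userIdentity.type": "IAMUser",
    "responseElements.ConsoleLogin": "Success",
    "additionalEventData.MFAUsed": "No",
}

# The same selection as it would be loaded if MFAUsed were left unquoted.
DETECTION_UNQUOTED = dict(DETECTION_QUOTED, **{"additionalEventData.MFAUsed": False})

# Constructed CloudTrail records, trimmed to the fields the rule needs.
# evt-1: IAM user, success, no MFA            -> should alert
# evt-2: IAM user, success, MFA used          -> no alert
# evt-3: federated (AssumedRole) login, no MFA -> not an IAM user, no alert
# evt-4: IAM user, failed login, no MFA       -> no successful login, no alert
SAMPLE_EVENTS = json.loads("""[
 {"eventID": "evt-1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventID": "evt-2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventID": "evt-3", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/Admin/sso"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventID": "evt-4", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "carol"},
  "responseElements": {"ConsoleLogin": "Failure"},
  "additionalEventData": {"MFAUsed": "No"}}
]""")


def get_path(event, dotted):
    """Resolve a dotted field path such as 'userIdentity.type'; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(event, detection):
    """Sigma-style AND over the selection: every field must equal its value."""
    return all(get_path(event, field) == value for field, value in detection.items())


def run_rule(events, detection):
    """Return the eventIDs that the selection matches, in input order."""
    return [e["eventID"] for e in events if matches(e, detection)]


if __name__ == "__main__":
    print("quoted 'No'   ->", run_rule(SAMPLE_EVENTS, DETECTION_QUOTED))
    print("unquoted No   ->", run_rule(SAMPLE_EVENTS, DETECTION_UNQUOTED))
```

With the quoted string the rule fires on `evt-1` only; with the unquoted (boolean) value it fires on nothing, which is the failure mode to check for whenever a CloudTrail value looks like `Yes`, `No`, `on`, `off`, `true` or `false`.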