AWS Detections

Name Data Source Technique Type Analytic Story Date
Abnormally High Number Of Cloud Infrastructure API Calls AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Compromised User Account, Suspicious Cloud User Activities 2024-10-17
Abnormally High Number Of Cloud Instances Destroyed AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Suspicious Cloud Instance Activities 2024-10-22
Abnormally High Number Of Cloud Instances Launched AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Cloud Cryptomining, Suspicious Cloud Instance Activities 2024-10-22
Abnormally High Number Of Cloud Security Group API Calls AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Suspicious Cloud User Activities 2024-10-17
ASL AWS Concurrent Sessions From Different Ips Browser Session Hijacking Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
ASL AWS Defense Evasion Delete Cloudtrail Disable or Modify Cloud Logs Impair Defenses TTP AWS Defense Evasion 2024-09-30
ASL AWS Defense Evasion Delete CloudWatch Log Group Impair Defenses Disable or Modify Cloud Logs TTP AWS Defense Evasion 2024-09-30
ASL AWS Defense Evasion Impair Security Services Disable or Modify Cloud Logs Impair Defenses Hunting AWS Defense Evasion 2024-10-17
ASL AWS Defense Evasion Stop Logging Cloudtrail Disable or Modify Cloud Logs Impair Defenses TTP AWS Defense Evasion 2024-09-30
ASL AWS Defense Evasion Update Cloudtrail Impair Defenses Disable or Modify Cloud Logs TTP AWS Defense Evasion 2024-09-30
ASL AWS ECR Container Upload Outside Business Hours Malicious Image User Execution Anomaly Dev Sec Ops 2024-09-30
ASL AWS ECR Container Upload Unknown User Malicious Image User Execution Anomaly Dev Sec Ops 2024-09-30
ASL AWS IAM Delete Policy Account Manipulation Hunting AWS IAM Privilege Escalation 2024-10-17
ASL AWS IAM Failure Group Deletion Account Manipulation Anomaly AWS IAM Privilege Escalation 2024-10-22
ASL AWS IAM Successful Group Deletion Cloud Groups Account Manipulation Permission Groups Discovery Hunting AWS IAM Privilege Escalation 2024-10-22
ASL AWS Multi-Factor Authentication Disabled Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Modify Authentication Process Multi-Factor Authentication TTP AWS Identity and Access Management Account Takeover 2024-09-30
ASL AWS New MFA Method Registered For User Modify Authentication Process Multi-Factor Authentication TTP AWS Identity and Access Management Account Takeover 2024-10-17
AWS AMI Attribute Modification for Exfiltration AWS CloudTrail ModifyImageAttribute Transfer Data to Cloud Account TTP Data Exfiltration, Suspicious Cloud Instance Activities 2024-09-30
AWS Concurrent Sessions From Different Ips AWS CloudTrail DescribeEventAggregates Browser Session Hijacking TTP AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS Console Login Failed During MFA Challenge AWS CloudTrail ConsoleLogin Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS Create Policy Version to allow all resources AWS CloudTrail CreatePolicyVersion Cloud Accounts Valid Accounts TTP AWS IAM Privilege Escalation 2024-09-30
AWS CreateAccessKey AWS CloudTrail CreateAccessKey Cloud Account Create Account Hunting AWS IAM Privilege Escalation 2024-10-17
AWS CreateLoginProfile AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateLoginProfile Cloud Account Create Account TTP AWS IAM Privilege Escalation 2024-09-30
AWS Credential Access Failed Login AWS CloudTrail Compromise Accounts Cloud Accounts Brute Force Password Guessing TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Credential Access GetPasswordData AWS CloudTrail GetPasswordData Compromise Accounts Cloud Accounts Brute Force Password Guessing Anomaly AWS Identity and Access Management Account Takeover 2024-09-30
AWS Credential Access RDS Password reset AWS CloudTrail ModifyDBInstance Compromise Accounts Cloud Accounts Brute Force TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Cross Account Activity From Previously Unseen Account AWS CloudTrail N/A Anomaly Suspicious Cloud Authentication Activities 2024-10-17
AWS Defense Evasion Delete Cloudtrail AWS CloudTrail DeleteTrail Disable or Modify Cloud Logs Impair Defenses TTP AWS Defense Evasion 2024-09-30
AWS Defense Evasion Delete CloudWatch Log Group AWS CloudTrail DeleteLogGroup Impair Defenses Disable or Modify Cloud Logs TTP AWS Defense Evasion 2024-09-30
AWS Defense Evasion Impair Security Services AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteWebACL Disable or Modify Cloud Logs Impair Defenses Hunting AWS Defense Evasion 2024-10-17
AWS Defense Evasion PutBucketLifecycle AWS CloudTrail PutBucketLifecycle Disable or Modify Cloud Logs Impair Defenses Lifecycle-Triggered Deletion Data Destruction Hunting AWS Defense Evasion 2024-10-17
AWS Defense Evasion Stop Logging Cloudtrail AWS CloudTrail StopLogging Disable or Modify Cloud Logs Impair Defenses TTP AWS Defense Evasion 2024-09-30
AWS Defense Evasion Update Cloudtrail AWS CloudTrail UpdateTrail Impair Defenses Disable or Modify Cloud Logs TTP AWS Defense Evasion 2024-09-30
aws detect attach to role policy Valid Accounts Hunting AWS Cross Account Activity 2024-10-17
aws detect permanent key creation Valid Accounts Hunting AWS Cross Account Activity 2024-10-17
aws detect role creation Valid Accounts Hunting AWS Cross Account Activity 2024-10-17
aws detect sts assume role abuse Valid Accounts Hunting AWS Cross Account Activity 2024-10-17
aws detect sts get session token abuse Use Alternate Authentication Material Hunting AWS Cross Account Activity 2024-10-17
AWS Detect Users creating keys with encrypt policy without MFA AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy Data Encrypted for Impact TTP Ransomware Cloud 2024-09-30
AWS Detect Users with KMS keys performing encryption S3 AWS CloudTrail Data Encrypted for Impact Anomaly Ransomware Cloud 2024-09-30
AWS Disable Bucket Versioning AWS CloudTrail PutBucketVersioning Inhibit System Recovery Anomaly Data Exfiltration, Suspicious AWS S3 Activities 2024-09-30
AWS EC2 Snapshot Shared Externally AWS CloudTrail ModifySnapshotAttribute Transfer Data to Cloud Account TTP Data Exfiltration, Suspicious Cloud Instance Activities 2024-09-30
AWS ECR Container Scanning Findings High AWS CloudTrail DescribeImageScanFindings Malicious Image User Execution TTP Dev Sec Ops 2024-09-30
AWS ECR Container Scanning Findings Low Informational Unknown AWS CloudTrail DescribeImageScanFindings Malicious Image User Execution Anomaly Dev Sec Ops 2024-09-30
AWS ECR Container Scanning Findings Medium AWS CloudTrail DescribeImageScanFindings Malicious Image User Execution Anomaly Dev Sec Ops 2024-09-30
AWS ECR Container Upload Outside Business Hours AWS CloudTrail PutImage Malicious Image User Execution Anomaly Dev Sec Ops 2024-09-30
AWS ECR Container Upload Unknown User AWS CloudTrail PutImage Malicious Image User Execution Anomaly Dev Sec Ops 2024-09-30
AWS Excessive Security Scanning AWS CloudTrail Cloud Service Discovery TTP AWS User Monitoring 2024-09-30
AWS Exfiltration via Anomalous GetObject API Activity AWS CloudTrail GetObject Automated Collection Anomaly Data Exfiltration 2024-09-30
AWS Exfiltration via Batch Service AWS CloudTrail JobCreated Automated Collection TTP Data Exfiltration 2024-09-30
AWS Exfiltration via Bucket Replication AWS CloudTrail PutBucketReplication Transfer Data to Cloud Account TTP Data Exfiltration, Suspicious AWS S3 Activities 2024-09-30
AWS Exfiltration via DataSync Task AWS CloudTrail CreateTask Automated Collection TTP Data Exfiltration, Suspicious AWS S3 Activities 2024-09-30
AWS Exfiltration via EC2 Snapshot AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifySnapshotAttribute Transfer Data to Cloud Account TTP Data Exfiltration, Suspicious Cloud Instance Activities 2024-09-30
AWS High Number Of Failed Authentications For User AWS CloudTrail ConsoleLogin Password Policy Discovery Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS High Number Of Failed Authentications From Ip AWS CloudTrail ConsoleLogin Brute Force Password Spraying Credential Stuffing Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS IAM AccessDenied Discovery Events AWS CloudTrail Cloud Infrastructure Discovery Anomaly Suspicious Cloud User Activities 2024-09-30
AWS IAM Assume Role Policy Brute Force AWS CloudTrail Cloud Infrastructure Discovery Brute Force TTP AWS IAM Privilege Escalation 2024-09-30
AWS IAM Delete Policy AWS CloudTrail DeletePolicy Account Manipulation Hunting AWS IAM Privilege Escalation 2024-10-17
AWS IAM Failure Group Deletion AWS CloudTrail DeleteGroup Account Manipulation Anomaly AWS IAM Privilege Escalation 2024-10-22
AWS IAM Successful Group Deletion AWS CloudTrail DeleteGroup Cloud Groups Account Manipulation Permission Groups Discovery Hunting AWS IAM Privilege Escalation 2024-10-22
AWS Lambda UpdateFunctionCode AWS CloudTrail User Execution Hunting Suspicious Cloud User Activities 2024-10-22
AWS Multi-Factor Authentication Disabled AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Modify Authentication Process Multi-Factor Authentication TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Multiple Failed MFA Requests For User AWS CloudTrail ConsoleLogin Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Anomaly AWS Identity and Access Management Account Takeover 2024-09-30
AWS Multiple Users Failing To Authenticate From Ip AWS CloudTrail ConsoleLogin Brute Force Password Spraying Credential Stuffing Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-10-16
AWS Network Access Control List Created with All Open Ports AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry Disable or Modify Cloud Firewall Impair Defenses TTP AWS Network ACL Activity 2024-09-30
AWS Network Access Control List Deleted AWS CloudTrail DeleteNetworkAclEntry Disable or Modify Cloud Firewall Impair Defenses Anomaly AWS Network ACL Activity 2024-09-30
AWS New MFA Method Registered For User AWS CloudTrail CreateVirtualMFADevice Modify Authentication Process Multi-Factor Authentication TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Password Policy Changes AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy Password Policy Discovery Hunting AWS IAM Privilege Escalation, Compromised User Account 2024-10-17
AWS S3 Exfiltration Behavior Identified Transfer Data to Cloud Account Correlation Data Exfiltration, Suspicious Cloud Instance Activities 2024-09-30
AWS SAML Access by Provider User and Principal AWS CloudTrail AssumeRoleWithSAML Valid Accounts Anomaly Cloud Federated Credential Abuse 2024-09-30
AWS SAML Update identity provider AWS CloudTrail UpdateSAMLProvider Valid Accounts TTP Cloud Federated Credential Abuse 2024-09-30
AWS SetDefaultPolicyVersion AWS CloudTrail SetDefaultPolicyVersion Cloud Accounts Valid Accounts TTP AWS IAM Privilege Escalation 2024-09-30
AWS Successful Console Authentication From Multiple IPs AWS CloudTrail ConsoleLogin Compromise Accounts Unused/Unsupported Cloud Regions Anomaly Compromised User Account, Suspicious AWS Login Activities 2024-09-30
AWS Successful Single-Factor Authentication AWS CloudTrail ConsoleLogin Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Unusual Number of Failed Authentications From Ip AWS CloudTrail ConsoleLogin Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Anomaly AWS Identity and Access Management Account Takeover 2024-09-30
AWS UpdateLoginProfile AWS CloudTrail UpdateLoginProfile Cloud Account Create Account TTP AWS IAM Privilege Escalation 2024-09-30
Cloud API Calls From Previously Unseen User Roles AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud User Activities 2024-10-17
Cloud Compute Instance Created By Previously Unseen User AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Cloud Cryptomining 2024-10-17
Cloud Compute Instance Created In Previously Unused Region AWS CloudTrail Unused/Unsupported Cloud Regions Anomaly Cloud Cryptomining 2024-10-17
Cloud Compute Instance Created With Previously Unseen Image AWS CloudTrail N/A Anomaly Cloud Cryptomining 2024-10-17
Cloud Compute Instance Created With Previously Unseen Instance Type AWS CloudTrail N/A Anomaly Cloud Cryptomining 2024-10-17
Cloud Instance Modified By Previously Unseen User AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Suspicious Cloud Instance Activities 2024-10-17
Cloud Provisioning Activity From Previously Unseen City AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Provisioning Activity From Previously Unseen Country AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Provisioning Activity From Previously Unseen IP Address AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Provisioning Activity From Previously Unseen Region AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Security Groups Modifications by User AWS CloudTrail Modify Cloud Compute Configurations Anomaly Suspicious Cloud User Activities 2024-09-30
Detect AWS Console Login by New User AWS CloudTrail Compromise Accounts Cloud Accounts Unsecured Credentials Hunting AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities 2024-10-17
Detect AWS Console Login by User from New City AWS CloudTrail Compromise Accounts Cloud Accounts Unused/Unsupported Cloud Regions Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-10-17
Detect AWS Console Login by User from New Country AWS CloudTrail Compromise Accounts Cloud Accounts Unused/Unsupported Cloud Regions Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-10-17
Detect AWS Console Login by User from New Region AWS CloudTrail Compromise Accounts Cloud Accounts Unused/Unsupported Cloud Regions Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-10-17
Detect New Open S3 buckets AWS CloudTrail Data from Cloud Storage TTP Suspicious AWS S3 Activities 2024-09-30
Detect New Open S3 Buckets over AWS CLI AWS CloudTrail Data from Cloud Storage TTP Suspicious AWS S3 Activities 2024-09-30
Detect Spike in AWS Security Hub Alerts for EC2 Instance AWS Security Hub N/A Anomaly AWS Security Hub Alerts, Critical Alerts 2024-10-09
Detect Spike in AWS Security Hub Alerts for User AWS Security Hub N/A Anomaly AWS Security Hub Alerts, Critical Alerts 2024-10-09
Detect Spike in blocked Outbound Traffic from your AWS N/A Anomaly AWS Network ACL Activity, Command And Control, Suspicious AWS Traffic 2024-10-17
Detect Spike in S3 Bucket deletion AWS CloudTrail Data from Cloud Storage Anomaly Suspicious AWS S3 Activities 2024-10-17
Abnormally High AWS Instances Launched by User Cloud Accounts Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
Abnormally High AWS Instances Launched by User - MLTK Cloud Accounts Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
Abnormally High AWS Instances Terminated by User Cloud Accounts Anomaly Suspicious AWS EC2 Activities 2024-10-17
Abnormally High AWS Instances Terminated by User - MLTK Cloud Accounts Anomaly Suspicious AWS EC2 Activities 2024-10-17
ASL AWS CreateAccessKey Valid Accounts Hunting AWS IAM Privilege Escalation 2024-10-17
ASL AWS Excessive Security Scanning Cloud Service Discovery Anomaly AWS User Monitoring 2024-10-17
ASL AWS Password Policy Changes Password Policy Discovery Hunting AWS IAM Privilege Escalation, Compromised User Account 2024-10-17
AWS Cloud Provisioning From Previously Unseen City Unused/Unsupported Cloud Regions Anomaly AWS Suspicious Provisioning Activities 2024-10-17
AWS Cloud Provisioning From Previously Unseen Country Unused/Unsupported Cloud Regions Anomaly AWS Suspicious Provisioning Activities 2024-10-17
AWS Cloud Provisioning From Previously Unseen IP Address N/A Anomaly AWS Suspicious Provisioning Activities 2024-10-17
AWS Cloud Provisioning From Previously Unseen Region Unused/Unsupported Cloud Regions Anomaly AWS Suspicious Provisioning Activities 2024-10-17
Detect AWS API Activities From Unapproved Accounts Cloud Accounts Hunting AWS User Monitoring 2024-10-17
Detect new user AWS Console Login Cloud Accounts Hunting Suspicious AWS Login Activities 2024-10-17
Detect Spike in AWS API Activity Cloud Accounts Anomaly AWS User Monitoring 2024-10-17
Internal Horizontal Port Scan AWS CloudWatchLogs VPCflow Network Service Discovery TTP Network Discovery 2024-09-30
Internal Horizontal Port Scan NMAP Top 20 AWS CloudWatchLogs VPCflow Network Service Discovery TTP Network Discovery 2024-09-25
Internal Vertical Port Scan AWS CloudWatchLogs VPCflow Network Service Discovery TTP Network Discovery 2024-09-30