AWS Detections

Name	Data Source	Technique	Type	Analytic Story	Date
Abnormally High Number Of Cloud Infrastructure API Calls	AWS CloudTrail	Cloud Accounts Valid Accounts	Anomaly	Compromised User Account, Suspicious Cloud User Activities	2024-10-17
Abnormally High Number Of Cloud Instances Destroyed	AWS CloudTrail	Cloud Accounts Valid Accounts	Anomaly	Suspicious Cloud Instance Activities	2024-10-22
Abnormally High Number Of Cloud Instances Launched	AWS CloudTrail	Cloud Accounts Valid Accounts	Anomaly	Cloud Cryptomining, Suspicious Cloud Instance Activities	2024-10-22
Abnormally High Number Of Cloud Security Group API Calls	AWS CloudTrail	Cloud Accounts Valid Accounts	Anomaly	Suspicious Cloud User Activities	2024-10-17
ASL AWS Concurrent Sessions From Different Ips		Browser Session Hijacking	Anomaly	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-09-30
ASL AWS Defense Evasion Delete Cloudtrail		Disable or Modify Cloud Logs Impair Defenses	TTP	AWS Defense Evasion	2024-09-30
ASL AWS Defense Evasion Delete CloudWatch Log Group		Impair Defenses Disable or Modify Cloud Logs	TTP	AWS Defense Evasion	2024-09-30
ASL AWS Defense Evasion Impair Security Services		Disable or Modify Cloud Logs Impair Defenses	Hunting	AWS Defense Evasion	2024-10-17
ASL AWS Defense Evasion Stop Logging Cloudtrail		Disable or Modify Cloud Logs Impair Defenses	TTP	AWS Defense Evasion	2024-09-30
ASL AWS Defense Evasion Update Cloudtrail		Impair Defenses Disable or Modify Cloud Logs	TTP	AWS Defense Evasion	2024-09-30
ASL AWS ECR Container Upload Outside Business Hours		Malicious Image User Execution	Anomaly	Dev Sec Ops	2024-09-30
ASL AWS ECR Container Upload Unknown User		Malicious Image User Execution	Anomaly	Dev Sec Ops	2024-09-30
ASL AWS IAM Delete Policy		Account Manipulation	Hunting	AWS IAM Privilege Escalation	2024-10-17
ASL AWS IAM Failure Group Deletion		Account Manipulation	Anomaly	AWS IAM Privilege Escalation	2024-10-22
ASL AWS IAM Successful Group Deletion		Cloud Groups Account Manipulation Permission Groups Discovery	Hunting	AWS IAM Privilege Escalation	2024-10-22
ASL AWS Multi-Factor Authentication Disabled		Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Modify Authentication Process Multi-Factor Authentication	TTP	AWS Identity and Access Management Account Takeover	2024-09-30
ASL AWS New MFA Method Registered For User		Modify Authentication Process Multi-Factor Authentication	TTP	AWS Identity and Access Management Account Takeover	2024-10-17
AWS AMI Attribute Modification for Exfiltration	AWS CloudTrail ModifyImageAttribute	Transfer Data to Cloud Account	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2024-09-30
AWS Concurrent Sessions From Different Ips	AWS CloudTrail DescribeEventAggregates	Browser Session Hijacking	TTP	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-09-30
AWS Console Login Failed During MFA Challenge	AWS CloudTrail ConsoleLogin	Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation	TTP	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-09-30
AWS Create Policy Version to allow all resources	AWS CloudTrail CreatePolicyVersion	Cloud Accounts Valid Accounts	TTP	AWS IAM Privilege Escalation	2024-09-30
AWS CreateAccessKey	AWS CloudTrail CreateAccessKey	Cloud Account Create Account	Hunting	AWS IAM Privilege Escalation	2024-10-17
AWS CreateLoginProfile	AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateLoginProfile	Cloud Account Create Account	TTP	AWS IAM Privilege Escalation	2024-09-30
AWS Credential Access Failed Login	AWS CloudTrail	Compromise Accounts Cloud Accounts Brute Force Password Guessing	TTP	AWS Identity and Access Management Account Takeover	2024-09-30
AWS Credential Access GetPasswordData	AWS CloudTrail GetPasswordData	Compromise Accounts Cloud Accounts Brute Force Password Guessing	Anomaly	AWS Identity and Access Management Account Takeover	2024-09-30
AWS Credential Access RDS Password reset	AWS CloudTrail ModifyDBInstance	Compromise Accounts Cloud Accounts Brute Force	TTP	AWS Identity and Access Management Account Takeover	2024-09-30
AWS Cross Account Activity From Previously Unseen Account	AWS CloudTrail	N/A	Anomaly	Suspicious Cloud Authentication Activities	2024-10-17
AWS Defense Evasion Delete Cloudtrail	AWS CloudTrail DeleteTrail	Disable or Modify Cloud Logs Impair Defenses	TTP	AWS Defense Evasion	2024-09-30
AWS Defense Evasion Delete CloudWatch Log Group	AWS CloudTrail DeleteLogGroup	Impair Defenses Disable or Modify Cloud Logs	TTP	AWS Defense Evasion	2024-09-30
AWS Defense Evasion Impair Security Services	AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteWebACL	Disable or Modify Cloud Logs Impair Defenses	Hunting	AWS Defense Evasion	2024-10-17
AWS Defense Evasion PutBucketLifecycle	AWS CloudTrail PutBucketLifecycle	Disable or Modify Cloud Logs Impair Defenses Lifecycle-Triggered Deletion Data Destruction	Hunting	AWS Defense Evasion	2024-10-17
AWS Defense Evasion Stop Logging Cloudtrail	AWS CloudTrail StopLogging	Disable or Modify Cloud Logs Impair Defenses	TTP	AWS Defense Evasion	2024-09-30
AWS Defense Evasion Update Cloudtrail	AWS CloudTrail UpdateTrail	Impair Defenses Disable or Modify Cloud Logs	TTP	AWS Defense Evasion	2024-09-30
aws detect attach to role policy		Valid Accounts	Hunting	AWS Cross Account Activity	2024-10-17
aws detect permanent key creation		Valid Accounts	Hunting	AWS Cross Account Activity	2024-10-17
aws detect role creation		Valid Accounts	Hunting	AWS Cross Account Activity	2024-10-17
aws detect sts assume role abuse		Valid Accounts	Hunting	AWS Cross Account Activity	2024-10-17
aws detect sts get session token abuse		Use Alternate Authentication Material	Hunting	AWS Cross Account Activity	2024-10-17
AWS Detect Users creating keys with encrypt policy without MFA	AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy	Data Encrypted for Impact	TTP	Ransomware Cloud	2024-09-30
AWS Detect Users with KMS keys performing encryption S3	AWS CloudTrail	Data Encrypted for Impact	Anomaly	Ransomware Cloud	2024-09-30
AWS Disable Bucket Versioning	AWS CloudTrail PutBucketVersioning	Inhibit System Recovery	Anomaly	Data Exfiltration, Suspicious AWS S3 Activities	2024-09-30
AWS EC2 Snapshot Shared Externally	AWS CloudTrail ModifySnapshotAttribute	Transfer Data to Cloud Account	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2024-09-30
AWS ECR Container Scanning Findings High	AWS CloudTrail DescribeImageScanFindings	Malicious Image User Execution	TTP	Dev Sec Ops	2024-09-30
AWS ECR Container Scanning Findings Low Informational Unknown	AWS CloudTrail DescribeImageScanFindings	Malicious Image User Execution	Anomaly	Dev Sec Ops	2024-09-30
AWS ECR Container Scanning Findings Medium	AWS CloudTrail DescribeImageScanFindings	Malicious Image User Execution	Anomaly	Dev Sec Ops	2024-09-30
AWS ECR Container Upload Outside Business Hours	AWS CloudTrail PutImage	Malicious Image User Execution	Anomaly	Dev Sec Ops	2024-09-30
AWS ECR Container Upload Unknown User	AWS CloudTrail PutImage	Malicious Image User Execution	Anomaly	Dev Sec Ops	2024-09-30
AWS Excessive Security Scanning	AWS CloudTrail	Cloud Service Discovery	TTP	AWS User Monitoring	2024-09-30
AWS Exfiltration via Anomalous GetObject API Activity	AWS CloudTrail GetObject	Automated Collection	Anomaly	Data Exfiltration	2024-09-30
AWS Exfiltration via Batch Service	AWS CloudTrail JobCreated	Automated Collection	TTP	Data Exfiltration	2024-09-30
AWS Exfiltration via Bucket Replication	AWS CloudTrail PutBucketReplication	Transfer Data to Cloud Account	TTP	Data Exfiltration, Suspicious AWS S3 Activities	2024-09-30
AWS Exfiltration via DataSync Task	AWS CloudTrail CreateTask	Automated Collection	TTP	Data Exfiltration, Suspicious AWS S3 Activities	2024-09-30
AWS Exfiltration via EC2 Snapshot	AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifySnapshotAttribute	Transfer Data to Cloud Account	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2024-09-30
AWS High Number Of Failed Authentications For User	AWS CloudTrail ConsoleLogin	Password Policy Discovery	Anomaly	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-09-30
AWS High Number Of Failed Authentications From Ip	AWS CloudTrail ConsoleLogin	Brute Force Password Spraying Credential Stuffing	Anomaly	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-09-30
AWS IAM AccessDenied Discovery Events	AWS CloudTrail	Cloud Infrastructure Discovery	Anomaly	Suspicious Cloud User Activities	2024-09-30
AWS IAM Assume Role Policy Brute Force	AWS CloudTrail	Cloud Infrastructure Discovery Brute Force	TTP	AWS IAM Privilege Escalation	2024-09-30
AWS IAM Delete Policy	AWS CloudTrail DeletePolicy	Account Manipulation	Hunting	AWS IAM Privilege Escalation	2024-10-17
AWS IAM Failure Group Deletion	AWS CloudTrail DeleteGroup	Account Manipulation	Anomaly	AWS IAM Privilege Escalation	2024-10-22
AWS IAM Successful Group Deletion	AWS CloudTrail DeleteGroup	Cloud Groups Account Manipulation Permission Groups Discovery	Hunting	AWS IAM Privilege Escalation	2024-10-22
AWS Lambda UpdateFunctionCode	AWS CloudTrail	User Execution	Hunting	Suspicious Cloud User Activities	2024-10-22
AWS Multi-Factor Authentication Disabled	AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice	Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Modify Authentication Process Multi-Factor Authentication	TTP	AWS Identity and Access Management Account Takeover	2024-09-30
AWS Multiple Failed MFA Requests For User	AWS CloudTrail ConsoleLogin	Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation	Anomaly	AWS Identity and Access Management Account Takeover	2024-09-30
AWS Multiple Users Failing To Authenticate From Ip	AWS CloudTrail ConsoleLogin	Brute Force Password Spraying Credential Stuffing	Anomaly	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-10-16
AWS Network Access Control List Created with All Open Ports	AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry	Disable or Modify Cloud Firewall Impair Defenses	TTP	AWS Network ACL Activity	2024-09-30
AWS Network Access Control List Deleted	AWS CloudTrail DeleteNetworkAclEntry	Disable or Modify Cloud Firewall Impair Defenses	Anomaly	AWS Network ACL Activity	2024-09-30
AWS New MFA Method Registered For User	AWS CloudTrail CreateVirtualMFADevice	Modify Authentication Process Multi-Factor Authentication	TTP	AWS Identity and Access Management Account Takeover	2024-09-30
AWS Password Policy Changes	AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy	Password Policy Discovery	Hunting	AWS IAM Privilege Escalation, Compromised User Account	2024-10-17
AWS S3 Exfiltration Behavior Identified		Transfer Data to Cloud Account	Correlation	Data Exfiltration, Suspicious Cloud Instance Activities	2024-09-30
AWS SAML Access by Provider User and Principal	AWS CloudTrail AssumeRoleWithSAML	Valid Accounts	Anomaly	Cloud Federated Credential Abuse	2024-09-30
AWS SAML Update identity provider	AWS CloudTrail UpdateSAMLProvider	Valid Accounts	TTP	Cloud Federated Credential Abuse	2024-09-30
AWS SetDefaultPolicyVersion	AWS CloudTrail SetDefaultPolicyVersion	Cloud Accounts Valid Accounts	TTP	AWS IAM Privilege Escalation	2024-09-30
AWS Successful Console Authentication From Multiple IPs	AWS CloudTrail ConsoleLogin	Compromise Accounts Unused/Unsupported Cloud Regions	Anomaly	Compromised User Account, Suspicious AWS Login Activities	2024-09-30
AWS Successful Single-Factor Authentication	AWS CloudTrail ConsoleLogin	Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts	TTP	AWS Identity and Access Management Account Takeover	2024-09-30
AWS Unusual Number of Failed Authentications From Ip	AWS CloudTrail ConsoleLogin	Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing	Anomaly	AWS Identity and Access Management Account Takeover	2024-09-30
AWS UpdateLoginProfile	AWS CloudTrail UpdateLoginProfile	Cloud Account Create Account	TTP	AWS IAM Privilege Escalation	2024-09-30
Cloud API Calls From Previously Unseen User Roles	AWS CloudTrail	Valid Accounts	Anomaly	Suspicious Cloud User Activities	2024-10-17
Cloud Compute Instance Created By Previously Unseen User	AWS CloudTrail	Cloud Accounts Valid Accounts	Anomaly	Cloud Cryptomining	2024-10-17
Cloud Compute Instance Created In Previously Unused Region	AWS CloudTrail	Unused/Unsupported Cloud Regions	Anomaly	Cloud Cryptomining	2024-10-17
Cloud Compute Instance Created With Previously Unseen Image	AWS CloudTrail	N/A	Anomaly	Cloud Cryptomining	2024-10-17
Cloud Compute Instance Created With Previously Unseen Instance Type	AWS CloudTrail	N/A	Anomaly	Cloud Cryptomining	2024-10-17
Cloud Instance Modified By Previously Unseen User	AWS CloudTrail	Cloud Accounts Valid Accounts	Anomaly	Suspicious Cloud Instance Activities	2024-10-17
Cloud Provisioning Activity From Previously Unseen City	AWS CloudTrail	Valid Accounts	Anomaly	Suspicious Cloud Provisioning Activities	2024-09-30
Cloud Provisioning Activity From Previously Unseen Country	AWS CloudTrail	Valid Accounts	Anomaly	Suspicious Cloud Provisioning Activities	2024-09-30
Cloud Provisioning Activity From Previously Unseen IP Address	AWS CloudTrail	Valid Accounts	Anomaly	Suspicious Cloud Provisioning Activities	2024-09-30
Cloud Provisioning Activity From Previously Unseen Region	AWS CloudTrail	Valid Accounts	Anomaly	Suspicious Cloud Provisioning Activities	2024-09-30
Cloud Security Groups Modifications by User	AWS CloudTrail	Modify Cloud Compute Configurations	Anomaly	Suspicious Cloud User Activities	2024-09-30
Detect AWS Console Login by New User	AWS CloudTrail	Compromise Accounts Cloud Accounts Unsecured Credentials	Hunting	AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities	2024-10-17
Detect AWS Console Login by User from New City	AWS CloudTrail	Compromise Accounts Cloud Accounts Unused/Unsupported Cloud Regions	Hunting	AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities	2024-10-17
Detect AWS Console Login by User from New Country	AWS CloudTrail	Compromise Accounts Cloud Accounts Unused/Unsupported Cloud Regions	Hunting	AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities	2024-10-17
Detect AWS Console Login by User from New Region	AWS CloudTrail	Compromise Accounts Cloud Accounts Unused/Unsupported Cloud Regions	Hunting	AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities	2024-10-17
Detect New Open S3 buckets	AWS CloudTrail	Data from Cloud Storage	TTP	Suspicious AWS S3 Activities	2024-09-30
Detect New Open S3 Buckets over AWS CLI	AWS CloudTrail	Data from Cloud Storage	TTP	Suspicious AWS S3 Activities	2024-09-30
Detect Spike in AWS Security Hub Alerts for EC2 Instance	AWS Security Hub	N/A	Anomaly	AWS Security Hub Alerts, Critical Alerts	2024-10-09
Detect Spike in AWS Security Hub Alerts for User	AWS Security Hub	N/A	Anomaly	AWS Security Hub Alerts, Critical Alerts	2024-10-09
Detect Spike in blocked Outbound Traffic from your AWS		N/A	Anomaly	AWS Network ACL Activity, Command And Control, Suspicious AWS Traffic	2024-10-17
Detect Spike in S3 Bucket deletion	AWS CloudTrail	Data from Cloud Storage	Anomaly	Suspicious AWS S3 Activities	2024-10-17
Abnormally High AWS Instances Launched by User		Cloud Accounts	Anomaly	AWS Cryptomining, Suspicious AWS EC2 Activities	2024-10-17
Abnormally High AWS Instances Launched by User - MLTK		Cloud Accounts	Anomaly	AWS Cryptomining, Suspicious AWS EC2 Activities	2024-10-17
Abnormally High AWS Instances Terminated by User		Cloud Accounts	Anomaly	Suspicious AWS EC2 Activities	2024-10-17
Abnormally High AWS Instances Terminated by User - MLTK		Cloud Accounts	Anomaly	Suspicious AWS EC2 Activities	2024-10-17
ASL AWS CreateAccessKey		Valid Accounts	Hunting	AWS IAM Privilege Escalation	2024-10-17
ASL AWS Excessive Security Scanning		Cloud Service Discovery	Anomaly	AWS User Monitoring	2024-10-17
ASL AWS Password Policy Changes		Password Policy Discovery	Hunting	AWS IAM Privilege Escalation, Compromised User Account	2024-10-17
AWS Cloud Provisioning From Previously Unseen City		Unused/Unsupported Cloud Regions	Anomaly	AWS Suspicious Provisioning Activities	2024-10-17
AWS Cloud Provisioning From Previously Unseen Country		Unused/Unsupported Cloud Regions	Anomaly	AWS Suspicious Provisioning Activities	2024-10-17
AWS Cloud Provisioning From Previously Unseen IP Address		N/A	Anomaly	AWS Suspicious Provisioning Activities	2024-10-17
AWS Cloud Provisioning From Previously Unseen Region		Unused/Unsupported Cloud Regions	Anomaly	AWS Suspicious Provisioning Activities	2024-10-17
Detect AWS API Activities From Unapproved Accounts		Cloud Accounts	Hunting	AWS User Monitoring	2024-10-17
Detect new user AWS Console Login		Cloud Accounts	Hunting	Suspicious AWS Login Activities	2024-10-17
Detect Spike in AWS API Activity		Cloud Accounts	Anomaly	AWS User Monitoring	2024-10-17
Internal Horizontal Port Scan	AWS CloudWatchLogs VPCflow	Network Service Discovery	TTP	Network Discovery	2024-09-30
Internal Horizontal Port Scan NMAP Top 20	AWS CloudWatchLogs VPCflow	Network Service Discovery	TTP	Network Discovery	2024-09-25
Internal Vertical Port Scan	AWS CloudWatchLogs VPCflow	Network Service Discovery	TTP	Network Discovery	2024-09-30