| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Abnormally High Number Of Cloud Infrastructure API Calls | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Compromised User Account, Suspicious Cloud User Activities | 2024-10-17 |
| Abnormally High Number Of Cloud Instances Destroyed | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Suspicious Cloud Instance Activities | 2024-10-22 |
| Abnormally High Number Of Cloud Instances Launched | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Cloud Cryptomining, Suspicious Cloud Instance Activities | 2024-10-22 |
| Abnormally High Number Of Cloud Security Group API Calls | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Suspicious Cloud User Activities | 2024-10-17 |
| ASL AWS Concurrent Sessions From Different Ips | | Browser Session Hijacking | Anomaly | AWS Identity and Access Management Account Takeover, Compromised User Account | 2024-09-30 |
| ASL AWS Defense Evasion Delete Cloudtrail | | Disable or Modify Cloud Logs, Impair Defenses | TTP | AWS Defense Evasion | 2024-09-30 |
| ASL AWS Defense Evasion Delete CloudWatch Log Group | | Impair Defenses, Disable or Modify Cloud Logs | TTP | AWS Defense Evasion | 2024-09-30 |
| ASL AWS Defense Evasion Impair Security Services | | Disable or Modify Cloud Logs, Impair Defenses | Hunting | AWS Defense Evasion | 2024-10-17 |
| ASL AWS Defense Evasion Stop Logging Cloudtrail | | Disable or Modify Cloud Logs, Impair Defenses | TTP | AWS Defense Evasion | 2024-09-30 |
| ASL AWS Defense Evasion Update Cloudtrail | | Impair Defenses, Disable or Modify Cloud Logs | TTP | AWS Defense Evasion | 2024-09-30 |
| ASL AWS ECR Container Upload Outside Business Hours | | Malicious Image, User Execution | Anomaly | Dev Sec Ops | 2024-09-30 |
| ASL AWS ECR Container Upload Unknown User | | Malicious Image, User Execution | Anomaly | Dev Sec Ops | 2024-09-30 |
| ASL AWS IAM Delete Policy | | Account Manipulation | Hunting | AWS IAM Privilege Escalation | 2024-10-17 |
| ASL AWS IAM Failure Group Deletion | | Account Manipulation | Anomaly | AWS IAM Privilege Escalation | 2024-10-22 |
| ASL AWS IAM Successful Group Deletion | | Cloud Groups, Account Manipulation, Permission Groups Discovery | Hunting | AWS IAM Privilege Escalation | 2024-10-22 |
| ASL AWS Multi-Factor Authentication Disabled | | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication | TTP | AWS Identity and Access Management Account Takeover | 2024-09-30 |
| ASL AWS New MFA Method Registered For User | | Modify Authentication Process, Multi-Factor Authentication | TTP | AWS Identity and Access Management Account Takeover | 2024-10-17 |
| AWS AMI Attribute Modification for Exfiltration | AWS CloudTrail ModifyImageAttribute | Transfer Data to Cloud Account | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2024-09-30 |
| AWS Concurrent Sessions From Different Ips | AWS CloudTrail DescribeEventAggregates | Browser Session Hijacking | TTP | AWS Identity and Access Management Account Takeover, Compromised User Account | 2024-09-30 |
| AWS Console Login Failed During MFA Challenge | AWS CloudTrail ConsoleLogin | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | AWS Identity and Access Management Account Takeover, Compromised User Account | 2024-09-30 |
| AWS Create Policy Version to allow all resources | AWS CloudTrail CreatePolicyVersion | Cloud Accounts, Valid Accounts | TTP | AWS IAM Privilege Escalation | 2024-09-30 |
| AWS CreateAccessKey | AWS CloudTrail CreateAccessKey | Cloud Account, Create Account | Hunting | AWS IAM Privilege Escalation | 2024-10-17 |
| AWS CreateLoginProfile | AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateLoginProfile | Cloud Account, Create Account | TTP | AWS IAM Privilege Escalation | 2024-09-30 |
| AWS Credential Access Failed Login | AWS CloudTrail | Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing | TTP | AWS Identity and Access Management Account Takeover | 2024-09-30 |
| AWS Credential Access GetPasswordData | AWS CloudTrail GetPasswordData | Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing | Anomaly | AWS Identity and Access Management Account Takeover | 2024-09-30 |
| AWS Credential Access RDS Password reset | AWS CloudTrail ModifyDBInstance | Compromise Accounts, Cloud Accounts, Brute Force | TTP | AWS Identity and Access Management Account Takeover | 2024-09-30 |
| AWS Cross Account Activity From Previously Unseen Account | AWS CloudTrail | N/A | Anomaly | Suspicious Cloud Authentication Activities | 2024-10-17 |
| AWS Defense Evasion Delete Cloudtrail | AWS CloudTrail DeleteTrail | Disable or Modify Cloud Logs, Impair Defenses | TTP | AWS Defense Evasion | 2024-09-30 |
| AWS Defense Evasion Delete CloudWatch Log Group | AWS CloudTrail DeleteLogGroup | Impair Defenses, Disable or Modify Cloud Logs | TTP | AWS Defense Evasion | 2024-09-30 |
| AWS Defense Evasion Impair Security Services | AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteWebACL | Disable or Modify Cloud Logs, Impair Defenses | Hunting | AWS Defense Evasion | 2024-10-17 |
| AWS Defense Evasion PutBucketLifecycle | AWS CloudTrail PutBucketLifecycle | Disable or Modify Cloud Logs, Impair Defenses, Lifecycle-Triggered Deletion, Data Destruction | Hunting | AWS Defense Evasion | 2024-10-17 |
| AWS Defense Evasion Stop Logging Cloudtrail | AWS CloudTrail StopLogging | Disable or Modify Cloud Logs, Impair Defenses | TTP | AWS Defense Evasion | 2024-09-30 |
| AWS Defense Evasion Update Cloudtrail | AWS CloudTrail UpdateTrail | Impair Defenses, Disable or Modify Cloud Logs | TTP | AWS Defense Evasion | 2024-09-30 |
| aws detect attach to role policy | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-10-17 |
| aws detect permanent key creation | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-10-17 |
| aws detect role creation | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-10-17 |
| aws detect sts assume role abuse | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-10-17 |
| aws detect sts get session token abuse | | Use Alternate Authentication Material | Hunting | AWS Cross Account Activity | 2024-10-17 |
| AWS Detect Users creating keys with encrypt policy without MFA | AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy | Data Encrypted for Impact | TTP | Ransomware Cloud | 2024-09-30 |
| AWS Detect Users with KMS keys performing encryption S3 | AWS CloudTrail | Data Encrypted for Impact | Anomaly | Ransomware Cloud | 2024-09-30 |
| AWS Disable Bucket Versioning | AWS CloudTrail PutBucketVersioning | Inhibit System Recovery | Anomaly | Data Exfiltration, Suspicious AWS S3 Activities | 2024-09-30 |
| AWS EC2 Snapshot Shared Externally | AWS CloudTrail ModifySnapshotAttribute | Transfer Data to Cloud Account | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2024-09-30 |
| AWS ECR Container Scanning Findings High | AWS CloudTrail DescribeImageScanFindings | Malicious Image, User Execution | TTP | Dev Sec Ops | 2024-09-30 |
| AWS ECR Container Scanning Findings Low Informational Unknown | AWS CloudTrail DescribeImageScanFindings | Malicious Image, User Execution | Anomaly | Dev Sec Ops | 2024-09-30 |
| AWS ECR Container Scanning Findings Medium | AWS CloudTrail DescribeImageScanFindings | Malicious Image, User Execution | Anomaly | Dev Sec Ops | 2024-09-30 |
| AWS ECR Container Upload Outside Business Hours | AWS CloudTrail PutImage | Malicious Image, User Execution | Anomaly | Dev Sec Ops | 2024-09-30 |
| AWS ECR Container Upload Unknown User | AWS CloudTrail PutImage | Malicious Image, User Execution | Anomaly | Dev Sec Ops | 2024-09-30 |
| AWS Excessive Security Scanning | AWS CloudTrail | Cloud Service Discovery | TTP | AWS User Monitoring | 2024-09-30 |
| AWS Exfiltration via Anomalous GetObject API Activity | AWS CloudTrail GetObject | Automated Collection | Anomaly | Data Exfiltration | 2024-09-30 |
| AWS Exfiltration via Batch Service | AWS CloudTrail JobCreated | Automated Collection | TTP | Data Exfiltration | 2024-09-30 |
| AWS Exfiltration via Bucket Replication | AWS CloudTrail PutBucketReplication | Transfer Data to Cloud Account | TTP | Data Exfiltration, Suspicious AWS S3 Activities | 2024-09-30 |
| AWS Exfiltration via DataSync Task | AWS CloudTrail CreateTask | Automated Collection | TTP | Data Exfiltration, Suspicious AWS S3 Activities | 2024-09-30 |
| AWS Exfiltration via EC2 Snapshot | AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifySnapshotAttribute | Transfer Data to Cloud Account | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2024-09-30 |
| AWS High Number Of Failed Authentications For User | AWS CloudTrail ConsoleLogin | Password Policy Discovery | Anomaly | AWS Identity and Access Management Account Takeover, Compromised User Account | 2024-09-30 |
| AWS High Number Of Failed Authentications From Ip | AWS CloudTrail ConsoleLogin | Brute Force, Password Spraying, Credential Stuffing | Anomaly | AWS Identity and Access Management Account Takeover, Compromised User Account | 2024-09-30 |
| AWS IAM AccessDenied Discovery Events | AWS CloudTrail | Cloud Infrastructure Discovery | Anomaly | Suspicious Cloud User Activities | 2024-09-30 |
| AWS IAM Assume Role Policy Brute Force | AWS CloudTrail | Cloud Infrastructure Discovery, Brute Force | TTP | AWS IAM Privilege Escalation | 2024-09-30 |
| AWS IAM Delete Policy | AWS CloudTrail DeletePolicy | Account Manipulation | Hunting | AWS IAM Privilege Escalation | 2024-10-17 |
| AWS IAM Failure Group Deletion | AWS CloudTrail DeleteGroup | Account Manipulation | Anomaly | AWS IAM Privilege Escalation | 2024-10-22 |
| AWS IAM Successful Group Deletion | AWS CloudTrail DeleteGroup | Cloud Groups, Account Manipulation, Permission Groups Discovery | Hunting | AWS IAM Privilege Escalation | 2024-10-22 |
| AWS Lambda UpdateFunctionCode | AWS CloudTrail | User Execution | Hunting | Suspicious Cloud User Activities | 2024-10-22 |
| AWS Multi-Factor Authentication Disabled | AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication | TTP | AWS Identity and Access Management Account Takeover | 2024-09-30 |
| AWS Multiple Failed MFA Requests For User | AWS CloudTrail ConsoleLogin | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly | AWS Identity and Access Management Account Takeover | 2024-09-30 |
| AWS Multiple Users Failing To Authenticate From Ip | AWS CloudTrail ConsoleLogin | Brute Force, Password Spraying, Credential Stuffing | Anomaly | AWS Identity and Access Management Account Takeover, Compromised User Account | 2024-10-16 |
| AWS Network Access Control List Created with All Open Ports | AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry | Disable or Modify Cloud Firewall, Impair Defenses | TTP | AWS Network ACL Activity | 2024-09-30 |
| AWS Network Access Control List Deleted | AWS CloudTrail DeleteNetworkAclEntry | Disable or Modify Cloud Firewall, Impair Defenses | Anomaly | AWS Network ACL Activity | 2024-09-30 |
| AWS New MFA Method Registered For User | AWS CloudTrail CreateVirtualMFADevice | Modify Authentication Process, Multi-Factor Authentication | TTP | AWS Identity and Access Management Account Takeover | 2024-09-30 |
| AWS Password Policy Changes | AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy | Password Policy Discovery | Hunting | AWS IAM Privilege Escalation, Compromised User Account | 2024-10-17 |
| AWS S3 Exfiltration Behavior Identified | | Transfer Data to Cloud Account | Correlation | Data Exfiltration, Suspicious Cloud Instance Activities | 2024-09-30 |
| AWS SAML Access by Provider User and Principal | AWS CloudTrail AssumeRoleWithSAML | Valid Accounts | Anomaly | Cloud Federated Credential Abuse | 2024-09-30 |
| AWS SAML Update identity provider | AWS CloudTrail UpdateSAMLProvider | Valid Accounts | TTP | Cloud Federated Credential Abuse | 2024-09-30 |
| AWS SetDefaultPolicyVersion | AWS CloudTrail SetDefaultPolicyVersion | Cloud Accounts, Valid Accounts | TTP | AWS IAM Privilege Escalation | 2024-09-30 |
| AWS Successful Console Authentication From Multiple IPs | AWS CloudTrail ConsoleLogin | Compromise Accounts, Unused/Unsupported Cloud Regions | Anomaly | Compromised User Account, Suspicious AWS Login Activities | 2024-09-30 |
| AWS Successful Single-Factor Authentication | AWS CloudTrail ConsoleLogin | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | AWS Identity and Access Management Account Takeover | 2024-09-30 |
| AWS Unusual Number of Failed Authentications From Ip | AWS CloudTrail ConsoleLogin | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Anomaly | AWS Identity and Access Management Account Takeover | 2024-09-30 |
| AWS UpdateLoginProfile | AWS CloudTrail UpdateLoginProfile | Cloud Account, Create Account | TTP | AWS IAM Privilege Escalation | 2024-09-30 |
| Cloud API Calls From Previously Unseen User Roles | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud User Activities | 2024-10-17 |
| Cloud Compute Instance Created By Previously Unseen User | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Cloud Cryptomining | 2024-10-17 |
| Cloud Compute Instance Created In Previously Unused Region | AWS CloudTrail | Unused/Unsupported Cloud Regions | Anomaly | Cloud Cryptomining | 2024-10-17 |
| Cloud Compute Instance Created With Previously Unseen Image | AWS CloudTrail | N/A | Anomaly | Cloud Cryptomining | 2024-10-17 |
| Cloud Compute Instance Created With Previously Unseen Instance Type | AWS CloudTrail | N/A | Anomaly | Cloud Cryptomining | 2024-10-17 |
| Cloud Instance Modified By Previously Unseen User | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Suspicious Cloud Instance Activities | 2024-10-17 |
| Cloud Provisioning Activity From Previously Unseen City | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-09-30 |
| Cloud Provisioning Activity From Previously Unseen Country | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-09-30 |
| Cloud Provisioning Activity From Previously Unseen IP Address | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-09-30 |
| Cloud Provisioning Activity From Previously Unseen Region | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-09-30 |
| Cloud Security Groups Modifications by User | AWS CloudTrail | Modify Cloud Compute Configurations | Anomaly | Suspicious Cloud User Activities | 2024-09-30 |
| Detect AWS Console Login by New User | AWS CloudTrail | Compromise Accounts, Cloud Accounts, Unsecured Credentials | Hunting | AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities | 2024-10-17 |
| Detect AWS Console Login by User from New City | AWS CloudTrail | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting | AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities | 2024-10-17 |
| Detect AWS Console Login by User from New Country | AWS CloudTrail | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting | AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities | 2024-10-17 |
| Detect AWS Console Login by User from New Region | AWS CloudTrail | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting | AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities | 2024-10-17 |
| Detect New Open S3 buckets | AWS CloudTrail | Data from Cloud Storage | TTP | Suspicious AWS S3 Activities | 2024-09-30 |
| Detect New Open S3 Buckets over AWS CLI | AWS CloudTrail | Data from Cloud Storage | TTP | Suspicious AWS S3 Activities | 2024-09-30 |
| Detect Spike in AWS Security Hub Alerts for EC2 Instance | AWS Security Hub | N/A | Anomaly | AWS Security Hub Alerts, Critical Alerts | 2024-10-09 |
| Detect Spike in AWS Security Hub Alerts for User | AWS Security Hub | N/A | Anomaly | AWS Security Hub Alerts, Critical Alerts | 2024-10-09 |
| Detect Spike in blocked Outbound Traffic from your AWS | | N/A | Anomaly | AWS Network ACL Activity, Command And Control, Suspicious AWS Traffic | 2024-10-17 |
| Detect Spike in S3 Bucket deletion | AWS CloudTrail | Data from Cloud Storage | Anomaly | Suspicious AWS S3 Activities | 2024-10-17 |
| Abnormally High AWS Instances Launched by User | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| Abnormally High AWS Instances Launched by User - MLTK | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| Abnormally High AWS Instances Terminated by User | | Cloud Accounts | Anomaly | Suspicious AWS EC2 Activities | 2024-10-17 |
| Abnormally High AWS Instances Terminated by User - MLTK | | Cloud Accounts | Anomaly | Suspicious AWS EC2 Activities | 2024-10-17 |
| ASL AWS CreateAccessKey | | Valid Accounts | Hunting | AWS IAM Privilege Escalation | 2024-10-17 |
| ASL AWS Excessive Security Scanning | | Cloud Service Discovery | Anomaly | AWS User Monitoring | 2024-10-17 |
| ASL AWS Password Policy Changes | | Password Policy Discovery | Hunting | AWS IAM Privilege Escalation, Compromised User Account | 2024-10-17 |
| AWS Cloud Provisioning From Previously Unseen City | | Unused/Unsupported Cloud Regions | Anomaly | AWS Suspicious Provisioning Activities | 2024-10-17 |
| AWS Cloud Provisioning From Previously Unseen Country | | Unused/Unsupported Cloud Regions | Anomaly | AWS Suspicious Provisioning Activities | 2024-10-17 |
| AWS Cloud Provisioning From Previously Unseen IP Address | | N/A | Anomaly | AWS Suspicious Provisioning Activities | 2024-10-17 |
| AWS Cloud Provisioning From Previously Unseen Region | | Unused/Unsupported Cloud Regions | Anomaly | AWS Suspicious Provisioning Activities | 2024-10-17 |
| Detect AWS API Activities From Unapproved Accounts | | Cloud Accounts | Hunting | AWS User Monitoring | 2024-10-17 |
| Detect new user AWS Console Login | | Cloud Accounts | Hunting | Suspicious AWS Login Activities | 2024-10-17 |
| Detect Spike in AWS API Activity | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-10-17 |
| Internal Horizontal Port Scan | AWS CloudWatchLogs VPCflow | Network Service Discovery | TTP | Network Discovery | 2024-09-30 |
| Internal Horizontal Port Scan NMAP Top 20 | AWS CloudWatchLogs VPCflow | Network Service Discovery | TTP | Network Discovery | 2024-09-25 |
| Internal Vertical Port Scan | AWS CloudWatchLogs VPCflow | Network Service Discovery | TTP | Network Discovery | 2024-09-30 |