# Sagan aws-cloudtrail.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# rules by "Bryant Smith" <bsmith@quadrantsec.com>
# 10/20/2022
# ---------------------------------------------------------------------------
# CloudTrail service-management API calls (program:cloudtrail.amazonaws.com).
# One rule per operation, matched with json_content on the ".eventName" key.
# Every rule carries  content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"
# so a record containing "mfaAuthenticated": "true" never fires. A record that
# lacks the field entirely (e.g. no sessionContext) still matches — confirm that
# is the intended behaviour for role and service sessions before deploying.
# parse_src_ip: 1 takes the first IP address found in the log line as the alert
# source (presumably the sourceIPAddress field — verify on a real record).
# Rules prefixed with # are disabled; they cover the read-only operations
# (Describe*/Get*/List*/LookupEvents/CancelQuery) plus AddTags. The enabled
# rules are the ones that create, change, delete, start or stop a trail or
# event data store, plus StartQuery and RemoveTags.
# NOTE(review): DeleteTrail, StopLogging, UpdateTrail and PutEventSelectors are
# the calls that can reduce or switch off trail coverage; the metadata lists
# only T1005/T1078/T1530 and may also warrant T1562.008 (Impair Defenses:
# Disable or Modify Cloud Logs) — align with your ATT&CK mapping policy.
# ---------------------------------------------------------------------------
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (AddTags) "; program:cloudtrail.amazonaws.com; json_content:".eventName","AddTags"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008310; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (CancelQuery) "; program:cloudtrail.amazonaws.com; json_content:".eventName","CancelQuery"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008311; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (CreateEventDataStore) "; program:cloudtrail.amazonaws.com; json_content:".eventName","CreateEventDataStore"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008312; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (CreateTrail) "; program:cloudtrail.amazonaws.com; json_content:".eventName","CreateTrail"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008313; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (DeleteEventDataStore) "; program:cloudtrail.amazonaws.com; json_content:".eventName","DeleteEventDataStore"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008314; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (DeleteTrail) "; program:cloudtrail.amazonaws.com; json_content:".eventName","DeleteTrail"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008315; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (DescribeQuery) "; program:cloudtrail.amazonaws.com; json_content:".eventName","DescribeQuery"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008316; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (DescribeTrails) "; program:cloudtrail.amazonaws.com; json_content:".eventName","DescribeTrails"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008317; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (GetChannel) "; program:cloudtrail.amazonaws.com; json_content:".eventName","GetChannel"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008318; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (GetEventDataStore) "; program:cloudtrail.amazonaws.com; json_content:".eventName","GetEventDataStore"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008319; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (GetEventSelectors) "; program:cloudtrail.amazonaws.com; json_content:".eventName","GetEventSelectors"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008320; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (GetInsightSelectors) "; program:cloudtrail.amazonaws.com; json_content:".eventName","GetInsightSelectors"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008321; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (GetQueryResults) "; program:cloudtrail.amazonaws.com; json_content:".eventName","GetQueryResults"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008322; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (GetTrail) "; program:cloudtrail.amazonaws.com; json_content:".eventName","GetTrail"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008323; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (GetTrailStatus) "; program:cloudtrail.amazonaws.com; json_content:".eventName","GetTrailStatus"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008324; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (ListChannels) "; program:cloudtrail.amazonaws.com; json_content:".eventName","ListChannels"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008325; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (ListEventDataStores) "; program:cloudtrail.amazonaws.com; json_content:".eventName","ListEventDataStores"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008326; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (ListPublicKeys) "; program:cloudtrail.amazonaws.com; json_content:".eventName","ListPublicKeys"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008327; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (ListQueries) "; program:cloudtrail.amazonaws.com; json_content:".eventName","ListQueries"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008328; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (ListTags) "; program:cloudtrail.amazonaws.com; json_content:".eventName","ListTags"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008329; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (ListTrails) "; program:cloudtrail.amazonaws.com; json_content:".eventName","ListTrails"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008330; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (LookupEvents) "; program:cloudtrail.amazonaws.com; json_content:".eventName","LookupEvents"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008331; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (PutEventSelectors) "; program:cloudtrail.amazonaws.com; json_content:".eventName","PutEventSelectors"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008332; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (PutInsightSelectors) "; program:cloudtrail.amazonaws.com; json_content:".eventName","PutInsightSelectors"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008333; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (RemoveTags) "; program:cloudtrail.amazonaws.com; json_content:".eventName","RemoveTags"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008334; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (RestoreEventDataStore) "; program:cloudtrail.amazonaws.com; json_content:".eventName","RestoreEventDataStore"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008335; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
# StartLogging / StopLogging are the only rules in this group with classtype:system-event;
# the rest use user-activity. StopLogging in particular is worth routing to a higher
# priority queue, since it silences the trail for every rule below that depends on it.
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (StartLogging) "; program:cloudtrail.amazonaws.com; json_content:".eventName","StartLogging"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:system-event; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008336; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (StartQuery) "; program:cloudtrail.amazonaws.com; json_content:".eventName","StartQuery"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008337; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (StopLogging) "; program:cloudtrail.amazonaws.com; json_content:".eventName","StopLogging"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:system-event; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008338; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (UpdateEventDataStore) "; program:cloudtrail.amazonaws.com; json_content:".eventName","UpdateEventDataStore"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008339; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS Cloudtrail event detected (UpdateTrail) "; program:cloudtrail.amazonaws.com; json_content:".eventName","UpdateTrail"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:user-activity; reference:url,docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html; sid:5008340; rev:2; metadata: mitre_technique_id T1005, mitre_technique_id T1078, mitre_technique_id T1530;)
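#AWS Ransomware Rules
# ---------------------------------------------------------------------------
# S3 data-extortion indicators, taken from the AWS re:Inforce talk, the AWS
# security blog post and the customer playbook linked in each rule.
# sid 5014179 and 5014181 are disabled (leading #) and kept as history.
# NOTE(review): the disabled 5014179 list names "GetObjects"; the S3 operation
# is GetObject — correct it before re-enabling the rule.
# ---------------------------------------------------------------------------
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] AWS API Discovery Commands"; program:s3.amazonaws.com; meta_content:"eventName|22 3a 20 22|%sagan%",ListBuckets,ListObjects,GetObjects; reference:url,https://d1.awsstatic.com/events/aws-reinforce-2022/TDR431_The-anatomy-of-a-ransomware-event-targeting-data-residing-in-Amazon-S3.pdf; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:discovery; sid:5014179; rev:3; metadata:deployment Endpoint,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag Threat_Hunting, created_at 2023_01_20, updated_at 2024_12_30, mitre_tactic_id TA0007, mitre_technique_id T1082;)
# sid 5014180: bucket-level S3 delete calls, any *.amazonaws.com program.
# json_meta_content OR's the listed eventName values; the non-MFA content
# negation is the same one every rule in this file carries.
# Fix (rev 1 -> 2): the last list entry read "DeleteBucketPublickAccessBlock",
# a misspelling that could never equal a logged eventName, so removal of a
# bucket's public-access block went undetected. Corrected to
# DeleteBucketPublicAccessBlock.
# TODO(review): confirm the exact eventName CloudTrail logs for the bucket-level
# call on a real record; the account-level S3 Control variant is logged as
# DeletePublicAccessBlock and would need its own entry.
# NOTE(review): metadata maps this to TA0007/T1082 (Discovery); destructive
# delete calls fit TA0040/T1485 (Data Destruction) better — review the mapping.
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] Unrecognized API Delete Calls"; program:*.amazonaws.com; json_meta_content:".eventName",DeleteBucket,DeleteBucketCors,DeleteBucketEncryption,DeleteBucketLifecycle,DeleteBucketPolicy,DeleteBucketReplication,DeleteBucketTagging,DeleteBucketPublicAccessBlock; reference:url,https://github.com/aws-samples/aws-customer-playbook-framework/blob/main/docs/Ransom_Response_S3.md; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:suspicious-activity; sid:5014180; rev:2; metadata:deployment Endpoint,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_01_20, updated_at 2023_01_20, mitre_tactic_id TA0007, mitre_technique_id T1082;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] Multiple REST.COPY.OBJECT_GET Calls"; program:*.amazonaws.com; content:"REST.COPY.OBJECT_GET"; reference:url,https://github.com/aws-samples/aws-customer-playbook-framework/blob/main/docs/Ransom_Response_S3.md; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:suspicious-activity; sid:5014181; rev:1; metadata:deployment Endpoint,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_01_20, updated_at 2023_01_20, mitre_tactic_id TA0007, mitre_technique_id T1082;)
# sid 5014182: keyword sweep for S3 metric names in the eventName position.
# NOTE(review): the meta_content pattern is |22 3a 22| (no space after the
# colon) while every other rule in this file uses |22 3a 20 22|; only one of
# the two spellings can match a given serializer's output, so verify this one
# against a real record. The listed names (BucketSizeBytes, GetRequests, ...)
# are CloudWatch S3 metric names rather than CloudTrail eventName values —
# confirm which log source this rule is meant to run against.
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-CLOUDTRAIL] Find Metric Keywords"; program:*.amazonaws.com; meta_content:"eventName|22 3a 22|%sagan%|22|",BucketSizeBytes,GetRequests,PutRequests,DeleteRequests,ListRequests,BytesDownloaded; reference:url,https://aws.amazon.com/blogs/security/anatomy-of-a-ransomware-event-targeting-data-in-amazon-s3/; reference:url,https://docs.aws.amazon.com/AmazonS3/latest/userguide/metrics-dimensions.html; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:discovery; sid:5014182; rev:2; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_01_20, updated_at 2024_05_21, mitre_tactic_id TA0007, mitre_technique_id T1082;)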
# ---------------------------------------------------------------------------
# SES discovery calls (program:ses.amazonaws.com), from the Unit 42 write-up
# on large-scale cloud extortion. Unlike the CloudTrail group above, these use
# a raw content match on  eventName": "<Op>  rather than json_content, so the
# match is sensitive to the exact quoting and spacing of the serialized record.
# ---------------------------------------------------------------------------
# sid 5015087 additionally requires the literal path  :role/aws-service-role/
# somewhere in the record (presumably a service-linked-role ARN) and excludes
# records whose userName is DatadogIntegrationRole.
# NOTE(review): that second content is a positive match, so the rule fires
# ONLY for callers whose record contains the service-role path. If the intent
# was to exclude service-linked roles (as the Datadog clause suggests), the
# match is inverted and should be  content:!"|3a|role|2f|aws-service-role|2f|"
# — confirm against the author's intent before changing it.
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-SES] Simple Email Service Discovery Command Event Detected (GetSendQuota)"; program:ses.amazonaws.com; content:"eventName|22 3a 20 22|GetSendQuota"; content:"|3a|role|2f|aws-service-role|2f|"; content:!"|22|userName|22 3a 20 22|DatadogIntegrationRole|22|"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:discovery; reference:url,https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/; sid:5015087; rev:1; metadata:mitre_tactic_id TA0007;)
# sids 5015088-5015091: single-operation matches with no extra constraints;
# the eventName prefix match means GetAccount also matches any longer name
# that begins with "GetAccount" (e.g. GetAccountSendingEnabled, sid 5015089).
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-SES] Simple Email Service Discovery Event Detected (ListVerifiedEmailAddresses)"; program:ses.amazonaws.com; content:"eventName|22 3a 20 22|ListVerifiedEmailAddresses"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:discovery; reference:url,https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/; sid:5015088; rev:1; metadata:mitre_tactic_id TA0007;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-SES] Simple Email Service Discovery Event Detected (GetAccountSendingEnabled)"; program:ses.amazonaws.com; content:"eventName|22 3a 20 22|GetAccountSendingEnabled"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:discovery; reference:url,https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/; sid:5015089; rev:1; metadata:mitre_tactic_id TA0007;)
# NOTE(review): no closing quote after GetAccount, so this also fires on the
# GetAccountSendingEnabled record that sid 5015089 already covers; append |22|
# to the content if one alert per record is wanted.
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-SES] Simple Email Service Discovery Event Detected (GetAccount)"; program:ses.amazonaws.com; content:"eventName|22 3a 20 22|GetAccount"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:discovery; reference:url,https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/; sid:5015090; rev:1; metadata:mitre_tactic_id TA0007;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-SES] Simple Email Service Discovery Event Detected (ListIdentities)"; program:ses.amazonaws.com; content:"eventName|22 3a 20 22|ListIdentities"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:discovery; reference:url,https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/; sid:5015091; rev:1; metadata:mitre_tactic_id TA0007;)
# ---------------------------------------------------------------------------
# EC2 security-group changes (program:ec2.amazonaws.com), same Unit 42 source.
# sid 5015094 fires on every CreateSecurityGroup with no further constraint
# (beyond the non-MFA negation), so expect volume from IaC pipelines.
# sid 5015095 fires on AuthorizeSecurityGroupIngress only when the request
# carries  "cidrIp": "0.0.0.0/0"  — i.e. an ingress rule open to all IPv4.
# NOTE(review): an equally open IPv6 range (::/0) is carried in a different
# request field and is not covered by this content; add a second rule or a
# second content for it once the field name is confirmed on a real record.
# NOTE(review): both rules set classtype:persistence but mitre_tactic_id TA0002
# (Execution); TA0003 is Persistence — align one with the other.
# ---------------------------------------------------------------------------
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-EC2] Elastic Compute Cloud Security Group Created (CreateSecurityGroup)"; program:ec2.amazonaws.com; content:"eventName|22 3a 20 22|CreateSecurityGroup"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:persistence; reference:url,https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/; sid:5015094; rev:1; metadata:mitre_tactic_id TA0002;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-EC2] Elastic Compute Cloud Ingress Rules added to Security Group (AuthorizeSecurityGroupIngress)"; program:ec2.amazonaws.com; content:"eventName|22 3a 20 22|AuthorizeSecurityGroupIngress"; content:"|22|cidrIp|22 3a 20 22|0.0.0.0/0|22|"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:persistence; reference:url,https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/; reference:url,https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html; sid:5015095; rev:1; metadata:mitre_tactic_id TA0002;)
# ---------------------------------------------------------------------------
# sid 5015096: Lambda function creation (program:lambda.amazonaws.com). The
# eventName is matched as CreateFunction20150331 — the versioned name CloudTrail
# uses for this call. A negated json_content drops records whose
# .userIdentity.sessionContext.sessionIssuer.userName is
# AWSServiceRoleForLambdaReplicator (an AWS-managed service-linked role), so
# AWS's own replication activity does not alert; any other caller does.
# NOTE(review): no other allow-list is applied, so deployment roles used by
# CI/CD will alert on every deploy — tune with additional json_content
# negations on sessionIssuer.userName for known deployers if that is noisy.
# ---------------------------------------------------------------------------
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-LAMBDA] Lambda Function Created (CreateFunction20150331)"; program:lambda.amazonaws.com; content:"eventName|22 3a 20 22|CreateFunction20150331"; parse_src_ip: 1; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; json_content: !".userIdentity.sessionContext.sessionIssuer.userName", "AWSServiceRoleForLambdaReplicator"; classtype:execution; reference:url,https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/; sid:5015096; rev:2; metadata:mitre_tactic_id TA0002;)
# ---------------------------------------------------------------------------
# sid 5015097: bulk S3 object reads (program:s3.amazonaws.com, eventName
# GetObject). Records with  "bytesTransferredOut": 0  are excluded so empty
# reads do not count. `after:track by_src,count 100,seconds 60` means a source
# must produce 100 matching records inside 60 s before the first alert;
# `threshold:type suppress, track by_src, count 5, seconds 86400` then caps
# alerting at 5 per source per day.
# Prerequisite: GetObject is an S3 data event, not a management event; the
# trail feeding Sagan must have S3 data-event logging enabled for this rule to
# ever see a record.
# NOTE(review): the msg tag is [AWS-LAMBDA] although the rule keys on
# s3.amazonaws.com and GetObject; every other rule in this file tags by its
# program, so [AWS-S3] looks intended unless the Lambda tag is deliberate
# (the referenced Unit 42 case used Lambda for the reads) — confirm and bump rev.
# NOTE(review): the negated  bytesTransferredOut": 0  is a raw byte match; a
# record serialized without the space (":0) would not be excluded. Same caveat
# applies to every content-based eventName match in this file.
# ---------------------------------------------------------------------------
alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-LAMBDA] Possible Exfiltration Attempt (GetObject) [100/60sec]"; program:s3.amazonaws.com; content:"eventName|22 3a 20 22|GetObject"; content:!"|22|bytesTransferredOut|22 3a| 0"; parse_src_ip:1; after:track by_src,count 100,seconds 60; threshold:type suppress, track by_src, count 5, seconds 86400; content: !"|22|mfaAuthenticated|22 3a 20 22|true|22|"; classtype:exfiltration; reference:url,https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/; sid:5015097; rev:1; metadata:mitre_tactic_id TA0010;)