Product
AWS IAM CompromisedKeyQuarantine Policy Attachment
2 rules 2 TTPsDetection of the AWS `CompromisedKeyQuarantine` policy being attached to an IAM user, indicating that AWS has flagged the user's credentials as compromised or publicly exposed, and is providing instructions via a support case for remediation.
AWS KMS Key User Performing S3 Encryption Detection
2 rules 1 TTPDetection of AWS users utilizing KMS keys to perform encryption operations on S3 buckets, indicating potential misuse or malicious activity within the cloud environment.
AWS IAM API Calls via Temporary Session Tokens
3 rules 2 TTPsDetection of AWS IAM API operations using temporary session credentials, indicating potential credential theft, session hijacking, or privileged role abuse for persistence and defense evasion.
AWS IAM Group Creation for Persistence
2 rules 1 TTPAn adversary with compromised IAM write privileges creates a new group in AWS IAM and grants it excessive permissions to establish a persistence mechanism.
AWS Management Console Root Login Detected
2 rules 2 TTPsDetection of a successful AWS Management Console login by the Root user, which is an original identity with unrestricted privileges, indicates a potential security breach requiring immediate investigation.