Product
AWS STS AssumeRole with New MFA Device
2 rules 4 TTPsThis rule identifies when a user has assumed a role using a new MFA device in AWS, which can be indicative of persistence and privilege escalation attempts by threat actors.
AWS STS Role Chaining for Privilege Escalation and Persistence
2 rules 3 TTPsAWS STS role chaining, where one assumed role is used to assume another, can lead to privilege escalation or persistence by refreshing session tokens, triggering alerts on the first observed role assumption based on CloudTrail logs.
AWS CreateLoginProfile Activity Detection
2 rules 2 TTPsDetects the creation of AWS IAM login profiles, which can be indicative of new user creation or modifications by potentially malicious actors for privilege escalation or persistence.
AWS SAML Identity Provider Modification
2 rules 1 TTPAn adversary may attempt to modify the AWS SAML Identity Provider configuration to potentially escalate privileges or disrupt federated access.
AWS KMS Key User Performing S3 Encryption
2 rules 1 TTPDetection of AWS users employing KMS keys for S3 encryption, potentially indicating suspicious data handling within cloud environments.
AWS IAM Group Deletion Failure
2 rules 1 TTPDetection of a failed attempt to delete an AWS IAM group, which could indicate an attempt to remove audit trails or disrupt security policies.
AWS IAM User Creates Access Keys For Another User
2 rules 2 TTPsAn adversary with access to compromised AWS credentials may attempt to persist or escalate privileges by creating a new set of access keys for an existing IAM user, potentially leading to unauthorized access to resources and data.
AWS Virtual MFA Device Registration Attempt
2 rules 1 TTPAn adversary attempts to register a virtual MFA device to an AWS account, potentially leading to account takeover and unauthorized access to resources.
AWS SAML Identity Provider Update Detection
2 rules 1 TTPDetection of unauthorized updates to AWS SAML identity providers using CloudTrail logs, potentially indicating compromised federated credentials and unauthorized access.
AWS User Login Profile Update by Different User
2 rules 1 TTPA user updating the login profile of another user in AWS CloudTrail logs may indicate privilege escalation attempts.
AWS Multi-Factor Authentication Disabled
2 rules 3 TTPsDetection of AWS Multi-Factor Authentication (MFA) being disabled for an IAM user, indicating potential weakening of account security and persistence attempts.
AWS Login Profile Creation Activity
2 rules 2 TTPsMonitoring AWS login profile creation events can help identify potentially malicious user or role creation activities within an AWS environment.
AWS IAM Policy Version Created Allowing Access to All Resources
2 rules 1 TTPAn AWS IAM policy version allowing access to all resources has been created, potentially leading to privilege escalation and unauthorized actions.
AWS IAM Policy Default Version Manipulation
2 rules 2 TTPsAn adversary may set a default policy version in AWS IAM to potentially escalate privileges, especially if previous policy versions granted broader permissions, leading to unauthorized access and data breaches.
AWS IAM MFA Device Deactivation
2 rules 3 TTPsDetection of AWS IAM MFA device deactivation via the `DeactivateMFADevice` API call, which could indicate an attempt to weaken account protections for privilege escalation or persistence.
AWS IAM Default Policy Version Modification
2 rules 1 TTPAn adversary modifies the default version of an AWS IAM policy, potentially downgrading security or disrupting access control.
AWS Account Console Login Without MFA
2 rules 2 TTPsDetection of successful AWS console login events without multi-factor authentication (MFA) enabled, potentially indicating misconfiguration, policy violation, or account compromise.
AWS Account Compromise via New MFA Registration
2 rules 2 TTPsAn adversary may register a new Multi-Factor Authentication (MFA) method for an AWS account using the `CreateVirtualMFADevice` event in AWS CloudTrail logs to maintain persistence and evade detection in a compromised AWS account.
Detection of Public AWS S3 Bucket Creation via CLI
2 rules 1 TTPAn AWS user creates a publicly accessible S3 bucket by using the AWS CLI to set permissive ACLs, potentially leading to unauthorized data access and data breaches.