LoFP / Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Sample rules

AWS Execution via System Manager

Description

Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and the like can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via a reverse shell using system-only commands.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success

AWS CloudWatch Alarm Deletion

Description

Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.

Detection logic

event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success

AWS Configuration Recorder Stopped

Description

Identifies an AWS configuration change to stop recording a designated set of resources.

Detection logic

event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success

AWS CloudWatch Log Group Deletion

Description

Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.

Detection logic

event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success

AWS IAM Assume Role Policy Update

Description

Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.

Detection logic

event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success

AWS VPC Flow Logs Deletion

Description

Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success
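As an added example (not code from the LoFP page or from any detection-rule project), the following Python evaluates the six sample rules above against CloudTrail-shaped events and then applies the exemption the false-positive note at the top recommends: known behavior is exempted only when it is pinned to the verified user identity, user agent and/or source host, so the same API call from an unfamiliar user or host still alerts. The query strings are copied from the page; the ECS field names used for identity (`user.name`, `user_agent.original`, `source.address`) are an assumption, and every event and exemption in the block is constructed.

```python
"""Evaluate the page's CloudTrail sample rules over constructed events.

Added example; not code from the LoFP page or from any detection-rule
project. The query strings are copied from the page. The ECS field names
used for identity (user.name, user_agent.original, source.address) are an
assumption, and every event and exemption below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

Event = Dict[str, str]  # a flattened record keyed by dotted ECS field name

# Detection logic of the six sample rules, copied from the page.
RULES: Dict[str, str] = {
    "AWS Execution via System Manager":
        "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success",
    "AWS CloudWatch Alarm Deletion":
        "event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success",
    "AWS Configuration Recorder Stopped":
        "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success",
    "AWS CloudWatch Log Group Deletion":
        "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success",
    "AWS IAM Assume Role Policy Update":
        "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success",
    "AWS VPC Flow Logs Deletion":
        "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success",
}


def parse_rule(query: str) -> Dict[str, str]:
    """Parse the 'field:value and field:value' subset of KQL the rules use.

    Anything outside that subset (OR, wildcards, grouping) is rejected rather
    than silently misread, so an edited rule cannot quietly match nothing.
    """
    terms: Dict[str, str] = {}
    for clause in query.split(" and "):
        name, sep, value = clause.strip().partition(":")
        if not sep or not name or not value or " " in value:
            raise ValueError(f"unsupported clause: {clause!r}")
        terms[name] = value
    return terms


def matches(event: Event, terms: Dict[str, str]) -> bool:
    """Every term must equal the event's value; a missing field never matches."""
    return all(event.get(name) == value for name, value in terms.items())


@dataclass
class Exemption:
    """Known behaviour exempted from one rule.

    All listed fields must match, so the exemption is pinned to the identity,
    user agent and/or source host that was verified, not to the API call as
    such: the same call from an unfamiliar user or host still alerts.
    """
    rule: str
    required: Dict[str, str]

    def covers(self, rule: str, event: Event) -> bool:
        return rule == self.rule and all(
            event.get(k) == v for k, v in self.required.items())


def evaluate(events: Sequence[Event],
             exemptions: Sequence[Exemption] = ()) -> List[Tuple[str, str]]:
    """Return (rule name, event.id) for every match not covered by an exemption."""
    compiled = {name: parse_rule(q) for name, q in RULES.items()}
    hits: List[Tuple[str, str]] = []
    for ev in events:
        for name, terms in compiled.items():
            if matches(ev, terms) and not any(
                    x.covers(name, ev) for x in exemptions):
                hits.append((name, ev["event.id"]))
    return hits


def _ct(event_id, provider, action, outcome, user, agent, ip) -> Event:
    """Build one constructed CloudTrail record in flattened ECS form."""
    return {"event.id": event_id, "event.dataset": "aws.cloudtrail",
            "event.provider": provider, "event.action": action,
            "event.outcome": outcome, "user.name": user,
            "user_agent.original": agent, "source.address": ip}


# Constructed sample events (not real CloudTrail data).
SAMPLE_EVENTS: List[Event] = [
    _ct("e1", "ssm.amazonaws.com", "SendCommand", "success", "patch-automation", "aws-sdk-go/1.44.0", "10.0.1.20"),
    _ct("e2", "ssm.amazonaws.com", "SendCommand", "success", "jdoe", "aws-cli/2.13.0", "198.51.100.7"),
    _ct("e3", "monitoring.amazonaws.com", "DeleteAlarms", "failure", "jdoe", "console.amazonaws.com", "198.51.100.7"),
    _ct("e4", "logs.amazonaws.com", "DeleteLogGroup", "success", "jdoe", "console.amazonaws.com", "198.51.100.7"),
    _ct("e5", "iam.amazonaws.com", "UpdateAssumeRolePolicy", "success", "jdoe", "aws-cli/2.13.0", "198.51.100.7"),
    _ct("e6", "ec2.amazonaws.com", "DeleteFlowLogs", "success", "terraform-ci", "Terraform/1.5.7", "10.0.1.30"),
    _ct("e7", "config.amazonaws.com", "StopConfigurationRecorder", "success", "jdoe", "console.amazonaws.com", "198.51.100.7"),
    _ct("e8", "ec2.amazonaws.com", "DescribeInstances", "success", "jdoe", "aws-cli/2.13.0", "198.51.100.7"),
]

# Constructed exemptions for behaviour that has been verified as expected.
KNOWN_BEHAVIOUR = [
    Exemption("AWS Execution via System Manager",
              {"user.name": "patch-automation", "user_agent.original": "aws-sdk-go/1.44.0"}),
    Exemption("AWS VPC Flow Logs Deletion",
              {"user.name": "terraform-ci", "source.address": "10.0.1.30"}),
]

if __name__ == "__main__":
    for rule, event_id in evaluate(SAMPLE_EVENTS, KNOWN_BEHAVIOUR):
        print(f"{rule}: {event_id}")
```

Run stand-alone, the block reports e2, e4, e5 and e7: the failed DeleteAlarms call (e3) never matches because every rule requires `event.outcome:success`, the unrelated DescribeInstances call (e8) matches no rule, and e1 and e6 are suppressed only because both the identity and the second verified attribute of their exemptions line up. Exemptions keyed on a single attribute such as the user agent alone would be easy to satisfy by anyone, which is why the `Exemption` type requires every listed field to match.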

Sample rules

AWS Execution via System Manager

Description

Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success

AWS CloudWatch Alarm Deletion

Description

Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.

Detection logic

event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success

Sample rules

AWS Execution via System Manager

Description

Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success

AWS CloudWatch Alarm Deletion

Description

Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.

Detection logic

event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success

AWS Configuration Recorder Stopped

Description

Identifies an AWS configuration change to stop recording a designated set of resources.

Detection logic

event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success

Sample rules

AWS Execution via System Manager

Description

Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success

AWS CloudWatch Alarm Deletion

Description

Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.

Detection logic

event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success

Sample rules

AWS Execution via System Manager

Description

Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success

AWS CloudWatch Alarm Deletion

Description

Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.

Detection logic

event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success

AWS Configuration Recorder Stopped

Description

Identifies an AWS configuration change to stop recording a designated set of resources.

Detection logic

event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success

AWS CloudWatch Log Group Deletion

Description

Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.

Detection logic

event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success

Sample rules

AWS Execution via System Manager

Description

Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success

AWS CloudWatch Alarm Deletion

Description

Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.

Detection logic

event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success

Sample rules

AWS Execution via System Manager

Description

Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success

AWS CloudWatch Alarm Deletion

Description

Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.

Detection logic

event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success

AWS Configuration Recorder Stopped

Description

Identifies an AWS configuration change to stop recording a designated set of resources.

Detection logic

event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success

Sample rules

AWS Execution via System Manager

Description

Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success

AWS CloudWatch Alarm Deletion

Description

Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.

Detection logic

event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success

Sample rules

AWS Execution via System Manager

Description

Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success

AWS CloudWatch Alarm Deletion

Description

Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.

Detection logic

event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success

AWS Configuration Recorder Stopped

Description

Identifies an AWS configuration change to stop recording a designated set of resources.

Detection logic

event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success

AWS CloudWatch Log Group Deletion

Description

Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.

Detection logic

event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success

AWS IAM Assume Role Policy Update

Description

Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.

Detection logic

event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success

Sample rules

AWS Execution via System Manager

Description

Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success

AWS CloudWatch Alarm Deletion

Description

Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.

Detection logic

event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success

Sample rules

AWS Execution via System Manager

Description

Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success

AWS CloudWatch Alarm Deletion

Description

Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.

Detection logic

event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success

AWS Configuration Recorder Stopped

Description

Identifies an AWS configuration change to stop recording a designated set of resources.

Detection logic

event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success

Sample rules

AWS Execution via System Manager

Description

Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success

AWS CloudWatch Alarm Deletion

Description

Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.

Detection logic

event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success

Sample rules

AWS Execution via System Manager

Description

Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success

AWS CloudWatch Alarm Deletion

Description

Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.

Detection logic

event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success

AWS Configuration Recorder Stopped

Description

Identifies an AWS configuration change to stop recording a designated set of resources.

Detection logic

event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success

AWS CloudWatch Log Group Deletion

Description

Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.

Detection logic

event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success

AWS IAM Assume Role Policy Update

Description

Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.

Detection logic

event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success

AWS VPC Flow Logs Deletion

Description

Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success

Azure Keyvault Secrets Modified or Deleted

Description

Identifies when Azure Key Vault secrets are modified or deleted.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION

Azure Service Principal Created

Description

Identifies when a service principal is created in Azure.

Detection logic

condition: selection
selection:
  properties.message: Add service principal

Azure Application Security Group Modified or Deleted

Description

Identifies when an application security group is modified or deleted.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE
  - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE

Azure Service Principal Removed

Description

Identifies when a service principal is removed in Azure.

Detection logic

condition: selection
selection:
  properties.message: Remove service principal

Azure Application Deleted

Description

Identifies when an application is deleted in Azure.

Detection logic

condition: selection
selection:
  properties.message:
  - Delete application
  - Hard Delete application

Azure Suppression Rule Created

Description

Identifies when a suppression rule is created in Azure. Adversaries could attempt this to evade detection.

Detection logic

condition: selection
selection:
  operationName: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE

Azure Keyvault Key Modified or Deleted

Description

Identifies when a Keyvault Key is modified or deleted in Azure.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE
  - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE
  - MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION

Azure Application Gateway Modified or Deleted

Description

Identifies when an application gateway is modified or deleted.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE
  - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE

Azure Application Credential Modified

Description

Identifies when an application credential is modified.

Detection logic

condition: selection
selection:
  properties.message: Update application - Certificates and secrets management

Azure Device or Configuration Modified or Deleted

Description

Identifies when a device or device configuration in Azure is modified or deleted.

Detection logic

condition: selection
selection:
  properties.message:
  - Delete device
  - Delete device configuration
  - Update device
  - Update device configuration

Azure Key Vault Modified or Deleted

Description

Identifies when a key vault is modified or deleted.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.KEYVAULT/VAULTS/WRITE
  - MICROSOFT.KEYVAULT/VAULTS/DELETE
  - MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE

Azure Owner Removed From Application or Service Principal

Description

Identifies when an owner was removed from an application or service principal in Azure.

Detection logic

condition: selection
selection:
  properties.message:
  - Remove owner from service principal
  - Remove owner from application

CA Policy Updated by Non Approved Actor

Description

Monitor and alert on conditional access changes. Is the initiating actor approved to make changes? Review Modified Properties and compare the "old" vs "new" value.

Detection logic

condition: keywords
keywords:
- Update conditional access policy

CA Policy Removed by Non Approved Actor

Description

Monitor and alert on conditional access changes where a non-approved actor removed a CA policy.

Detection logic

condition: selection
selection:
  properties.message: Delete conditional access policy

Azure Domain Federation Settings Modified

Description

Identifies when a user or application modified the federation settings on the domain.

Detection logic

condition: selection
selection:
  ActivityDisplayName: Set federation settings on domain

New CA Policy by Non-approved Actor

Description

Monitor and alert on conditional access changes.

Detection logic

condition: selection
selection:
  properties.message: Add conditional access policy

AWS EKS Cluster Created or Deleted

Description

Identifies when an EKS cluster is created or deleted.

Detection logic

condition: selection
selection:
  eventName:
  - CreateCluster
  - DeleteCluster
  eventSource: eks.amazonaws.com

Okta Policy Modified or Deleted

Description

Detects when an Okta policy is modified or deleted.

Detection logic

condition: selection
selection:
  eventtype:
  - policy.lifecycle.update
  - policy.lifecycle.delete

Google Cloud VPN Tunnel Modified or Deleted

Description

Identifies when a VPN tunnel is modified or deleted in Google Cloud.

Detection logic

condition: selection
selection:
  gcp.audit.method_name:
  - compute.vpnTunnels.insert
  - compute.vpnTunnels.delete

Google Cloud SQL Database Modified or Deleted

Description

Detects when a Cloud SQL database has been modified or deleted.

Detection logic

condition: selection
selection:
  gcp.audit.method_name:
  - cloudsql.instances.create
  - cloudsql.instances.delete
  - cloudsql.users.update
  - cloudsql.users.delete

Suspicious Driver Install by pnputil.exe

Description

Detects when a possibly suspicious driver is installed via the pnputil.exe LOLBIN.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - -i
  - /install
  - -a
  - /add-driver
  - '.inf'
  Image|endswith: \pnputil.exe

LOLBAS Data Exfiltration by DataSvcUtil.exe

Description

Detects when a user performs data exfiltration by using DataSvcUtil.exe.

Detection logic

condition: all of selection*
selection_cli:
  CommandLine|contains:
  - '/in:'
  - '/out:'
  - '/uri:'
selection_img:
- Image|endswith: \DataSvcUtil.exe
- OriginalFileName: DataSvcUtil.exe