- Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.
- Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence by changing the configuration of a legitimate scheduled task. Some changes, such as disabling or enabling a scheduled task, are common and may generate noise.
- Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.
- Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.
- Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.
- Identifies an update to an AWS log trail setting that specifies the delivery of log files.
- Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.
- Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.
- Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all archived log events associated with the stream.
- Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and/or its workload instances.
- Identifies an AWS configuration change to stop recording a designated set of resources.
- AWS Credentials Searched For Inside A Container: This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment.
- Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance.
- Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.
- AWS EC2 Full Network Packet Capture Detected: Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.
- AWS EC2 Network Access Control List Creation: Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.
- An attempt was made to modify AWS EC2 snapshot attributes.
- AWS EC2 Network Access Control List Deletion: Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.