Update
exa-content-sec committed Jan 8, 2022
1 parent d7f9618 commit 020ae3d
Showing 27 changed files with 213 additions and 244 deletions.

Large diffs are not rendered by default.

Expand Up @@ -5,9 +5,14 @@ Vendor: Amazon

| Rules | Models | MITRE TTPs | Event Types | Parsers |
|:-----:|:------:|:----------:|:-----------:|:-------:|
| 4 | 1 | 2 | 9 | 9 |
| 14 | 6 | 5 | 9 | 9 |

| Event Type | Rules | Models |
| ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ |
| account-password-change | <b>T1098 - Account Manipulation</b><br> ↳ <b>AM-UA-APLocU-F</b>: First account password change for local user | |
| app-activity | <b>T1098.002 - Account Manipulation: Exchange Email Delegate Permissions</b><br> ↳ <b>EM-InB-Ex</b>: A user has been given mailbox permissions for an executive user<br> ↳ <b>EM-InB-Perm-N-F</b>: First time a user has given mailbox permissions on another mailbox that is not their own<br> ↳ <b>EM-InB-Perm-N-A</b>: Abnormal for user to give mailbox permissions | • <b>EM-InB-Perm-N</b>: Models users who give mailbox permissions |
| Event Type | Rules | Models |
| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| account-password-change | <b>T1098 - Account Manipulation</b><br> ↳ <b>AM-UA-APLocU-F</b>: First account password change for local user | |
| app-activity | <b>T1098.002 - Account Manipulation: Exchange Email Delegate Permissions</b><br> ↳ <b>EM-InB-Ex</b>: A user has been given mailbox permissions for an executive user<br> ↳ <b>EM-InB-Perm-N-F</b>: First time a user has given mailbox permissions on another mailbox that is not their own<br> ↳ <b>EM-InB-Perm-N-A</b>: Abnormal for user to give mailbox permissions | • <b>EM-InB-Perm-N</b>: Models users who give mailbox permissions |
| cloud-admin-activity | <b>T1078.004 - Valid Accounts: Cloud Accounts</b><br> ↳ <b>CA-UniversalPolicy-F</b>: First time this user has created/attached a 'universal' resource/action policy<br> ↳ <b>CA-UniversalPolicy-A</b>: Abnormal for this user to create/attach a 'universal' resource/action policy<br> ↳ <b>CS-IAM-Enumeration</b>: Enumeration of Cloud account roles/users<br> ↳ <b>CS-Admin-Activty-F</b>: First time seeing this Cloud administrative operation<br><br><b>T1136.003 - Create Account: Create: Cloud Account</b><br> ↳ <b>CS-User-Creation-F</b>: First time for this user to create an account in the cloud | • <b>CS-Admin-Activity</b>: Cloud administrative activities performed by user<br> • <b>CS-User-Creation</b>: Users who create users/accounts in the cloud<br> • <b>CS-Universal-Policy</b>: Users creating universal '*' policies |
| cloud-admin-activity-failed | <b>T1078.004 - Valid Accounts: Cloud Accounts</b><br> ↳ <b>CS-IAM-Enumeration</b>: Enumeration of Cloud account roles/users<br> ↳ <b>CS-Admin-Activty-F</b>: First time seeing this Cloud administrative operation<br><br><b>T1136.003 - Create Account: Create: Cloud Account</b><br> ↳ <b>CS-User-Creation-F</b>: First time for this user to create an account in the cloud<br> ↳ <b>CS-Failed-User-Creation</b>: User attempted and failed to create a Cloud user/account | • <b>CS-Admin-Activity</b>: Cloud administrative activities performed by user<br> • <b>CS-User-Creation</b>: Users who create users/accounts in the cloud |
| storage-access | <b>T1530 - Data from Cloud Storage Object</b><br> ↳ <b>B-CS-Buckets-F</b>: First cloud storage/bucket in the organization | • <b>B-CS-Buckets</b>: Buckets seen in the organization |
| storage-activity | <b>T1136.003 - Create Account: Create: Cloud Account</b><br> ↳ <b>CS-Bucket-C-D-F</b>: Cloud Storage bucket/storage container creation/deletion for the first time<br> ↳ <b>CS-Bucket-Created</b>: Cloud storage bucket/storage container creation<br><br><b>T1530 - Data from Cloud Storage Object</b><br> ↳ <b>B-CS-Buckets-F</b>: First cloud storage/bucket in the organization<br> ↳ <b>CS-S3-Enumeration</b>: Cloud Storage container/bucket enumeration | • <b>CS-Bucket-C-D</b>: Users who create or delete storage containers<br> • <b>B-CS-Buckets</b>: Buckets seen in the organization |
| storage-activity-failed | <b>T1136.003 - Create Account: Create: Cloud Account</b><br> ↳ <b>CS-Bucket-C-D-F</b>: Cloud Storage bucket/storage container creation/deletion for the first time<br> ↳ <b>CS-Bucket-Created</b>: Cloud storage bucket/storage container creation<br><br><b>T1530 - Data from Cloud Storage Object</b><br> ↳ <b>B-CS-Buckets-F</b>: First cloud storage/bucket in the organization<br> ↳ <b>CS-S3-Enumeration</b>: Cloud Storage container/bucket enumeration | • <b>CS-Bucket-C-D</b>: Users who create or delete storage containers<br> • <b>B-CS-Buckets</b>: Buckets seen in the organization |
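
Review bot: In the storage-activity and storage-activity-failed rows, the bucket rules CS-Bucket-C-D-F and CS-Bucket-Created are filed under "T1136.003 - Create Account: Create: Cloud Account", which is an account-creation technique and does not describe bucket creation or deletion, and the label itself repeats "Create:" (the MITRE name is "Create Account: Cloud Account"); please confirm the intended technique for these two rules and fix the label in all four rows that carry it. The rule ID CS-Admin-Activty-F in the cloud-admin-activity rows is spelled "Activty" while its model is CS-Admin-Activity, and the CA-UniversalPolicy-F/-A rules use a different prefix and hyphenation from the CS-Universal-Policy model; if these IDs are generated from the rule content, the spelling should be corrected or reconciled at the source so that searches on the model name also find the rules. The summary row reports 9 event types, but the table in this hunk lists 7, so it is worth checking whether two event types have no rules and were dropped from the table or whether the count is stale. Finally, storage-activity-failed carries the same CS-Bucket-Created rule as the success event type; a short note on whether that rule is meant to fire on failed creation attempts would help readers.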
