AWS Compromise Assessment compiles the events and Indicator of Compromise (IoC) from CloudTrail Logs after an incident has occurred or appears to be compromised. It will assist in obtaining complete critical event data and making it easier for threat hunters for future forensics.
| Component | README |
|---|---|
| python version > 3.6 | Must be pre-installed in computer in order to run the compromise assessment script |
| Configure AWS SDK | Using AWS CLI you have to configure the AWS SDK |
| Operating system | Windows or Ubuntu/Linux |
| CPU | Core 2 CPU or more |
| Memory | 4 GB RAM |
- Scrpit will show
50000record of cloudtrail logs by default or if you want to customize it you can give-record_limitargument to the command. - Script will show cloudtrail logs according to
daysargument (60or90) in the command line default is90or you can give your days using-dayscommand line argument. - Script will also gives you a cloudtrail logs based on AWS services using the argument called
-service_name. - Script will shows the logs in the tabular format.
- Log table provide pagination functionality for traverse throught the logs.
- Log table also provide a functionality for searching a logs according to event category.
- Script will show you the
Analytic (statastical)table. - Script will display the
histogramandpie chartaccording to analytic table.
Python for Windows
https://www.digitalocean.com/community/tutorials/install-python-windows-10Python for Ubuntu/Linux
https://www.makeuseof.com/install-python-ubuntu/Install AWS CLI from the link given below
https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.htmlRun the following command and provide your aws credentials to setup the AWS ADK on your system.
aws configureOpen the command prompt or terminal on your system then reach to project directory and run the following command
pip3 install -r requirements.txthttps://github.com/Infopercept/compromise-assessmentIf you are
Windowsuser then usepythonfor running the script.
or
If you are
Ubunt/Linux/MacOsuser then usepython3for runnig the script.
Type the following command
python3 compromise-assessment.py -hor
python3 compromise-assessment.py --helpResult
- You can use this arguments to make user specific choices and arguments optionals are
days,record_limit, andservice_name. - Commands you can use:
| Command | Description |
|---|---|
| python3 compromise-assessment.py | This command gives you the 90 days cloudtrail records as default it takes 90 days,it will take all services and it will return 5000 record by default. |
| python3 compromise-assessment.py -days 60 | This command gives you the 60 days cloudtrail records, it will take all services and it will return 5000 record by default. |
| python3 compromise-assessment.py -days 90 | This command gives you the 90 days cloudtrail records, it will take all services and it will return 5000 record by default. |
| python3 compromise-assessment.py -record_limit 1000 | This command gives you the 90 days cloudtrail records as default, it will take all services and it will return 1000 record. |
| python3 compromise-assessment.py -service_name s3 | This command gives you the 90 days cloudtrail records as default, it will take S3 services and it will return 5000 record. |
| python3 compromise-assessment.py -days 60 -service_name iam | This command gives you the 60 days cloudtrail records, it will take IAM services and it will return 5000 record. |
| python3 compromise-assessment.py -days 70 -record_limit 5000 -service_name lambda | This command gives you the 70 days cloudtrail records, it will take LAMBDA services and it will return 5000 record. |
Licensed under the (https://www.infopercept.com/) License, Version 3.0. Copyright 2022 Infopercept. Copy of the license.
 Bhavik Prajapati 💻 |
👤 Bhavik Prajapati
- Github: @BhavikDevInfopercept