Created
November 20, 2021 20:09
-
-
Save remotephone/6024f564c0173fce7c67f107ffbb117c to your computer and use it in GitHub Desktop.
detection_eng_cloudtrail_rule
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| title: Detects Backdooring EC2 Security Groups | |
| status: experimental | |
| description: Detects the insertion of backdoor access into EC2 Security Groups. | |
| author: '@DefensiveDepth' | |
| date: 2021/01/01 | |
| logsource: | |
| service: cloudtrail | |
| detection: | |
| selection_source: | |
| - eventSource: ec2.amazonaws.com | |
| event_type: | |
| - eventName: | |
| - AuthorizeSecurityGroupIngress | |
| known_good_ips: | |
| sourceIPAddress: | |
| - 107.14.3.10 | |
| - 107.14.3.11 | |
| - 107.14.3.12 | |
| known_good_uas: | |
| userAgent|contains: | |
| - "IntAuto" | |
| condition: selection_source and event_type and not (1 of known_good*) | |
| falsepositives: | |
| - Valid change to EC2 Security Group | |
| level: high |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment