@remotephone
Created November 20, 2021 20:09
detection_eng_cloudtrail_rule
title: Detects Backdooring EC2 Security Groups
status: experimental
description: Detects the insertion of backdoor access into EC2 Security Groups.
author: '@DefensiveDepth'
date: 2021/01/01
logsource:
  product: aws
  service: cloudtrail
detection:
  # Scope to the EC2 API
  selection_source:
    eventSource: ec2.amazonaws.com
  # The API call that adds an inbound rule to a security group
  event_type:
    eventName: AuthorizeSecurityGroupIngress
  # Allowlist: source addresses from which security group changes are expected
  known_good_ips:
    sourceIPAddress:
      - 107.14.3.10
      - 107.14.3.11
      - 107.14.3.12
  # Allowlist: user agent of the internal automation that legitimately makes these changes
  known_good_uas:
    userAgent|contains: 'IntAuto'
  # Alert on any ingress authorization that does not come from a known source IP or known automation
  condition: selection_source and event_type and not (1 of known_good*)
falsepositives:
  - Valid change to EC2 Security Group
level: high
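To show how the condition above behaves on actual log data, here is an added Python example (not part of the gist) that evaluates the same selection and allowlist logic over a few constructed CloudTrail records; the event IDs, the 198.51.100.x addresses and the user agent strings are made up, and string comparisons are done case-insensitively to mirror Sigma's default matching.

```python
import json

# Allowlists taken from the rule's known_good_ips / known_good_uas selections
KNOWN_GOOD_IPS = {"107.14.3.10", "107.14.3.11", "107.14.3.12"}
KNOWN_GOOD_UA_SUBSTRINGS = ("intauto",)  # compared lowercase (Sigma default is case-insensitive)


def matches_rule(event: dict) -> bool:
    """Evaluate: selection_source and event_type and not (1 of known_good*)
    against one CloudTrail record."""
    selection_source = event.get("eventSource", "").lower() == "ec2.amazonaws.com"
    event_type = event.get("eventName", "").lower() == "authorizesecuritygroupingress"
    known_good_ips = event.get("sourceIPAddress") in KNOWN_GOOD_IPS
    ua = event.get("userAgent", "").lower()
    known_good_uas = any(s in ua for s in KNOWN_GOOD_UA_SUBSTRINGS)
    # "1 of known_good*" is true when at least one allowlist selection matches
    return selection_source and event_type and not (known_good_ips or known_good_uas)


def alerting_event_ids(cloudtrail_log: str) -> list:
    """Parse a CloudTrail log file ({"Records": [...]}) and return IDs that fire the rule."""
    records = json.loads(cloudtrail_log)["Records"]
    return [r["eventID"] for r in records if matches_rule(r)]


# Constructed sample log (hypothetical values, not real CloudTrail output)
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "evt-unknown-ip", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.4.0"},
    {"eventID": "evt-known-ip", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "107.14.3.11", "userAgent": "aws-cli/2.4.0"},
    {"eventID": "evt-automation", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "198.51.100.9", "userAgent": "IntAuto-deployer/1.0"},
    {"eventID": "evt-other-api", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.4.0"},
]})

if __name__ == "__main__":
    # Only the ingress change from an unknown IP with an unknown user agent should alert
    print(alerting_event_ids(SAMPLE_LOG))
```

Note that the userAgent allowlist is only as strong as the agent string itself, which the caller controls; the rule's author marks it experimental for that kind of reason.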