Created February 8, 2023 18:56
Microsoft Azure Sentinel - Analytical Rules
| Rule | Red team bypass |
|---|---|
| Change To RDS Database | Covers RDS, but where are the checks for Redshift, ElastiCache, etc.? |
| Change To VPC | Only checks for the CreateNetworkAclEntry, CreateRoute, CreateRouteTable, CreateInternetGateway and CreateNatGateway API calls. There are many more APIs that can be used to make changes to a VPC: peering, Transit Gateway, etc. |
| Clear Stop Change Trail Logs | Checks for UpdateTrail, DeleteTrail, StopLogging, DeleteFlowLogs and DeleteEventBus. What about DeleteQueryLoggingConfig or DeleteLogGroup? |
| Created CRUD DynamoDB Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created CRUD IAM to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created CRUD KMS Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created CRUD S3 Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created CRUD Lambda Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created CloudFormation Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created DataPipeline Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created EC2 Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created Glue Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created Lambda Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created SSM Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Creation Of Encrypt Keys Without MFA | Can use a wildcard in the policy Actions to bypass |
| Credential Hijack | Checks for GetCallerIdentity. There are numerous other APIs that can be used to get the caller identity details. |
| Ingress/Egress SecurityGroup Change | As I mentioned for the RDS Security Group check, there are many other security group operations that are missing. |
| Log Tampering | Isn't this the same as Clear Stop Change Trail Logs? Also missing DeleteQueryLoggingConfig. |
| Network ACL Open To All Ports | Checks for CreateNetworkAclEntry and ReplaceNetworkAclEntry. What about deleting an ACL entry using DeleteNetworkAclEntry, especially one that denies traffic on a port? |
| Overly Permissive KMS | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via CRUD IAM Policy | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via CRUD KMS Policy | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via CRUD Lambda Policy | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via CRUD S3 Policy | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via CloudFormation Policy | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via DataPipeline | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via EC2 Policy | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via Glue Policy | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via Lambda Policy | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via SSM | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation via CRUD DynamoDB | Can use a wildcard in the policy Actions to bypass |
| S3 Brute Force | Brute-force attempts using S3 GetObject. What if the caller uses HeadObject? |
| S3 Bucket Access Point Exposed | This can be easily bypassed if a bogus condition that always evaluates to true is used in the policy. |
| S3 Bucket Exposed via Policy | This can be easily bypassed if a bogus condition that always evaluates to true is used in the policy. |
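Added example, not part of the gist or of the Sentinel rules it reviews: a wildcard-aware detection check for the many "Can use wildcard in policy Actions to bypass" rows, run over a constructed CloudTrail PutUserPolicy event. The sensitive-action list, the helper names and the sample event are assumptions for illustration.

```python
import fnmatch
import json
from urllib.parse import quote, unquote

# A few of the privilege-escalation actions the reviewed rules match by exact name (assumed list).
# IAM Action strings are case-insensitive and accept '*' and '?' wildcards, so an exact match
# never sees "iam:*" or "iam:Put*"; this check expands the wildcard before comparing.
SENSITIVE_ACTIONS = {
    "iam:PutUserPolicy", "iam:AttachUserPolicy", "iam:CreatePolicyVersion", "iam:PassRole",
    "lambda:CreateFunction", "lambda:InvokeFunction", "kms:CreateGrant",
    "s3:PutBucketPolicy", "ssm:SendCommand", "dynamodb:PutItem",
}

def action_matches(pattern: str, action: str) -> bool:
    """True when an IAM Action pattern (with * and ? wildcards) covers `action`."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def covered_sensitive_actions(policy_doc: dict) -> set:
    """Sensitive actions granted by any Allow statement, wildcards expanded."""
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be an object, not a list
        statements = [statements]
    covered = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # "Action" may be a string or a list
            actions = [actions]
        for pattern in actions:
            covered |= {a for a in SENSITIVE_ACTIONS if action_matches(pattern, a)}
    return covered

def flag_policy_write(event: dict) -> set:
    """Inspect a CloudTrail IAM policy-write event (PutUserPolicy, PutRolePolicy, ...).
    CloudTrail stores requestParameters.policyDocument as a URL-encoded JSON string."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return set()
    raw = event.get("requestParameters", {}).get("policyDocument")
    return covered_sensitive_actions(json.loads(unquote(raw))) if raw else set()

def make_event(event_name: str, policy: dict) -> dict:
    """Build a constructed CloudTrail-shaped event (sample data, not a real log)."""
    return {"eventSource": "iam.amazonaws.com", "eventName": event_name,
            "requestParameters": {"userName": "example-user", "policyName": "example",
                                  "policyDocument": quote(json.dumps(policy))}}

# Constructed wildcard policy that a rule matching literal action names would not flag.
WILDCARD_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "iam:Put*", "Resource": "*"}]}
```

`flag_policy_write(make_event("PutUserPolicy", WILDCARD_POLICY))` returns `{"iam:PutUserPolicy"}`, which an exact-string rule comparing against the literal `iam:Put*` would have missed.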