Created: February 8, 2023 19:00
Microsoft Azure Sentinel - Hunting Queries
| Rule | Red team bypass |
|---|---|
| Excessive Execution of Discovery Events | Send a User-Agent HTTP header with `aws-cli` in it to bypass this. |
| Failed Brute Force S3 Bucket | Use `HeadObject` instead of `GetObject` to brute force. |
| IAM Access Denied Discovery Events | Send a User-Agent HTTP header that ends with `.amazonaws.com` to bypass this. |
| IAM Policy Change | Checks for `AttachGroupPolicy`, `AttachRolePolicy`, `AttachUserPolicy`, `CreatePolicy`, `DeleteGroupPolicy`, `DeletePolicy`, `DeleteRolePolicy`, `DeleteUserPolicy`, `DetachGroupPolicy`, `PutUserPolicy`, `PutGroupPolicy`, `CreatePolicyVersion`, `DeletePolicyVersion`, `DetachRolePolicy`, `CreatePolicy`. But what about `DetachUserPolicy`, `PutRolePolicy`, `DeleteRolePermissionsBoundary`, `DeleteUserPermissionsBoundary`, `SetDefaultPolicyVersion`, `UpdateAssumeRolePolicy`, etc., which have a similar impact? |
| Modification of Route Table Attributes | Checks for `CreateRoute`, `DeleteRoute`, `ReplaceRoute` API calls. But what about associating or disassociating route tables with subnets? Also doesn't cover Transit Gateway route table related APIs. |
| Network ACL Deleted | Only checks for `DeleteNetworkAclEntry`. An attacker could also add an entry at the top of the NACL entry list to gain access to the resources. |
| Risky Role Name | Seems to be copied from Rhino Security Labs' Pacu. No idea why these words are risky! That said, since the list is public, avoiding these words in the role name will bypass this check. |
| STS to EC2 | When using STS credentials from EC2, use a User-Agent HTTP header that starts with `kubernetes` or `Amazon ECS Agent` to bypass this check. |
| STS to ECS | When using STS credentials from EC2, use a User-Agent HTTP header that starts with `Amazon ECS Agent` to bypass this check. |
| STS to KWN | When using STS credentials from EC2, use a User-Agent HTTP header that starts with `kubernetes` to bypass this check. |
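The rows above share two root causes: the IAM, route table and NACL queries match a fixed list of `eventName` values that leaves out APIs with the same effect, and the discovery and STS queries exempt events based on the User-Agent header, which the caller controls. The following is an added example (not code from the gist or from Azure Sentinel) showing how a defender would close those gaps in plain Python over CloudTrail-style records: the IAM and route table lists are extended with the APIs the table names as missing (plus Transit Gateway route APIs, added here as an assumption), NACL *allow* entries are flagged as well as deletions, and discovery calls are counted per calling identity with no User-Agent exemption. The sample records and the threshold value are constructed for the demo.

```python
import json
from collections import Counter

# Event names the Sentinel "IAM Policy Change" query checks, per the table above.
IAM_POLICY_CHANGE_ORIGINAL = {
    "AttachGroupPolicy", "AttachRolePolicy", "AttachUserPolicy", "CreatePolicy",
    "DeleteGroupPolicy", "DeletePolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "DetachGroupPolicy", "PutUserPolicy", "PutGroupPolicy", "CreatePolicyVersion",
    "DeletePolicyVersion", "DetachRolePolicy",
}
# Event names the table lists as missing despite having a similar impact.
IAM_POLICY_CHANGE_MISSING = {
    "DetachUserPolicy", "PutRolePolicy", "DeleteRolePermissionsBoundary",
    "DeleteUserPermissionsBoundary", "SetDefaultPolicyVersion", "UpdateAssumeRolePolicy",
}
IAM_POLICY_CHANGE_EVENTS = IAM_POLICY_CHANGE_ORIGINAL | IAM_POLICY_CHANGE_MISSING

# The three route APIs the query checks, plus subnet association and Transit Gateway route APIs.
ROUTE_TABLE_EVENTS = {
    "CreateRoute", "DeleteRoute", "ReplaceRoute",
    "AssociateRouteTable", "DisassociateRouteTable", "ReplaceRouteTableAssociation",
    "CreateTransitGatewayRoute", "DeleteTransitGatewayRoute", "ReplaceTransitGatewayRoute",
}

DISCOVERY_PREFIXES = ("Describe", "List", "Get")
DISCOVERY_THRESHOLD = 3  # assumed value for this demo; tune to the environment


def actor(event):
    """Key findings on the calling identity, never on User-Agent (which the caller chooses)."""
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId", "unknown")


def iam_policy_change(event):
    return event.get("eventSource") == "iam.amazonaws.com" and event.get("eventName") in IAM_POLICY_CHANGE_EVENTS


def route_table_change(event):
    return event.get("eventSource") == "ec2.amazonaws.com" and event.get("eventName") in ROUTE_TABLE_EVENTS


def nacl_change(event):
    """Report any entry deletion, or any new/replaced *allow* entry: NACL rules are evaluated
    lowest rule number first, so an allow inserted ahead of a deny overrides it."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return None
    name = event.get("eventName")
    if name == "DeleteNetworkAclEntry":
        return "entry deleted"
    if name in ("CreateNetworkAclEntry", "ReplaceNetworkAclEntry"):
        params = event.get("requestParameters") or {}
        if params.get("ruleAction") == "allow":
            return f"allow entry at rule number {params.get('ruleNumber')}"
    return None


def excessive_discovery(events, threshold=DISCOVERY_THRESHOLD):
    """Count Describe*/List*/Get* calls per identity; no User-Agent value exempts a caller."""
    counts = Counter(actor(e) for e in events if e.get("eventName", "").startswith(DISCOVERY_PREFIXES))
    return {who: n for who, n in counts.items() if n >= threshold}


def run(events):
    """Return (finding type, detail, identity) tuples for a batch of records."""
    findings = []
    for e in events:
        if iam_policy_change(e):
            findings.append(("iam_policy_change", e["eventName"], actor(e)))
        if route_table_change(e):
            findings.append(("route_table_change", e["eventName"], actor(e)))
        detail = nacl_change(e)
        if detail:
            findings.append(("nacl_change", detail, actor(e)))
    for who, n in excessive_discovery(events).items():
        findings.append(("excessive_discovery", f"{n} discovery calls", who))
    return findings


# Constructed CloudTrail-style records (not real telemetry); only the fields used above are present.
SAMPLE_EVENTS = json.loads("""[
 {"eventSource":"iam.amazonaws.com","eventName":"UpdateAssumeRolePolicy",
  "userIdentity":{"arn":"arn:aws:iam::111111111111:user/example-admin"}},
 {"eventSource":"ec2.amazonaws.com","eventName":"AssociateRouteTable",
  "userIdentity":{"arn":"arn:aws:iam::111111111111:user/example-admin"}},
 {"eventSource":"ec2.amazonaws.com","eventName":"CreateNetworkAclEntry",
  "requestParameters":{"networkAclId":"acl-example","ruleNumber":1,"ruleAction":"allow","egress":false,"cidrBlock":"0.0.0.0/0"},
  "userIdentity":{"arn":"arn:aws:iam::111111111111:user/example-admin"}},
 {"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userAgent":"aws-cli/2.0 example",
  "userIdentity":{"arn":"arn:aws:iam::111111111111:user/example-recon"}},
 {"eventSource":"iam.amazonaws.com","eventName":"ListUsers","userAgent":"aws-cli/2.0 example",
  "userIdentity":{"arn":"arn:aws:iam::111111111111:user/example-recon"}},
 {"eventSource":"s3.amazonaws.com","eventName":"GetBucketPolicy","userAgent":"aws-cli/2.0 example",
  "userIdentity":{"arn":"arn:aws:iam::111111111111:user/example-recon"}}
]""")

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

Run as-is, the four sample records that the original queries would miss or exempt (an `UpdateAssumeRolePolicy`, a route table association, an `allow` NACL entry at rule number 1, and three discovery calls carrying an `aws-cli` User-Agent) each produce a finding. The same lists translate directly into the `eventName in (...)` clauses of a KQL hunting query; the point of the identity-keyed counter is that User-Agent belongs in the finding's context fields, not in its filter.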