@spasam
Created February 8, 2023 19:00
Microsoft Azure Sentinel - Hunting Queries
| Rule | Red team bypass |
| --- | --- |
| Excessive Execution of Discovery Events | Send a User-Agent HTTP header with `aws-cli` in it to bypass this. |
| Failed Brute Force S3 Bucket | Use `HeadObject` instead of `GetObject` to brute force. |
| IAM Access Denied Discovery Events | Send a User-Agent HTTP header that ends with `.amazonaws.com` to bypass this. |
| IAM Policy Change | Checks for `AttachGroupPolicy`, `AttachRolePolicy`, `AttachUserPolicy`, `CreatePolicy`, `DeleteGroupPolicy`, `DeletePolicy`, `DeleteRolePolicy`, `DeleteUserPolicy`, `DetachGroupPolicy`, `PutUserPolicy`, `PutGroupPolicy`, `CreatePolicyVersion`, `DeletePolicyVersion`, `DetachRolePolicy`, `CreatePolicy`. But what about `DetachUserPolicy`, `PutRolePolicy`, `DeleteRolePermissionsBoundary`, `DeleteUserPermissionsBoundary`, `SetDefaultPolicyVersion`, `UpdateAssumeRolePolicy`, etc., which have a similar impact? |
| Modification of Route Table Attributes | Checks for `CreateRoute`, `DeleteRoute`, `ReplaceRoute` API calls. But what about associating or disassociating route tables with subnets? Also doesn't cover Transit Gateway route table related APIs. |
| Network ACL Deleted | Only checks for `DeleteNetworkAclEntry`. An attacker could also add an entry at the top of the NACL entry list to gain access to the resources. |
| Risky Role Name | Seems to be copied from RhinoSecurity Pacu. No idea why these words are risky! That said, since this list is public, avoiding these words in the role name will bypass this check. |
| STS to EC2 | When using STS credentials from EC2, use a User-Agent HTTP header that starts with `kubernetes` or `Amazon ECS Agent` to bypass this check. |
| STS to ECS | When using STS credentials from EC2, use a User-Agent HTTP header that starts with `Amazon ECS Agent` to bypass this check. |
| STS to KWN | When using STS credentials from EC2, use a User-Agent HTTP header that starts with `kubernetes` to bypass this check. |
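The two coverage gaps in the table that come down to an incomplete event-name list (IAM Policy Change and Network ACL Deleted) can be checked offline by replaying CloudTrail records against the narrow list and a widened one. The script below is an added example, not part of the gist and not Microsoft's or Sentinel's query logic. The CloudTrail records are constructed for the demonstration; the `ruleNumber`/`ruleAction` request parameters for `CreateNetworkAclEntry` and the "rule number at or below 100 counts as top of the list" threshold are assumptions used only to illustrate the NACL case.

```python
"""Replay constructed CloudTrail records against the event-name lists from the
gist to show which IAM policy and NACL changes a narrow list misses.
Added example; not Sentinel's actual hunting queries."""

# Event names the gist says the "IAM Policy Change" hunting query checks.
IAM_POLICY_CHANGE_ORIGINAL = {
    "AttachGroupPolicy", "AttachRolePolicy", "AttachUserPolicy", "CreatePolicy",
    "DeleteGroupPolicy", "DeletePolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "DetachGroupPolicy", "PutUserPolicy", "PutGroupPolicy", "CreatePolicyVersion",
    "DeletePolicyVersion", "DetachRolePolicy",
}

# Event names the gist lists as having a similar impact but not being checked.
IAM_POLICY_CHANGE_EXTRA = {
    "DetachUserPolicy", "PutRolePolicy", "DeleteRolePermissionsBoundary",
    "DeleteUserPermissionsBoundary", "SetDefaultPolicyVersion",
    "UpdateAssumeRolePolicy",
}
IAM_POLICY_CHANGE_EXTENDED = IAM_POLICY_CHANGE_ORIGINAL | IAM_POLICY_CHANGE_EXTRA

# Assumption: an allow entry numbered at or below this sits ahead of the
# typical 100/200/... rule numbering and therefore "at the top of the list".
TOP_OF_LIST_RULE_NUMBER = 100

# Constructed CloudTrail records (trimmed to the fields the checks need).
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy"},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy"},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateAssumeRolePolicy"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteNetworkAclEntry",
     "requestParameters": {"networkAclId": "acl-0000example", "ruleNumber": 100,
                           "egress": False}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkAclEntry",
     "requestParameters": {"networkAclId": "acl-0000example", "ruleNumber": 1,
                           "ruleAction": "allow", "egress": False,
                           "cidrBlock": "0.0.0.0/0"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]


def iam_policy_change_hits(records, event_names):
    """Return the names of IAM events that match the given event-name list,
    in record order. Pass ORIGINAL and EXTENDED to compare coverage."""
    return [r["eventName"] for r in records
            if r["eventSource"] == "iam.amazonaws.com"
            and r["eventName"] in event_names]


def nacl_change_hits(records, extended):
    """Return NACL events the rule would flag.

    extended=False mirrors the gist's description: DeleteNetworkAclEntry only.
    extended=True also flags CreateNetworkAclEntry when the new entry is an
    allow rule numbered low enough to be evaluated before existing entries,
    which is the gap the gist points out."""
    hits = []
    for r in records:
        if r["eventSource"] != "ec2.amazonaws.com":
            continue
        name = r["eventName"]
        if name == "DeleteNetworkAclEntry":
            hits.append(name)
        elif extended and name == "CreateNetworkAclEntry":
            params = r.get("requestParameters", {})
            if (params.get("ruleAction") == "allow"
                    and int(params.get("ruleNumber", 32767)) <= TOP_OF_LIST_RULE_NUMBER):
                hits.append(name)
    return hits


def missed_by_original(records):
    """Event names the widened checks catch that the narrow ones do not."""
    iam_missed = set(iam_policy_change_hits(records, IAM_POLICY_CHANGE_EXTENDED)) \
        - set(iam_policy_change_hits(records, IAM_POLICY_CHANGE_ORIGINAL))
    nacl_missed = set(nacl_change_hits(records, True)) \
        - set(nacl_change_hits(records, False))
    return sorted(iam_missed | nacl_missed)


if __name__ == "__main__":
    print("missed by the narrow lists:", missed_by_original(SAMPLE_RECORDS))
```

Running the block prints the three event names the narrow lists let through (`CreateNetworkAclEntry`, `PutRolePolicy`, `UpdateAssumeRolePolicy`). Swapping `SAMPLE_RECORDS` for records pulled from a real trail is the quickest way to confirm whether a given rule's event-name list is still the one the gist describes.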