cscli scenarios install crowdsecurity/aws-cloudtrail-postexploit
These scenarios require the crowdsecurity/aws-cloudtrail parser. They detect API calls commonly used for enumeration after a compromise (identity lookups, listing of IAM policies, S3 buckets, Lambda functions, EC2 instances and account attributes), so one of them triggering can be an indication that credentials or a principal have been compromised. There are two scenarios here; one is noisier and is meant for environments where security standards are high and the extra false positives are acceptable.
type: conditional
name: crowdsecurity/aws-cloudtrail-postexploit
description: "postexploitation detection (noisy)"
#debug: true
capacity: -1
leakspeed: 1m
distinct: evt.Meta.event_name
filter: evt.Meta.log_type == 'aws-cloudtrail'
condition: |
  count(queue.Queue, #.Meta.event_name in ["ListUserPolicies", "ListPolicies", "ListBuckets", "ListApplications", "DescribeInstances", "GetCallerIdentity", "GetFunctions", "DescribeAccountAttributes", "ListResources"] or #.Meta.event_name startsWith "ListFunctions") > 2
blackhole: 1m
reprocess: true
groupby: evt.Meta.source_ip
scope:
  type: AwsARN
  expression: evt.Meta.user_arn
labels:
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1087
    - attack.T1526
  behavior: "cloud:audit"
  label: "AWS post-exploitation detection"
  service: aws
  cti: false
  remediation: false
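To make the bucket logic above concrete, here is an added Python simulation of the scenario run over a few constructed CloudTrail records. It is illustrative code written for this page, not CrowdSec's engine or anything from the crowdsecurity Hub: the parser is a stand-in for crowdsecurity/aws-cloudtrail, the leaky bucket is approximated as "one queued event drains per elapsed leakspeed interval", and the records, ARNs and IP addresses are invented sample data. The event names, threshold, leakspeed, blackhole and scope are copied from the YAML. It also shows two behaviours a practitioner should expect: repeated calls to the same API do not count twice (distinct), and enumeration spaced more than a minute apart leaks out before it can reach the threshold.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# Values copied from the scenario YAML on this page.
ENUM_CALLS = {"ListUserPolicies", "ListPolicies", "ListBuckets", "ListApplications",
              "DescribeInstances", "GetCallerIdentity", "GetFunctions",
              "DescribeAccountAttributes", "ListResources"}
LEAKSPEED = timedelta(minutes=1)   # leakspeed: 1m
BLACKHOLE = timedelta(minutes=1)   # blackhole: 1m
THRESHOLD = 2                      # condition: count(...) > 2


def parse_cloudtrail(record):
    """Stand-in for the crowdsecurity/aws-cloudtrail parser (not the real one):
    map CloudTrail's eventName / sourceIPAddress / userIdentity.arn / eventTime
    onto the evt.Meta fields the scenario references."""
    return {
        "log_type": "aws-cloudtrail",
        "event_name": record["eventName"],
        "source_ip": record["sourceIPAddress"],
        "user_arn": record.get("userIdentity", {}).get("arn", ""),
        "time": datetime.strptime(
            record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
    }


def is_enum_call(name):
    """The per-event part of the condition: listed name, or any ListFunctions* variant."""
    return name in ENUM_CALLS or name.startswith("ListFunctions")


class Bucket:
    """One bucket per groupby key (source_ip). capacity: -1 means it never
    overflows on size; only the condition expression can trigger it."""
    def __init__(self, now):
        self.queue = deque()   # queue.Queue in the condition: retained events, oldest first
        self.last_leak = now

    def leak(self, now):
        # Simplified leaky bucket: one event drains per full leakspeed interval.
        intervals = int((now - self.last_leak) / LEAKSPEED)
        if intervals > 0:
            for _ in range(min(intervals, len(self.queue))):
                self.queue.popleft()
            self.last_leak += intervals * LEAKSPEED

    def push(self, evt):
        # distinct: evt.Meta.event_name -- a name already in the queue is not added again
        if all(e["event_name"] != evt["event_name"] for e in self.queue):
            self.queue.append(evt)

    def enum_count(self):
        return sum(1 for e in self.queue if is_enum_call(e["event_name"]))


def run_scenario(records):
    """Feed time-ordered CloudTrail records through the scenario; return the alerts."""
    buckets, blackholed_until, alerts = {}, {}, []
    for record in records:
        evt = parse_cloudtrail(record)
        if evt["log_type"] != "aws-cloudtrail":          # filter
            continue
        key = evt["source_ip"]                            # groupby
        if key in blackholed_until and evt["time"] < blackholed_until[key]:
            continue                                      # blackhole: no re-alert for 1m
        bucket = buckets.setdefault(key, Bucket(evt["time"]))
        bucket.leak(evt["time"])
        bucket.push(evt)
        if bucket.enum_count() > THRESHOLD:               # condition true -> overflow
            alerts.append({
                "scope": "AwsARN",                        # scope.type
                "value": evt["user_arn"],                 # scope.expression
                "source_ip": key,
                "events": [e["event_name"] for e in bucket.queue],
            })
            blackholed_until[key] = evt["time"] + BLACKHOLE
            del buckets[key]                              # overflowed bucket is discarded
    return alerts


def cloudtrail_record(event_time, event_name, source_ip, arn):
    """Constructed CloudTrail record carrying only the fields the parser reads."""
    return {"eventTime": event_time, "eventName": event_name,
            "sourceIPAddress": source_ip, "userIdentity": {"arn": arn}}


# Constructed sample data (invented account, ARNs and documentation-range IPs):
# a fast enumeration burst, one harmless call from elsewhere, and slow enumeration.
FAST_ARN = "arn:aws:iam::111122223333:user/compromised-ci"
SLOW_ARN = "arn:aws:iam::111122223333:user/patient-attacker"
ADMIN_ARN = "arn:aws:iam::111122223333:user/admin"
SAMPLE_RECORDS = [
    cloudtrail_record("2024-05-01T10:00:00Z", "GetCallerIdentity", "203.0.113.10", FAST_ARN),
    cloudtrail_record("2024-05-01T10:00:02Z", "ListPolicies", "192.0.2.5", SLOW_ARN),
    cloudtrail_record("2024-05-01T10:00:05Z", "GetCallerIdentity", "203.0.113.10", FAST_ARN),  # dropped by distinct
    cloudtrail_record("2024-05-01T10:00:10Z", "ListBuckets", "203.0.113.10", FAST_ARN),
    cloudtrail_record("2024-05-01T10:00:12Z", "GetCallerIdentity", "198.51.100.7", ADMIN_ARN),
    cloudtrail_record("2024-05-01T10:00:20Z", "ListFunctions20150331", "203.0.113.10", FAST_ARN),  # 3rd distinct: alert
    cloudtrail_record("2024-05-01T10:00:25Z", "DescribeInstances", "203.0.113.10", FAST_ARN),  # blackholed
    cloudtrail_record("2024-05-01T10:02:02Z", "ListBuckets", "192.0.2.5", SLOW_ARN),  # earlier call already leaked
    cloudtrail_record("2024-05-01T10:04:02Z", "DescribeInstances", "192.0.2.5", SLOW_ARN),
]

if __name__ == "__main__":
    for alert in run_scenario(SAMPLE_RECORDS):
        print(alert)
```

Running it yields exactly one alert, scoped to the AwsARN of the burst from 203.0.113.10 with three distinct enumeration calls in the queue; the slow enumeration from 192.0.2.5 never alerts because each call has leaked out before the next arrives, which is the trade-off a 1m leakspeed buys in exchange for fewer false positives.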