aws-cis-benchmark-iam-policy-change Scenario

« aws-cis-benchmark-iam-policy-change »
v0.3 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1098confidence:3

Detect AWS IAM policy change

Installation

cscli scenarios install crowdsecurity/aws-cis-benchmark-iam-policy-change

Description

Detects AWS IAM policy changes (Section 4.4 of CIS AWS Foundation Benchmark 1.4.0 ).

YAML Configuration

1type: trigger
2name: crowdsecurity/aws-cis-benchmark-iam-policy-change
3description: "Detect AWS IAM policy change"
4filter: |
5  evt.Meta.log_type == 'aws-cloudtrail' &&
6  (
7    evt.Meta.event_name == "DeleteGroupPolicy" ||
8    evt.Meta.event_name == "DeleteRolePolicy" ||
9    evt.Meta.event_name == "DeleteUserPolicy" ||
10    evt.Meta.event_name == "PutGroupPolicy" ||
11    evt.Meta.event_name == "PutRolePolicy" ||
12    evt.Meta.event_name == "PutUserPolicy" ||
13    evt.Meta.event_name == "CreatePolicy" ||
14    evt.Meta.event_name == "DeletePolicy" ||
15    evt.Meta.event_name == "CreatePolicyVersion" ||
16    evt.Meta.event_name == "DeletePolicyVersion" ||
17    evt.Meta.event_name == "AttachRolePolicy" ||
18    evt.Meta.event_name == "DetachRolePolicy" ||
19    evt.Meta.event_name == "AttachUserPolicy" ||
20    evt.Meta.event_name == "DetachUserPolicy" ||
21    evt.Meta.event_name == "AttachGroupPolicy" ||
22    evt.Meta.event_name == "DetachGroupPolicy"
23  )
24labels:
25  confidence: 3
26  spoofable: 0
27  classification:
28    - attack.T1098.003
29  behavior: "cloud:audit"
30  label: "AWS IAM persistent access"
31  service: aws
32  cti: false
33  remediation: false
34

Hub configuration

« aws-cis-benchmark-iam-policy-change »v0.3 by crowdsecurityAttack scenarioservice:awsspoofable:0MITRE:T1098confidence:3

« aws-cis-benchmark-iam-policy-change »
v0.3 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1098confidence:3