aws-cis-benchmark-root-usage Scenario

« aws-cis-benchmark-root-usage »
v0.3 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1078MITRE:T1098confidence:3

Detect AWS root account usage

Installation

cscli scenarios install crowdsecurity/aws-cis-benchmark-root-usage

Description

Detects usage of the AWS root account based on cloutrail logs (Section 1.7 of CIS AWS Foundation Benchmark 1.4.0 ).

YAML Configuration

1type: trigger
2name: crowdsecurity/aws-cis-benchmark-root-usage
3description: "Detect AWS root account usage"
4filter: |
5  evt.Meta.log_type == 'aws-cloudtrail' &&
6  evt.Unmarshaled.cloudtrail.userIdentity.type == "Root" &&
7  evt.Unmarshaled.cloudtrail.userIdentity.invokedBy == nil &&
8  evt.Unmarshaled.cloudtrail.eventType != "AwsServiceEvent"
9labels:
10  confidence: 3
11  spoofable: 0
12  classification:
13    - attack.T1078
14    - attack.T1098
15  behavior: "cloud:unusual-activity"
16  label: "AWS root account usage"
17  service: aws
18  cti: false
19  remediation: false
20

Hub configuration

« aws-cis-benchmark-root-usage »v0.3 by crowdsecurityAttack scenarioservice:awsspoofable:0MITRE:T1078MITRE:T1098confidence:3

« aws-cis-benchmark-root-usage »
v0.3 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1078MITRE:T1098confidence:3