AWS CloudTrail

Coralogix Extension For AWS CloudTrail Includes:

Dashboards - 2

Gain instantaneous visualization of all your AWS CloudTrail data.

AWS Cloudtrail Overview Dashboard
AWS Cloudtrail - Events Anomaly Overview Dashboard

Alerts - 25

Stay on top of AWS CloudTrail key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Internet Gateway Created or Modified

An internet gateway is a horizontally scaled VPC component that allows communication between your VPC and the internet. When unknown activity involving an internet gateway is detected, an investigation is advised to rule out an attack.
Impact: Creation or modification of an internet gateway where none previously existed can indicate an attacker trying to create an outbound connection to a C2 server or to carry out other internet-facing malicious activity.
Mitigation: Inspect the creation or changes and make sure they are authorized. Remove or revert the changes if they are not.
MITRE Tactic: TA0005 MITRE Technique: T1562

IAM Inline Policy Attached

AWS best practice for privilege delegation is to use group policies. If your organization adheres to AWS best practices, attaching an inline policy directly to a user requires further examination.
Impact: Privilege escalation can allow an attacker to commit malicious actions in your network in many ways.
Mitigation: Review whether this user should have been given these privileges, and remove or revoke them if not. If the action was not authorized, investigate the user further to determine whether the account was compromised.
MITRE Tactic: TA0004 MITRE Technique: T1078

Trail Modified

CloudTrail helps enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or AWS service are recorded as events in CloudTrail and should be reviewed and approved.
Impact: Unauthorized changes to the CloudTrail configuration can indicate malicious action and influence how logs are processed and recorded.
Mitigation: The CloudTrail configuration shouldn't change much after it has been defined. Review the user who made the changes and confirm that the changes are legitimate. If malicious activity is suspected, revert the changes and investigate the user who made them, along with that user's surrounding actions, to determine the impact.
MITRE Tactic: TA0005 MITRE Technique: T1562

Anomalous AWS User Executed A Command on ECS Container

In a production environment, directly executing a command in a container is often considered a risky practice from a security perspective.
Impact: An unauthorized user running commands inside an ECS container could indicate malicious activity.
Mitigation: Review the command and the user who ran it, and check whether any other commands have been run. If the activity seems suspicious or malicious, block the user or revoke their permissions and investigate further.
MITRE Tactic: TA0001 MITRE Technique: T1078

Security Hub Was Disabled

AWS Security Hub helps manage cloud security posture by performing security best practice checks, aggregating alerts, and enabling automated remediation.
Impact: Disabling AWS Security Hub is malicious behaviour, as in 99.9% of cases there is no reason to disable security controls that are already in place.
Mitigation: Re-enable Security Hub and investigate which user performed the action and why. Block and isolate as needed.
MITRE Tactic: TA0005 MITRE Technique: T1562 MITRE Sub-Technique: 001

Root Account Activity Detected

The root account is the most important user in the account. As a security best practice, keep use of the root account to the bare minimum and only when it is needed.
Impact: Use of the root account is a highly irregular event and can therefore indicate suspicious or malicious activity.
Mitigation: Review the specific commands the user performed and decide whether they are legitimate. Consult the account owner regarding this usage. As a best practice, avoid using the root account; instead delegate permissions to IAM users or assign them a role with pre-existing permissions.
MITRE Tactic: TA0004 MITRE Technique: T1078

A GuardDuty Detector Has Been Deleted

GuardDuty detectors are deployed per region to monitor activity in each region.
Impact: Deletion of a GuardDuty detector can indicate an attacker removing GuardDuty from specific regions to hide malicious activity.
Mitigation: Investigate the removal of the GuardDuty detector. If the activity wasn't authorized, revert the change and investigate the user who made it for any other malicious activity.
MITRE Tactic: TA0005 MITRE Technique: T1562 MITRE Sub-Technique: 001

AMI Made Public

An Amazon Machine Image (AMI) provides the information required to launch an instance, and a single AMI can be used to launch multiple instances with the same configuration. When an AMI is created from an EC2 instance, it contains all settings and applications that were installed on that instance.
Impact: When an AMI is made public, an unwanted party could use it to create a duplicate EC2 instance with the same data and configuration as the original, exposing internal system information and configuration (or worse) to the world.
Mitigation: Investigate why the AMI was made public. Remove public access if it wasn't necessary, and investigate further if malicious activity (rather than a misconfiguration) is suspected.
MITRE Tactic: TA0001 MITRE Technique: T1190

AWS Flow Logs Deleted

Flow Logs are an AWS feature that logs all network activity in a VPC.
Impact: Deletion of Flow Logs can be a malicious action by an attacker to hide their activity in the network. Flow Logs deletion should therefore be investigated and validated as intentional.
Mitigation: Investigate who deleted the Flow Logs and why, and investigate further if malicious activity is suspected.
MITRE Tactic: TA0005 MITRE Technique: T1562 MITRE Sub-Technique: 008

Root Account Logged In To AWS Console Without MFA

The root account is the most important user in the account. As a security best practice, keep use of the root account to the bare minimum and only when it is needed. Unauthorized use of the root account is a highly irregular event and should be investigated.
Impact: It is a security best practice to always use Multi-Factor Authentication, especially on the root account. A successful root account login without MFA should be addressed immediately, since the root account can perform any action in AWS.
Mitigation: Investigate the activity, revoke permissions as needed, and enable MFA. Consider contacting AWS if an attacker has already performed malicious activities in the account.
MITRE Tactic: TA0004 MITRE Technique: T1078

New Region Activity Detected

When an organization is active in certain regions, it is important to know when activity is detected in other regions. If an environment is compromised, a threat actor may use less active or inactive regions to avoid detection.
Impact: New region activity can indicate malicious activity by a threat actor and incur cloud resource costs.
Mitigation: Use IAM to control access to different regions and disable access to unused regions.
MITRE Tactic: TA0001 MITRE Technique: T1078 MITRE Sub-Technique: 004

User Console Login Without MFA

It is a security best practice to always use Multi-Factor Authentication on all accounts in your environment to prevent unauthorized users or systems from accessing resources in the AWS account.
Impact: Not using MFA exposes your systems to credential theft and brute-force attacks by automated tools and generally lowers the security level of any internet-facing system.
Mitigation: Enable MFA as a mandatory policy for every AWS user.
MITRE Tactic: TA0004 MITRE Technique: T1078
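As an added example (not part of the Coralogix extension), the following Python evaluates constructed CloudTrail records against the root-activity and console-login-without-MFA conditions described above. The records follow the CloudTrail ConsoleLogin event shape (userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin); the account ID and user names are made up.

```python
# Constructed sample CloudTrail records (not real log data). Field names follow
# the CloudTrail ConsoleLogin event shape; the account ID and names are made up.
ROOT_ARN = "arn:aws:iam::111122223333:root"
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventTime": "2024-01-10T08:00:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-01-10T08:05:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-01-10T08:07:00Z",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Failed root login: root activity, but not a successful login without MFA.
    {"eventName": "ConsoleLogin", "eventTime": "2024-01-10T08:09:00Z",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    # Any API call by root, not just a login, counts as root account activity.
    {"eventName": "DescribeInstances", "eventTime": "2024-01-10T08:10:00Z",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN}},
]


def classify(event):
    """Return the alert names a single CloudTrail record should raise."""
    alerts = []
    identity = event.get("userIdentity", {})
    is_root = identity.get("type") == "Root"
    if is_root:
        alerts.append("Root Account Activity Detected")
    if event.get("eventName") == "ConsoleLogin":
        success = event.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa_used = event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        # Only a successful login without MFA is actionable per the alerts above.
        if success and not mfa_used:
            alerts.append("Root Account Logged In To AWS Console Without MFA"
                          if is_root else "User Console Login Without MFA")
    return alerts


def scan(events):
    """Map each triggered alert name to the principals that triggered it."""
    findings = {}
    for event in events:
        identity = event.get("userIdentity", {})
        principal = identity.get("userName") or identity.get("arn", "unknown")
        for name in classify(event):
            findings.setdefault(name, []).append(principal)
    return findings


if __name__ == "__main__":
    for name, who in scan(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(who)}")
```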

AWS Cloudtrail - EIP Transfer Enabled

Transfer of an Elastic IP (EIP) address to other AWS accounts has been enabled.
Impact: An adversary can enable the transfer of EIP addresses and then transfer them to an attacker-controlled account. This allows an attacker to host their own malicious site on a company-allocated IP address that is still considered trusted because it belongs to the organization. For more details on this attack vector, see the following article: https://www.mitiga.io/blog/elastic-ip-hijacking-a-new-attack-vector-in-aws
Mitigation: Verify that the action was intended and authorized. As this alert only detects the enablement of the transfer, verify whether the IP was already transferred: a transferred IP is removed from the account's address list and added to the destination account, and no further indication is given once an IP has been transferred. To check the status of a transfer, call the DescribeAddressTransfers EC2 API, which lists all transfers and their status. If the IP wasn't transferred, consider disabling the transfer; if it was, investigate further, and if malicious activity is suspected, consider blacklisting the IP or contacting AWS for further details.

SSO Role Has Been Modified

This rule detects whether an SSO role has been modified. SSO allows users to sign in to multiple AWS accounts and business applications using a single set of credentials.
Impact: An adversary could modify an SSO role to grant themselves or other unauthorized users access to AWS resources and services. They could also modify an SSO role to allow access to sensitive data, which could then be exfiltrated from the AWS environment.
Mitigation: To limit the impact of SSO modifications by an adversary, restrict the permissions of SSO roles to only what is necessary for their intended use, and regularly review and audit SSO roles and permissions to detect and prevent unauthorized modifications.
MITRE Tactic: TA0005 MITRE Technique: T1562

Service Control Policy Has Been Modified

This rule detects whether a Service Control Policy (SCP) has been modified. SCPs allow administrators to define fine-grained permissions for the AWS accounts and services within an AWS organization. They are applied at the root level of the organization and enforce restrictions and compliance requirements across all member accounts.
Impact: The impact of SCP modification by an adversary depends on the specific changes made to the policy. For example, an attacker may modify an SCP to grant themselves or a compromised account additional permissions, giving them access to sensitive data or critical resources. Alternatively, an attacker may modify an SCP to deny permissions to legitimate users, causing downtime or data loss.
Mitigation: To reduce the risk of SCP modification by an adversary, apply the principle of least privilege: grant users and resources only the permissions they need to perform their tasks, and avoid granting broad permissions that an attacker could exploit.
MITRE Tactic: TA0005 MITRE Technique: T1562

A Scheduled Key Deletion Has Been Modified

This rule detects whether a scheduled key deletion has been modified. A scheduled key deletion is a process by which keys are permanently deleted after a specified waiting period. This waiting period is a safeguard against accidental deletion and gives you time to recover the key if necessary.
Impact: If an adversary is able to modify the scheduled deletion of an AWS KMS (Key Management Service) key, they may extend the life of the key beyond its intended expiration date. This could allow the adversary to continue accessing data encrypted under the key, even after it was supposed to have been deleted.
Mitigation: To reduce the risk of scheduled key deletion modification by an adversary, closely monitor AWS CloudTrail logs for any unauthorized changes to scheduled key deletion dates. Additionally, implement security controls such as multi-factor authentication (MFA) to restrict access to AWS KMS, and ensure that only authorized personnel have permission to modify key deletion schedules.
MITRE Tactic: TA0005 MITRE Technique: T1562

Trail Logging Stopped

This alert triggers when an AWS CloudTrail trail has stopped logging events. AWS CloudTrail is the mechanism that logs activity in the AWS environment and gives visibility into what actions were taken on the platform.
Impact: When logging is stopped, identifying a malicious actor becomes almost impossible, as no data about their activity is shipped.
Mitigation: Validate the reason for this activity and, if needed, investigate further according to company policy. Re-enable CloudTrail logging.
MITRE Tactic: TA0005 MITRE Technique: T1562

WAF Access Control List Deleted or Modified

A WAF (web application firewall) is a system that allows or blocks access to web applications from certain locations or via insecure methods.
Impact: Unauthorized WAF changes could indicate attacker activity and expose customer applications to attacks. Changes to AWS WAF ACLs should be reviewed and validated, and any unauthorized actions investigated.
Mitigation: Investigate what the ACL change was (what was denied or allowed) and decide whether it was legitimate or malicious. Revert the changes if needed and investigate further.
MITRE Tactic: TA0003 MITRE Technique: T1098

WAF Rule or Rule Group Deleted

Changing WAF rules can allow or deny access to web applications or the internal network. Rule changes should only be made by authorized personnel, and should be investigated and validated by security staff.
Impact: Rule changes can allow attackers to access your network or allow C2 communication to the outside.
Mitigation: Review the changes and decide whether they are authorized. If not, investigate further: what do the changes allow or disallow, which user made them, and was that user permitted to do so. Revert the changes as needed.
MITRE Tactic: TA0005 MITRE Technique: T1562 MITRE Sub-technique: 004

Trail Deleted

This alert triggers when CloudTrail trails are deleted. CloudTrail helps enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or AWS service are recorded as events in CloudTrail and should be reviewed and approved.
Impact: Attempts to delete trails may indicate malicious activity. To avoid logging or detection of their actions, attackers who have entered the AWS environment might delete trails to cover their tracks.
Mitigation: If a trail is deleted, check whether the action was known and legitimate. If not, investigate further for any other malicious activity.
MITRE Tactic: TA0005 MITRE Technique: T1562

AWS Identity Center Identity Provider Changed

This alert triggers when the AWS Identity Center (formerly AWS SSO) identity provider is changed. A change of identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
Impact:
1. User Impersonation: An attacker gains access to an administrator's credentials and changes the Identity Provider (IdP) to one they control. They then impersonate the administrator and grant themselves unauthorized access or privileges.
2. Man-in-the-Middle (MitM) Attack: An attacker intercepts authentication traffic between users and the new IdP, capturing credentials and gaining access to users' accounts.
3. Misconfiguration: Accidental or malicious misconfiguration of the new IdP could introduce vulnerabilities, allowing attackers to exploit mismatches in user identities or authorization policies.
4. Supply Chain Attack: If the new IdP itself is compromised, attackers could leverage that compromise to gain access to all users authenticating through it.
Mitigation: Check whether the changes were legitimate. If not, revoke them and investigate further for any malicious activity.
MITRE Tactic: TA0003 MITRE Technique: T1098

Building Block - More Than Usual Errors

This alert triggers whenever AWS CloudTrail events result in more than the usual number of failures/errors.
Notes:
1. This might result in false positives. Adjust the threshold value to your business requirements.
2. For this alert to work, enrich the field 'eventname' in the custom enrichment. This enrichment depends on a CSV file containing the important CloudTrail events, i.e. the event names usually seen in CloudTrail logs during an attack.
Impact: A high number of error codes for the logged important events could indicate suspicious or malicious activity in the environment.
Mitigation: The logged events that produced the error codes could be part of day-to-day legitimate activity, so validate the legitimacy of these events and their error codes. If the user is unaware of these actions, investigate further for malicious activity.

Building Block - Multiple Error Types

This alert triggers whenever more than one type of error code is seen within a 20-minute interval for CloudTrail events from a single user.
Notes:
1. This might result in false positives. Adjust the threshold value to your business requirements.
2. For this alert to work, enrich the field 'eventname' in the custom enrichment. This enrichment depends on a CSV file containing the important CloudTrail events, i.e. the event names usually seen in CloudTrail logs during an attack.
Impact: A high number of error codes for the logged important events could indicate suspicious or malicious activity in the environment.
Mitigation: The logged events that produced the error codes could be part of day-to-day legitimate activity, so validate the legitimacy of these events and their error codes. If the user is unaware of these actions, investigate further for malicious activity.

Building Block - Multiple Events Detected (By User)

This alert triggers whenever more than 15 unique CloudTrail events are seen from a single user within a 20-minute interval.
Notes:
1. This might result in false positives. Adjust the threshold value to your business requirements.
2. For this alert to work, enrich the field 'eventname' in the custom enrichment. This enrichment depends on a CSV file containing the important CloudTrail events, i.e. the event names usually seen in CloudTrail logs during an attack.
Impact: Multiple unique CloudTrail events from the same user within a very short interval could indicate suspicious or malicious activity in the environment.
Mitigation: These events could be part of day-to-day legitimate activity, so validate their legitimacy. If the user is unaware of these actions, investigate further for malicious activity.

Flow Alert - Possible Anomaly Detected

This flow alert triggers whenever multiple CloudTrail events are logged for a user within a short interval of time and some or all of them are logged with an error.
Notes:
1. This might result in false positives. Adjust the threshold value to your business requirements.
2. For this alert to work, enrich the field 'eventname' in the custom enrichment. This enrichment depends on a CSV file containing the important CloudTrail events, i.e. the event names usually seen in CloudTrail logs during an attack.
Impact: When CloudTrail logs events with error codes, the error codes can indicate various issues or potential security threats. The key impacts from a security point of view are:
1. Unauthorized Access Attempts: AccessDenied indicates that an entity tried to perform an action for which it does not have the necessary permissions. Repeated AccessDenied errors may signify attempted unauthorized access or privilege escalation.
2. Brute Force Attacks: IncorrectAuthentication could indicate failed login attempts, possibly signifying brute-force attacks or unauthorized access attempts using stolen credentials.
3. Misconfiguration and Mismanagement: ThrottlingException occurs when request limits are exceeded. It might suggest that an application or user is making excessive API calls, possibly as a result of a Denial of Service (DoS) attack or misconfigured automation scripts.
Mitigation: These events could be part of day-to-day legitimate activity, so validate the legitimacy of these events and the error codes generated. If the user is unaware of these actions, investigate further for malicious activity.
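The three building blocks and the flow alert above, as an added Python example (not the extension's own rule logic): a per-user 20-minute sliding window over constructed, flattened CloudTrail records. The IMPORTANT_EVENTS set stands in for the CSV enrichment, the sample records and principal names are constructed, and the flow alert's minimum of three distinct events is an assumption.

```python
from datetime import datetime, timedelta

# Constructed stand-in for the CSV enrichment of "important" CloudTrail event
# names; these are real CloudTrail eventName values behind the alerts above.
IMPORTANT_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "DeleteFlowLogs", "DeleteDetector",
    "DisableSecurityHub", "PutUserPolicy", "PutRolePolicy", "CreateInternetGateway",
    "ModifyImageAttribute", "EnableAddressTransfer", "ScheduleKeyDeletion",
    "CancelKeyDeletion", "DeleteWebACL", "DeleteRuleGroup", "ExecuteCommand",
    "CreateUser", "CreateAccessKey",
}
WINDOW = timedelta(minutes=20)

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _mk(user, minute, name, error=None):
    """Build a flattened, constructed CloudTrail record (user, eventName, time)."""
    event = {"user": user, "eventName": name,
             "eventTime": f"2024-01-10T09:{minute:02d}:00Z"}
    if error:
        event["errorCode"] = error
    return event

SAMPLE_EVENTS = (
    # Normal admin: two important events, 29 minutes apart, no errors.
    [_mk("admin", 1, "CreateUser"), _mk("admin", 30, "CreateAccessKey")]
    # Suspicious principal: 16 distinct important events in 16 minutes,
    # two of which failed with different error codes.
    + [_mk("svc-ci", i, name) for i, name in enumerate(sorted(IMPORTANT_EVENTS)[:16])]
    + [_mk("svc-ci", 12, "DeleteTrail", "AccessDenied"),
       _mk("svc-ci", 13, "StopLogging", "ThrottlingException")]
)

def analyse(events, unique_threshold=15, error_count_threshold=1,
            error_types_threshold=1, flow_min_events=3):
    """Evaluate the building blocks per user over a sliding 20-minute window.
    Returns {user: set of alert names}. Only IMPORTANT_EVENTS count, mirroring
    the enrichment note above; the flow_min_events value is an assumption."""
    per_user = {}
    for event in events:
        if event["eventName"] in IMPORTANT_EVENTS:
            per_user.setdefault(event["user"], []).append(event)
    findings = {}
    for user, user_events in per_user.items():
        user_events.sort(key=_ts)
        window = []
        for event in user_events:
            window.append(event)
            window = [e for e in window if _ts(e) >= _ts(event) - WINDOW]
            unique_names = {e["eventName"] for e in window}
            errors = [e["errorCode"] for e in window if e.get("errorCode")]
            hits = findings.setdefault(user, set())
            if len(unique_names) > unique_threshold:
                hits.add("Multiple Events Detected (By User)")
            if len(errors) > error_count_threshold:
                hits.add("More Than Usual Errors")
            if len(set(errors)) > error_types_threshold:
                hits.add("Multiple Error Types")
            if len(unique_names) >= flow_min_events and errors:
                hits.add("Possible Anomaly Detected")
    return {user: hits for user, hits in findings.items() if hits}
```

The admin's two events fall in separate windows, so lowering unique_threshold to 1 still does not flag them; the thresholds map to the tunable values mentioned in the notes.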

Integration

Learn more about Coralogix's out-of-the-box integration with AWS CloudTrail in our documentation.
