Vendor: Amazon

Product: AWS GuardDuty

| Rules | Models | MITRE TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 462 | 57 | 102 | 1 | 1 |

| Use-Case | Event Types/Parsers | MITRE TTP | Content |
|---|---|---|---|
| Account Manipulation | process-created<br>cef-aws-guardduty | T1003 - OS Credential Dumping<br>T1047 - Windows Management Instrumentation<br>T1078 - Valid Accounts<br>T1098 - Account Manipulation<br>T1136 - Create Account<br>T1136.001 - Create Account: Local Account<br>T1175 - T1175<br>T1531 - Account Access Removal | 19 Rules<br>8 Models |
| Audit Tampering | process-created<br>cef-aws-guardduty | T1047 - Windows Management Instrumentation<br>T1070 - Indicator Removal on Host<br>T1070.001 - Indicator Removal on Host: Clear Windows Event Logs | 7 Rules |
| Compromised Credentials | process-created<br>cef-aws-guardduty | T1003 - OS Credential Dumping<br>T1003.003 - T1003.003<br>T1016 - System Network Configuration Discovery<br>T1036 - Masquerading<br>T1040 - Network Sniffing<br>T1059.001 - Command and Scripting Interpreter: PowerShell<br>T1547.004 - T1547.004 | 43 Rules<br>7 Models |
| Cryptomining | process-created<br>cef-aws-guardduty | T1496 - Resource Hijacking | 2 Rules |
| Data Access | process-created<br>cef-aws-guardduty | T1003 - OS Credential Dumping | 2 Rules |
| Data Exfiltration | process-created<br>cef-aws-guardduty | T1003 - OS Credential Dumping<br>T1020 - Automated Exfiltration<br>T1040 - Network Sniffing<br>T1048 - Exfiltration Over Alternative Protocol<br>T1059 - Command and Scripting Interpreter<br>T1105 - Ingress Tool Transfer<br>T1505.003 - Server Software Component: Web Shell<br>T1552.001 - T1552.001<br>T1560 - Archive Collected Data | 16 Rules |
| Evasion | process-created<br>cef-aws-guardduty | T1027 - Obfuscated Files or Information<br>T1036 - Masquerading<br>T1036.003 - Masquerading: Rename System Utilities<br>T1053 - Scheduled Task/Job<br>T1059 - Command and Scripting Interpreter<br>T1059.001 - Command and Scripting Interpreter: PowerShell<br>T1064 - Scripting<br>T1070 - Indicator Removal on Host<br>T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild<br>T1132.001 - Data Encoding: Standard Encoding<br>T1140 - Deobfuscate/Decode Files or Information<br>T1202 - Indirect Command Execution<br>T1211 - Exploitation for Defense Evasion<br>T1218.004 - Signed Binary Proxy Execution: InstallUtil<br>T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm<br>T1542.003 - T1542.003<br>T1543.003 - Create or Modify System Process: Windows Service<br>T1562.004 - Impair Defenses: Disable or Modify System Firewall<br>T1564.004 - Hide Artifacts: NTFS File Attributes | 38 Rules |
| Lateral Movement | process-created<br>cef-aws-guardduty | T1021 - Remote Services<br>T1021.001 - Remote Services: Remote Desktop Protocol<br>T1021.002 - Remote Services: SMB/Windows Admin Shares<br>T1021.003 - T1021.003<br>T1047 - Windows Management Instrumentation<br>T1059 - Command and Scripting Interpreter<br>T1083 - File and Directory Discovery<br>T1090 - Proxy<br>T1135 - Network Share Discovery<br>T1175 - T1175<br>T1190 - Exploit Public Facing Application<br>T1210 - Exploitation of Remote Services<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1219 - Remote Access Software | 44 Rules<br>2 Models |
| Malware | process-created<br>cef-aws-guardduty | T1003 - OS Credential Dumping<br>T1003.002 - T1003.002<br>T1012 - Query Registry<br>T1021 - Remote Services<br>T1027 - Obfuscated Files or Information<br>T1027.004 - Obfuscated Files or Information: Compile After Delivery<br>T1036 - Masquerading<br>T1036.005 - Masquerading: Match Legitimate Name or Location<br>T1046 - Network Service Scanning<br>T1047 - Windows Management Instrumentation<br>T1053 - Scheduled Task/Job<br>T1053.005 - Scheduled Task/Job: Scheduled Task<br>T1055 - Process Injection<br>T1055.012 - T1055.012<br>T1059 - Command and Scripting Interpreter<br>T1059.001 - Command and Scripting Interpreter: PowerShell<br>T1059.002 - T1059.002<br>T1059.003 - T1059.003<br>T1059.004 - T1059.004<br>T1059.005 - T1059.005<br>T1059.006 - T1059.006<br>T1064 - Scripting<br>T1070.005 - T1070.005<br>T1105 - Ingress Tool Transfer<br>T1112 - Modify Registry<br>T1123 - Audio Capture<br>T1127 - Trusted Developer Utilities Proxy Execution<br>T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild<br>T1134.001 - Access Token Manipulation: Token Impersonation/Theft<br>T1140 - Deobfuscate/Decode Files or Information<br>T1175 - T1175<br>T1197 - BITS Jobs<br>T1202 - Indirect Command Execution<br>T1203 - Exploitation for Client Execution<br>T1204 - User Execution<br>T1210 - Exploitation of Remote Services<br>T1218 - Signed Binary Proxy Execution<br>T1218.001 - Signed Binary Proxy Execution: Compiled HTML File<br>T1218.002 - Signed Binary Proxy Execution: Control Panel<br>T1218.004 - Signed Binary Proxy Execution: InstallUtil<br>T1218.005 - T1218.005<br>T1218.007 - Signed Binary Proxy Execution: Msiexec<br>T1218.010 - Signed Binary Proxy Execution: Regsvr32<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1220 - XSL Script Processing<br>T1490 - Inhibit System Recovery<br>T1505.003 - Server Software Component: Web Shell<br>T1543.003 - Create or Modify System Process: Windows Service<br>T1546.001 - T1546.001<br>T1547.001 - T1547.001<br>T1557.001 - T1557.001<br>T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting<br>T1566.001 - T1566.001<br>T1569 - System Services<br>T1574 - Hijack Execution Flow<br>T1574.002 - Hijack Execution Flow: DLL Side-Loading<br>T1574.010 - T1574.010<br>T1574.011 - T1574.011 | 239 Rules<br>33 Models |
| Privilege Abuse | process-created<br>cef-aws-guardduty | T1047 - Windows Management Instrumentation<br>T1078 - Valid Accounts<br>T1098 - Account Manipulation<br>T1136 - Create Account<br>T1136.001 - Create Account: Local Account<br>T1531 - Account Access Removal | 13 Rules<br>8 Models |
| Privilege Escalation | process-created<br>cef-aws-guardduty | T1003 - OS Credential Dumping<br>T1012 - Query Registry<br>T1016 - System Network Configuration Discovery<br>T1027.004 - Obfuscated Files or Information: Compile After Delivery<br>T1033 - System Owner/User Discovery<br>T1047 - Windows Management Instrumentation<br>T1053.002 - Scheduled Task/Job: At (Windows)<br>T1053.005 - Scheduled Task/Job: Scheduled Task<br>T1055 - Process Injection<br>T1055.001 - Process Injection: Dynamic-link Library Injection<br>T1056.004 - T1056.004<br>T1057 - Process Discovery<br>T1059 - Command and Scripting Interpreter<br>T1059.001 - Command and Scripting Interpreter: PowerShell<br>T1068 - Exploitation for Privilege Escalation<br>T1070.004 - Indicator Removal on Host: File Deletion<br>T1082 - System Information Discovery<br>T1087 - Account Discovery<br>T1087.001 - Account Discovery: Local Account<br>T1087.002 - Account Discovery: Domain Account<br>T1134.001 - Access Token Manipulation: Token Impersonation/Theft<br>T1218.003 - Signed Binary Proxy Execution: CMSTP<br>T1218.010 - Signed Binary Proxy Execution: Regsvr32<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification<br>T1482 - Domain Trust Discovery<br>T1543.003 - Create or Modify System Process: Windows Service<br>T1547.006 - T1547.006<br>T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control<br>T1560 - Archive Collected Data<br>T1574.002 - Hijack Execution Flow: DLL Side-Loading | 73 Rules<br>12 Models |
| Ransomware | process-created<br>cef-aws-guardduty | T1003 - OS Credential Dumping<br>T1055 - Process Injection<br>T1070 - Indicator Removal on Host<br>T1070.004 - Indicator Removal on Host: File Deletion<br>T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1490 - Inhibit System Recovery | 8 Rules |

ATT&CK Matrix for Enterprise

| Tactic | Techniques |
|---|---|
| Initial Access | Valid Accounts<br>Exploit Public Facing Application<br>Phishing |
| Execution | Windows Management Instrumentation<br>Command and Scripting Interpreter<br>Scheduled Task/Job<br>Scripting<br>System Services<br>Exploitation for Client Execution<br>User Execution<br>Scheduled Task/Job: Scheduled Task<br>Command and Scripting Interpreter: PowerShell<br>Scheduled Task/Job: At (Windows) |
| Persistence | Pre-OS Boot<br>Create Account<br>Create or Modify System Process<br>Valid Accounts<br>Hijack Execution Flow<br>Server Software Component: Web Shell<br>Account Manipulation<br>BITS Jobs<br>Create or Modify System Process: Windows Service<br>Scheduled Task/Job<br>Server Software Component<br>Event Triggered Execution<br>Boot or Logon Autostart Execution<br>Create Account: Local Account |
| Privilege Escalation | Access Token Manipulation: Token Impersonation/Theft<br>Create or Modify System Process<br>Valid Accounts<br>Access Token Manipulation<br>Exploitation for Privilege Escalation<br>Hijack Execution Flow<br>Process Injection<br>Scheduled Task/Job<br>Abuse Elevation Control Mechanism<br>Event Triggered Execution<br>Boot or Logon Autostart Execution<br>Process Injection: Dynamic-link Library Injection<br>Abuse Elevation Control Mechanism: Bypass User Account Control |
| Defense Evasion | Hide Artifacts<br>Indirect Command Execution<br>Impair Defenses<br>Indicator Removal on Host: Clear Windows Event Logs<br>Trusted Developer Utilities Proxy Execution<br>Masquerading: Match Legitimate Name or Location<br>Masquerading: Rename System Utilities<br>File and Directory Permissions Modification: Windows File and Directory Permissions Modification<br>Obfuscated Files or Information: Compile After Delivery<br>Hijack Execution Flow: DLL Side-Loading<br>Indicator Removal on Host: File Deletion<br>Masquerading<br>Valid Accounts<br>Modify Registry<br>BITS Jobs<br>Hide Artifacts: NTFS File Attributes<br>Indicator Removal on Host<br>Pre-OS Boot<br>File and Directory Permissions Modification<br>XSL Script Processing<br>Deobfuscate/Decode Files or Information<br>Abuse Elevation Control Mechanism<br>Impair Defenses: Disable or Modify System Firewall<br>Obfuscated Files or Information<br>Signed Binary Proxy Execution: Compiled HTML File<br>Access Token Manipulation<br>Exploitation for Defense Evasion<br>Hijack Execution Flow<br>Process Injection<br>Signed Binary Proxy Execution: Msiexec<br>Signed Binary Proxy Execution<br>Signed Binary Proxy Execution: Regsvcs/Regasm<br>Signed Binary Proxy Execution: CMSTP<br>Signed Binary Proxy Execution: Control Panel<br>Signed Binary Proxy Execution: InstallUtil<br>Signed Binary Proxy Execution: Regsvr32<br>Trusted Developer Utilities Proxy Execution: MSBuild<br>Signed Binary Proxy Execution: Rundll32 |
| Credential Access | OS Credential Dumping<br>Input Capture<br>Unsecured Credentials<br>Man-in-the-Middle<br>Steal or Forge Kerberos Tickets<br>Steal or Forge Kerberos Tickets: Kerberoasting<br>Network Sniffing |
| Discovery | Network Service Scanning<br>Account Discovery<br>Domain Trust Discovery<br>Account Discovery: Local Account<br>Account Discovery: Domain Account<br>File and Directory Discovery<br>Network Sniffing<br>System Information Discovery<br>Network Share Discovery<br>Query Registry<br>Process Discovery<br>System Owner/User Discovery<br>System Network Configuration Discovery |
| Lateral Movement | Exploitation of Remote Services<br>Remote Services<br>Remote Services: SMB/Windows Admin Shares<br>Remote Services: Remote Desktop Protocol |
| Collection | Input Capture<br>Audio Capture<br>Archive Collected Data<br>Man-in-the-Middle |
| Command and Control | Data Encoding<br>Data Encoding: Standard Encoding<br>Remote Access Software<br>Ingress Tool Transfer<br>Proxy |
| Exfiltration | Exfiltration Over Alternative Protocol<br>Automated Exfiltration |
| Impact | Account Access Removal<br>Resource Hijacking<br>Inhibit System Recovery |