Add files via upload

rules/cloud/aws_enum_listing.yml

@@ -0,0 +1,22 @@
+title: AWS Enumeration of Accounts 
+id: e9c14b23-47e2-4a8b-8a63-d36618e33d70 
+status: experimental
+description: Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time.  
+author: toffeebr33k
+date: 2020/11/21
+logsource:
+    service: cloudtrail
+detection:
+    selection_source:
+        - eventSource: *
+    selection_eventname:
+        - eventName: list*
+    timeframe: 10m
+    condition: count() > 50 by userIdentity.arn 
+
+falsepositives:
+    - AWS Config or other configuration scanning activities
+level: low
+tags:
+    - attack.discovery
+    - attack.t1592

rules/cloud/aws_update_login_profile.yml

@@ -0,0 +1,29 @@
+title: AWS updating an existing login profile 
+id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
+status: experimental
+description: An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. With this alert, it is used to detect anyone is changing password on behalf of other users.
+author: toffeebr33k
+date: 2020/11/21
+references:
+    - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
+logsource:
+    service: cloudtrail
+detection:
+    selection_source:
+        - eventSource: iam.amazonaws.com
+    selection_eventname:
+        - eventName: UpdateLoginProfile
+    filter:
+        userIdentity.arn|contains: responseElements.accessKey.userName
+    condition: all of selection* and not filter
+fields:
+    - userIdentity.arn
+    - responseElements.accessKey.userName
+    - errorCode
+    - errorMessage
+falsepositives:
+    - Legit User Account Administration 
+level: medium
+tags:
+    - attack.persistence
+    - attack.t1098