Skip to content

Latest commit

 

History

History
28 lines (26 loc) · 12.9 KB

ds_amazon_aws_waf.md

File metadata and controls

28 lines (26 loc) · 12.9 KB

Vendor: Amazon

Product: AWS WAF

Rules Models MITRE ATT&CK® TTPs Activity Types Parsers
75 27 21 2 0
Use-Case Activity Types (Legacy Event Type)/Parsers MITRE ATT&CK® TTP Content
Abnormal Authentication & Access http-traffic:success (web-activity-allowed)
aws-waf-json-http-session-httprequest

http-session:fail (web-activity-denied)
aws-waf-json-http-session-httprequest
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 6 Rules
  • 6 Models
Compromised Credentials http-traffic:success (web-activity-allowed)
aws-waf-json-http-session-httprequest

http-session:fail (web-activity-denied)
aws-waf-json-http-session-httprequest
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 40 Rules
  • 22 Models
Cryptomining http-traffic:success (web-activity-allowed)
aws-waf-json-http-session-httprequest

http-session:fail (web-activity-denied)
aws-waf-json-http-session-httprequest
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1496 - Resource Hijacking
  • 1 Rules
Data Exfiltration http-traffic:success (web-activity-allowed)
aws-waf-json-http-session-httprequest

http-session:fail (web-activity-denied)
aws-waf-json-http-session-httprequest
T1041 - Exfiltration Over C2 Channel
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
Data Leak http-traffic:success (web-activity-allowed)
aws-waf-json-http-session-httprequest

http-session:fail (web-activity-denied)
aws-waf-json-http-session-httprequest
T1041 - Exfiltration Over C2 Channel
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • 6 Rules
  • 2 Models
Lateral Movement http-traffic:success (web-activity-allowed)
aws-waf-json-http-session-httprequest

http-session:fail (web-activity-denied)
aws-waf-json-http-session-httprequest
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1090 - Proxy
T1090.003 - Proxy: Multi-hop Proxy
T1190 - Exploit Public Fasing Application
  • 9 Rules
Malware http-traffic:success (web-activity-allowed)
aws-waf-json-http-session-httprequest

http-session:fail (web-activity-denied)
aws-waf-json-http-session-httprequest
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Phishing http-traffic:success (web-activity-allowed)
aws-waf-json-http-session-httprequest

http-session:fail (web-activity-denied)
aws-waf-json-http-session-httprequest
T1189 - Drive-by Compromise
T1204 - User Execution
T1204.001 - T1204.001
T1534 - Internal Spearphishing
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1598 - T1598
T1598.003 - T1598.003
  • 3 Rules
Privilege Abuse http-traffic:success (web-activity-allowed)
aws-waf-json-http-session-httprequest

http-session:fail (web-activity-denied)
aws-waf-json-http-session-httprequest
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules
Privileged Activity http-traffic:success (web-activity-allowed)
aws-waf-json-http-session-httprequest

http-session:fail (web-activity-denied)
aws-waf-json-http-session-httprequest
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
  • 2 Rules
Ransomware http-traffic:success (web-activity-allowed)
aws-waf-json-http-session-httprequest

http-session:fail (web-activity-denied)
aws-waf-json-http-session-httprequest
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Workforce Protection http-traffic:success (web-activity-allowed)
aws-waf-json-http-session-httprequest
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 4 Rules
  • 2 Models

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Phishing: Spearphishing Link

Valid Accounts

Drive-by Compromise

Exploit Public Fasing Application

Phishing

User Execution

Valid Accounts

Valid Accounts

Valid Accounts

Internal Spearphishing

Web Service

Application Layer Protocol: Web Protocols

Dynamic Resolution

Dynamic Resolution: Domain Generation Algorithms

Proxy: Multi-hop Proxy

Application Layer Protocol

Proxy

Exfiltration Over C2 Channel

Exfiltration Over Web Service: Exfiltration to Cloud Storage

Exfiltration Over Web Service

Resource Hijacking