AWS ECS cluster deleted

cloudtrail

Classification:

attack

Tactic:

TA0040-impact

Technique:

T1485-data-destruction

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when an attacker is destroying an ECS Cluster

Strategy

This rule lets you monitor this CloudTrail API call to detect if an ECS cluster is deleted:

Triage and response

  1. Determine if {{@userIdentity.arm}} should be making a {{@evt.name}} API call.
  2. Contact the user to see if they intended to make this API call.
  3. If the user did not make the API call:
    • Rotate the credentials.
    • Investigate if the same credentials made other unauthorized API calls.

Changelog

1 April 2022 - Updated rule query.