AWS FSx Excessive File Denied

amazon-fsx

Classification:

attack

Tactic:

TA0007-discovery

Technique:

T1083-file-and-directory-discovery

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect and identify users accessing files they do not have permission to access.

Strategy

Monitor AWS FSx logs and detect more than 10 occurrences where @evt.id is equal to 4656 and @Event.System.Keywords is equal to 0x8010000000000000.

Triage & Response

  1. Inspect the log and determine if the user should be accessing the file: {{@ObjectName}}.
  2. If access is not legitimate, investigate user ({{@usr.id}}) activity.