An AWS account attempted to leave the AWS Organization

cloudtrail

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect an AWS account attempting to leave an AWS organization.

Strategy

This rule allows you to monitor CloudTrail and detect if an attacker has attempted to have an AWS account leave an AWS organization using the LeaveOrganization API call.

An attacker may attempt this API call for several reasons, such as:

  • Target security configurations that are often defined at the organization level. Leaving an organization can disrupt or disable these controls.
  • Perform a denial of service (DoS) attack on the victim’s account that prevents the victim’s organization to access it.

Triage and response

  1. Determine if {{@userIdentity.arn}} should have made the {{@evt.name}} API call.
  2. If the API call was not made by the user:
  • Rotate user credentials.
  • Determine what other API calls were made by the user.
  • Initiate your company’s incident response (IR) process.
  1. If the API call was made legitimately by the user:
  • Communicate with the user to understand if this was a planned action.
  • If No, see if other API calls were made by the user and determine if they warrant further investigation.
  • Initiate your company’s incident response (IR) process.