
Add new guardduty ip set

| Author | Last Update |
|---|---|
| Nick Jones | 2020-06-18 |

An adversary may attempt to add a new GuardDuty IP whitelist in order to whitelist systems they control and reduce the chance of malicious activity being detected.

MITRE IDs

Required Permissions

  • guardduty:CreateIPSet

Required Parameters

| Name | Type | Description | Example Value |
|---|---|---|---|
| detectorid | str | ID of the GuardDuty detector associated with the IP set list | 12345 |
| format | str | Format of the new IP set list - choice of TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, FIRE_EYE | TXT |
| location | str | Location of the IP whitelist | http://www.example.com |

Attacker Action

aws guardduty create-ip-set --activate --detector-id 12345 --ip-set-id  --location http://www.example.com

Detection Case

ELK query

When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.

eventName:CreateIPSet AND eventSource:guardduty.amazonaws.com

Sigma Definition

---
title: Add new guardduty ip set
id: faf89476-061a-4c29-8f9c-2ed65e65de2e
status: experimental
author: Nick Jones
date: 2020-06-18
description: An adversary may attempt to add a new GuardDuty IP whitelist in order to whitelist systems they control and reduce the chance of malicious activity being detected.
logsource:
  product: aws
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "guardduty.amazonaws.com"
  events:
    - eventName: "CreateIPSet"
  condition: selection_source and events
level: low
tags:
  - attack.t1089
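The same detection applied offline to a CloudTrail log file, as an added example that is not part of the original page: it keeps both filters of the Sigma rule (the eventSource check matters because WAFv2 also has a CreateIPSet API) and pulls the detector, feed location and activation flag out of requestParameters for the responder. The sample log is constructed, and the requestParameters field names are assumed to follow the CreateIPSet request body.

```python
import json

EVENT_SOURCE = "guardduty.amazonaws.com"   # value CloudTrail records for GuardDuty API calls
EVENT_NAME = "CreateIPSet"

# Constructed sample CloudTrail log file (not real events): one successful call,
# one denied attempt, and two events that must not be flagged.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2020-06-18T10:01:02Z", "eventName": "CreateIPSet",
     "eventSource": "guardduty.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"detectorId": "12345", "format": "TXT",
                           "activate": True, "location": "http://www.example.com"}},
    {"eventTime": "2020-06-18T10:05:00Z", "eventName": "CreateIPSet",
     "eventSource": "guardduty.amazonaws.com", "sourceIPAddress": "198.51.100.8",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"detectorId": "12345", "format": "TXT",
                           "activate": True, "location": "http://www.example.com"}},
    {"eventTime": "2020-06-18T10:06:00Z", "eventName": "GetIPSet",
     "eventSource": "guardduty.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2020-06-18T10:07:00Z", "eventName": "CreateIPSet",
     "eventSource": "wafv2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"}},
]})


def detect_ipset_creation(log_text):
    """Apply the detection to a CloudTrail log file and return one finding per hit."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventName") != EVENT_NAME or rec.get("eventSource") != EVENT_SOURCE:
            continue
        # Field names assumed to mirror the CreateIPSet request body.
        params = rec.get("requestParameters") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "actor": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "detector_id": params.get("detectorId"),
            "format": params.get("format"),
            "location": params.get("location"),
            "activated": bool(params.get("activate")),
            "succeeded": "errorCode" not in rec,   # a denied attempt is still worth triage
        })
    return findings


if __name__ == "__main__":
    for finding in detect_ipset_creation(SAMPLE_LOG):
        print(json.dumps(finding))
```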