← Library
sigmaDRL-1.1from SigmaHQ/sigma

AWS EFS Fileshare Mount Modified or Deleted

Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1485
Rule sourcerules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml
title: AWS EFS Fileshare Mount Modified or Deleted
id: 6a7ba45c-63d8-473e-9736-2eaabff79964
status: test
description: Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.
references:
    - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
author: Austin Songer @austinsonger
date: 2021-08-15
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1485
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: elasticfilesystem.amazonaws.com
        eventName: DeleteMountTarget
    condition: selection
falsepositives:
    - Unknown
level: medium