0xtf · May 1, 2020 23:15
diff --git a/sigma-with-failure-logic.yaml b/sigma-with-failure-logic.yaml
 title: AWS EC2 VM Export failure
 id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
 status: experimental
 description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
 references:
  - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance     
 author: Diogo Braz
 date: 2020/04/16
 tags:
  - attack.collection    
  - attack.t1005      
  - attack.exfiltration
  - attack.t1537
 level: low
 logsource:
  service: cloudtrail
 detection:
  selection:           
    eventName: 'CreateInstanceExportTask'
    eventSource: 'ec2.amazonaws.com'
  filter1:
    errorMessage: '*'
  filter2:
    errorCode: '*'
  filter3:
    eventName: 'ConsoleLogin'
    responseElements: '*Failure*'
  condition: selection and (filter1 or filter2 or filter3)
	title: AWS EC2 VM Export failure
	id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
	status: experimental
	description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
	references:
	- https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
	author: Diogo Braz
	date: 2020/04/16
	tags:
	- attack.collection
	- attack.t1005
	- attack.exfiltration
	- attack.t1537
	level: low
	logsource:
	service: cloudtrail
	detection:
	selection:
	eventName: 'CreateInstanceExportTask'
	eventSource: 'ec2.amazonaws.com'
	filter1:
	errorMessage: '*'
	filter2:
	errorCode: '*'
	filter3:
	eventName: 'ConsoleLogin'
	responseElements: 'Failure'
	condition: selection and (filter1 or filter2 or filter3)