sigmamediumHunting

AWS EFS Fileshare Mount Modified or Deleted

Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.

MITRE ATT&CK

T1485

impact

Detection Query

selection:
  eventSource: elasticfilesystem.amazonaws.com
  eventName: DeleteMountTarget
condition: selection

Author

Austin Songer @austinsonger

Created

2021-08-15

Data Sources

awscloudtrail

Platforms

aws

References

https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html

Tags

attack.impactattack.t1485

Raw Content

title: AWS EFS Fileshare Mount Modified or Deleted
id: 6a7ba45c-63d8-473e-9736-2eaabff79964
status: test
description: Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.
references:
    - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
author: Austin Songer @austinsonger
date: 2021-08-15
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1485
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: elasticfilesystem.amazonaws.com
        eventName: DeleteMountTarget
    condition: selection
falsepositives:
    - Unknown
level: medium