AWS Compromise Assessment compiles the events and Indicator of Compromise (IoC) from CloudTrail Logs after an incident has occurred or appears to be compromised. It will assist in obtaining complete critical event data and making it easier for threat hunters for future forensics.
Component | README |
---|---|
python version > 3.6 | Must be pre-installed in computer in order to run the compromise assessment script |
Configure AWS SDK | Using AWS CLI you have to configure the AWS SDK |
Operating system | Windows or Ubuntu/Linux |
CPU | Core 2 CPU or more |
Memory | 4 GB RAM |
- Scrpit will show
50000
record of cloudtrail logs by default or if you want to customize it you can give-record_limit
argument to the command. - Script will show cloudtrail logs according to
days
argument (60
or90
) in the command line default is90
or you can give your days using-days
command line argument. - Script will also gives you a cloudtrail logs based on AWS services using the argument called
-service_name
. - Script will shows the logs in the tabular format.
- Log table provide pagination functionality for traverse throught the logs.
- Log table also provide a functionality for searching a logs according to event category.
- Script will show you the
Analytic (statastical)
table. - Script will display the
histogram
andpie chart
according to analytic table.
Python for Windows
https://www.digitalocean.com/community/tutorials/install-python-windows-10
Python for Ubuntu/Linux
https://www.makeuseof.com/install-python-ubuntu/
Install AWS CLI from the link given below
https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
Run the following command and provide your aws credentials to setup the AWS ADK on your system.
aws configure
Open the command prompt or terminal on your system then reach to project directory and run the following command
pip3 install -r requirements.txt
https://github.com/Infopercept/compromise-assessment
If you are
Windows
user then usepython
for running the script.
or
If you are
Ubunt/Linux/MacOs
user then usepython3
for runnig the script.
Type the following command
python3 compromise-assessment.py -h
or
python3 compromise-assessment.py --help
Result
- You can use this arguments to make user specific choices and arguments optionals are
days
,record_limit
, andservice_name
. - Commands you can use:
Command | Description |
---|---|
python3 compromise-assessment.py | This command gives you the 90 days cloudtrail records as default it takes 90 days,it will take all services and it will return 5000 record by default. |
python3 compromise-assessment.py -days 60 | This command gives you the 60 days cloudtrail records, it will take all services and it will return 5000 record by default. |
python3 compromise-assessment.py -days 90 | This command gives you the 90 days cloudtrail records, it will take all services and it will return 5000 record by default. |
python3 compromise-assessment.py -record_limit 1000 | This command gives you the 90 days cloudtrail records as default, it will take all services and it will return 1000 record. |
python3 compromise-assessment.py -service_name s3 | This command gives you the 90 days cloudtrail records as default, it will take S3 services and it will return 5000 record. |
python3 compromise-assessment.py -days 60 -service_name iam | This command gives you the 60 days cloudtrail records, it will take IAM services and it will return 5000 record. |
python3 compromise-assessment.py -days 70 -record_limit 5000 -service_name lambda | This command gives you the 70 days cloudtrail records, it will take LAMBDA services and it will return 5000 record. |
Licensed under the (https://www.infopercept.com/) License, Version 3.0. Copyright 2022 Infopercept. Copy of the license.
Bhavik Prajapati 💻 |
👤 Bhavik Prajapati
- Github: @BhavikDevInfopercept