aiwg

Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo

title: AWS API Calls from Unusual Geographic Region
id: 6b3c5d7e-2f4a-6b8c-1d3e-5f6a7b8c9d0e
# The rule requires per-account tuning (see below), so it is not production-ready as shipped.
status: experimental
description: >
  Detects AWS API calls originating from regions that are unusual for the account's
  normal operating pattern. Calls from unexpected regions may indicate use of
  compromised credentials from a different geographic location than the legitimate
  user, or an attacker using a VPN or proxy endpoint in an unexpected region.
references:
  - https://attack.mitre.org/techniques/T1078/
  - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-examples.html
author: forensics-complete
date: 2025-11-14
modified: 2025-11-14
tags:
  # T1078 (Valid Accounts) maps to Initial Access / Persistence / Privilege Escalation /
  # Defense Evasion in ATT&CK; it is not a Credential Access technique.
  - attack.initial_access
  - attack.t1078
  - attack.t1078.004
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    eventSource: '*'
    # Regions that are unlikely to be used by legitimate users in most organizations
    # and that therefore stand out when an account's credentials are used from them.
    # This list MUST be adjusted to the organization's actual operating regions
    # (see the tuning instructions below).
    awsRegion:
      - 'ap-east-1'
      - 'af-south-1'
      - 'me-south-1'
      - 'eu-south-1'
  filter_expected_services:
    # Exclude automated/service-to-service calls that legitimately span regions
    userIdentity.type: 'AWSService'
  filter_replication:
    # Exclude replication-related events
    eventName:
      - 'ReplicateObject'
      - 'ReplicateDelete'
      - 'ReplicateTags'
  condition: selection and not filter_expected_services and not filter_replication
falsepositives:
  - Legitimate users traveling or working from an unexpected region
  - New business expansion into a region not previously used
  - Global services that automatically use the nearest region
  - VPN or corporate proxy endpoints in unexpected regions
level: medium
fields:
  - eventTime
  - awsRegion
  - userIdentity.arn
  - userIdentity.type
  - eventName
  - eventSource
  - sourceIPAddress
  - userAgent
---
# Tuning Instructions
#
# This rule REQUIRES tuning before deployment. The awsRegion list in the
# detection section must be adjusted to match the organization's baseline:
#
# Step 1: Determine normal operating regions
#
#   -- eventtime is a string column in the standard CloudTrail Athena table, so it
#   -- must be parsed before it can be compared with a timestamp.
#   SELECT awsregion, count(*) AS event_count
#   FROM cloudtrail_logs
#   WHERE from_iso8601_timestamp(eventtime) > date_add('day', -90, now())
#   GROUP BY awsregion
#   ORDER BY event_count DESC;
#
# Step 2: Define the allowlist of expected regions based on the Step 1 results
#
# Step 3: Update the awsRegion list to include only regions NOT in the allowlist
#
# Step 4: Add baseline exceptions for services that legitimately use global regions
#
# Detection Logic Note (Athena):
#
#   SELECT eventtime, awsregion, useridentity.arn, eventname, sourceipaddress
#   FROM cloudtrail_logs
#   WHERE awsregion NOT IN ('us-east-1', 'us-west-2', 'eu-west-1') -- your normal regions
#     AND useridentity.type != 'AWSService'
#     AND eventtime > '2025-11-01'  -- ISO 8601 strings compare correctly as text
#   ORDER BY eventtime;
#
# Enrich the source IP with geolocation to confirm the geographic anomaly:
#
#   curl -s "https://ipinfo.io/<sourceIPAddress>/json" | jq '{ip,city,country,org}'
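The following is an added example, not code from the aiwg package or the rule's author. It reproduces the rule's detection logic (selection on region, minus the AWSService and replication filters) in Python, runs it over constructed CloudTrail records, and derives the region allowlist the tuning steps describe from a 90-day baseline. The baseline and the new events are constructed sample data; the fixed "now", the 1% minimum-share threshold for a region to count as normal, and the account ID are assumptions, and the selection is written as "region not in allowlist", which is what the Athena query and the Step 3 denylist amount to.

```python
"""Added example (not part of the aiwg package): evaluate the Sigma rule's
detection logic against constructed CloudTrail records and derive the
region allowlist from a baseline, as the tuning instructions describe."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed fixed "now" so the 90-day window is deterministic.
NOW = datetime(2025, 11, 14, 12, 0, 0, tzinfo=timezone.utc)
ACCOUNT = "111122223333"  # assumed account ID for the constructed ARNs
REPLICATION_EVENTS = {"ReplicateObject", "ReplicateDelete", "ReplicateTags"}


def _ct(event_time, region, ident_type, event_name, source_ip, arn=None):
    """Build a minimal constructed CloudTrail record with only the fields the rule reads."""
    ident = {"type": ident_type}
    if arn:
        ident["arn"] = arn
    return {
        "eventTime": event_time,
        "awsRegion": region,
        "userIdentity": ident,
        "eventName": event_name,
        "eventSource": "s3.amazonaws.com",
        "sourceIPAddress": source_ip,
        "userAgent": "aws-cli/2.15.0",
    }


def _ts(days_ago):
    """CloudTrail-style ISO 8601 timestamp (UTC, 'Z' suffix) for N days before NOW."""
    return (NOW - timedelta(days=days_ago)).strftime("%Y-%m-%dT%H:%M:%SZ")


ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
CI = f"arn:aws:sts::{ACCOUNT}:assumed-role/Deploy/ci"

# Constructed 90-day baseline: the account works out of us-east-1 and us-west-2.
# One stale eu-central-1 event from 120 days ago falls outside the window.
BASELINE = (
    [_ct(_ts(d % 60 + 1), "us-east-1", "IAMUser", "ListBuckets", "198.51.100.10", ALICE)
     for d in range(200)]
    + [_ct(_ts(d % 60 + 1), "us-west-2", "AssumedRole", "PutObject", "198.51.100.20", CI)
       for d in range(50)]
    + [_ct(_ts(120), "eu-central-1", "IAMUser", "ListBuckets", "198.51.100.10", ALICE)]
)

# Constructed events to evaluate: one normal, one true hit, two filter cases.
NEW_EVENTS = [
    _ct(_ts(0), "us-east-1", "IAMUser", "ListBuckets", "198.51.100.10", ALICE),
    _ct(_ts(0), "ap-east-1", "IAMUser", "ListBuckets", "203.0.113.45", ALICE),
    _ct(_ts(0), "af-south-1", "AWSService", "PutObject", "config.amazonaws.com"),
    _ct(_ts(0), "eu-south-1", "IAMUser", "ReplicateObject", "198.51.100.10", ALICE),
]


def baseline_regions(events, now=NOW, days=90, min_share=0.01):
    """Steps 1-2: count events per region inside the lookback window and keep the
    regions that carry at least min_share (assumed threshold) of the traffic."""
    cutoff = now - timedelta(days=days)
    counts = Counter()
    for e in events:
        t = datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00"))
        if t > cutoff:
            counts[e["awsRegion"]] += 1
    total = sum(counts.values())
    return {r for r, c in counts.items() if c / total >= min_share}


def matches_rule(event, allowlist):
    """Rule condition: selection and not filter_expected_services and not filter_replication.
    Selection is 'awsRegion not in the allowlist', i.e. the Step 3 denylist."""
    if event["awsRegion"] in allowlist:
        return False
    if event.get("userIdentity", {}).get("type") == "AWSService":
        return False  # filter_expected_services
    if event.get("eventName") in REPLICATION_EVENTS:
        return False  # filter_replication
    return True


def run_detection(events, allowlist):
    """Return the rule's 'fields' for every matching event."""
    return [
        {
            "eventTime": e["eventTime"],
            "awsRegion": e["awsRegion"],
            "userIdentity.arn": e.get("userIdentity", {}).get("arn"),
            "userIdentity.type": e.get("userIdentity", {}).get("type"),
            "eventName": e.get("eventName"),
            "eventSource": e.get("eventSource"),
            "sourceIPAddress": e.get("sourceIPAddress"),
            "userAgent": e.get("userAgent"),
        }
        for e in events
        if matches_rule(e, allowlist)
    ]


if __name__ == "__main__":
    allow = baseline_regions(BASELINE)
    print("allowlist:", sorted(allow))
    for hit in run_detection(NEW_EVENTS, allow):
        print(json.dumps(hit))
```

Running it yields an allowlist of us-east-1 and us-west-2 (the stale eu-central-1 event is outside the window) and a single hit, the ap-east-1 ListBuckets call from 203.0.113.45; the AWSService and ReplicateObject events are dropped by the two filters exactly as the Sigma condition specifies. The hit's sourceIPAddress is the value to feed into the geolocation enrichment step.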