LetsDefend: Cloud Forensics
Scenario: Unusual activity detected in AWS Console. Artifacts: CloudTrail JSON logs.
1. Analysis
We filter the records for the ConsoleLogin event.
We see a login by the admin user from a suspicious IP address (geolocated to Russia).
The userAgent field shows Kali Linux (subtle!).
2. Impact Analysis
What did they do?
Filter for RunInstances events.
They launched 10 massive GPU instances (p3.16xlarge).
Purpose: Crypto Mining.
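As an added example (not from the challenge or from LetsDefend), a Python script that runs the two filters above over constructed CloudTrail-style records: it flags successful ConsoleLogin events from unknown IP addresses or with unusual user agents, and counts instances launched via RunInstances per user and instance type. The known-IP list, user-agent markers and GPU family prefixes are assumptions, and the sample records are made up.

```python
import json
from collections import Counter

# Constructed CloudTrail-style records (not the challenge's logs): schema field names, made-up values.
SAMPLE = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventTime": "2024-01-01T09:00:00Z",
     "sourceIPAddress": "203.0.113.5", "userAgent": "Mozilla/5.0 (Windows NT 10.0)",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-01-01T10:00:00Z",
     "sourceIPAddress": "198.51.100.7", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) Kali",
     "userIdentity": {"userName": "admin"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "RunInstances", "eventTime": "2024-01-01T10:05:00Z",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "admin"},
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": f"i-{n:017x}", "instanceType": "p3.16xlarge"} for n in range(10)]}}},
]})

KNOWN_IPS = {"203.0.113.5"}                            # assumed corporate egress addresses
UA_MARKERS = ("kali", "python-requests", "curl")       # unexpected for a human console login
GPU_FAMILIES = ("p2.", "p3.", "p4d.", "g4dn.", "g5.")  # costly families worth a second look

def suspicious_console_logins(records, known_ips=KNOWN_IPS):
    """Successful ConsoleLogin events from an unknown IP or with an unusual user agent."""
    hits = []
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        if (r.get("responseElements") or {}).get("ConsoleLogin") != "Success":
            continue  # responseElements can be null in CloudTrail; failed attempts are skipped here
        ip, ua = r.get("sourceIPAddress", ""), (r.get("userAgent") or "").lower()
        if ip not in known_ips or any(m in ua for m in UA_MARKERS):
            hits.append({"time": r["eventTime"], "user": r["userIdentity"].get("userName"),
                         "ip": ip, "userAgent": r.get("userAgent")})
    return hits

def instance_launches(records, gpu_only=False):
    """Count instances launched via RunInstances, keyed by (user, instanceType)."""
    counts = Counter()
    for r in records:
        if r.get("eventName") != "RunInstances":
            continue
        user = r["userIdentity"].get("userName")
        items = ((r.get("responseElements") or {}).get("instancesSet") or {}).get("items", [])
        for item in items:
            if not gpu_only or item["instanceType"].startswith(GPU_FAMILIES):
                counts[(user, item["instanceType"])] += 1
    return counts
```

On real exports, load each gzipped CloudTrail file and concatenate its `Records` list before calling these functions; the admin user flagged by the login filter is then the one whose RunInstances counts you pivot to.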
3. Remediation
- Revoke the compromised IAM user's keys.
- Terminate the rogue instances.
- Enable MFA on the account.