AWS EC2 Multi-Region DescribeInstances API Calls

Identifies when a single AWS resource is making DescribeInstances API calls in more than 10 regions within a 30-second window. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple regions using compromised credentials or a compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to gain a better understanding of the target's infrastructure.

Elastic rule

[metadata]
creation_date = "2024/08/26"
integration = ["aws"]
maturity = "production"
updated_date = "2024/11/07"

[rule]
author = ["Elastic"]
description = """
Identifies when a single AWS resource is making `DescribeInstances` API calls in more than 10 regions within a 30-second
window. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple
regions using compromised credentials or a compromised instance. Adversaries may use this information to identify
potential targets for further exploitation or to gain a better understanding of the target's infrastructure.
"""
false_positives = [
    """
    Legitimate use of the `DescribeInstances` API call by an AWS resource that requires information about instances in
    multiple regions.
    """,
    "Scheduled tasks or scripts that require information about instances in multiple regions.",
]
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "AWS EC2 Multi-Region DescribeInstances API Calls"
note = """## Triage and Analysis

### Investigating AWS EC2 Multi-Region DescribeInstances API Calls

This rule detects instances where a single AWS resource makes `DescribeInstances` API calls in over 10 regions within a 30-second window. This could indicate an adversary using compromised credentials or an exploited resource to enumerate AWS infrastructure across multiple regions. Attackers often leverage multi-region enumeration to assess the overall cloud environment and find potential targets for further exploitation.

#### Possible Investigation Steps

- **Identify the Resource and Actor**:
  - **Actor ARN**: Check `aws.cloudtrail.user_identity.arn` to determine the exact identity performing the enumeration. Validate if the user is expected to perform region-wide `DescribeInstances` actions across multiple regions or if it seems unusual.
  - **Account and Role Details**: Examine `cloud.account.id` and `aws.cloudtrail.user_identity.session_context.session_issuer` for information about the AWS account and specific role associated with the action.

- **Analyze API Call Patterns**:
  - **Frequency and Scope**: Review `cloud.region` field and confirm if this specific resource commonly performs `DescribeInstances` calls across multiple regions.
  - **Time Window Context**: Compare the timing of the API calls within the `target_time_window` to determine if this burst pattern aligns with expected system usage or is potentially malicious.

- **Check User Agent and Tooling**:
  - **Source and User Agent**: Verify `user_agent.original` to determine if the request was made through expected tooling (e.g., AWS CLI or SDK) or a third-party tool that might indicate non-standard access.
  - **Source IP Address**: Look into `source.address` to identify the origin of the calls. Unusual IP addresses, especially those outside expected ranges, may indicate compromised access.

- **Evaluate for Potential Reconnaissance Behavior**:
  - **Account and Region Enumeration**: Adversaries may use region-wide `DescribeInstances` requests to discover resources within an account across different regions. Confirm if this access aligns with operational practices or represents excessive access.
  - **Permissions and Roles**: Investigate the permissions associated with the user role. Excessive permissions on a compromised role may allow broader enumeration, which should be restricted.

- **Review Related CloudTrail Events**:
  - **Additional Describe or List Actions**: Identify any associated `Describe` or `List` API calls that may indicate further enumeration of other AWS services within the same timeframe.
  - **Potential Preceding Events**: Look for preceding login or access events from the same actor, as these may indicate potential credential compromise or unauthorized escalation of privileges.

### False Positive Analysis

- **Expected Enumeration**: Certain administrative or automation scripts may conduct broad `DescribeInstances` API calls for inventory purposes. Review usage patterns or consult relevant teams to validate the purpose.
- **Automated Cloud Management**: Some automated services may perform regional checks for compliance or backup operations. If this rule is triggered repeatedly by a known service, consider whitelisting or tuning accordingly.

### Response and Remediation

- **Review IAM Policies and Role Permissions**: Limit the permissions of roles associated with this resource, restricting unnecessary multi-region enumeration access.
- **Enforce Least Privilege Access**: Ensure that permissions for DescribeInstances are tightly controlled and restricted to specific roles or accounts that require multi-region access.
- **Increase Monitoring and Alerts**: Set up additional monitoring on this role or account for further signs of unauthorized activity or lateral movement attempts.
- **Access Review**: Conduct a review of users and entities with `DescribeInstances` permissions, especially for multi-region capabilities, and ensure these permissions are necessary for their functions.

### Additional Information

For further information on AWS `DescribeInstances` permissions and best practices, refer to the [AWS DescribeInstances API documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html).
"""
references = [
    "https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html",
]
risk_score = 21
rule_id = "393ef120-63d1-11ef-8e38-f661ea17fbce"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: AWS EC2",
    "Resources: Investigation Guide",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-aws.cloudtrail-*

// filter for DescribeInstances API calls
| where event.dataset == "aws.cloudtrail" and event.provider == "ec2.amazonaws.com" and event.action == "DescribeInstances"

// truncate the timestamp to a 30-second window
| eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)

// keep only the relevant fields
| keep target_time_window, aws.cloudtrail.user_identity.arn, cloud.region

// count the number of unique regions and total API calls within the 30-second window
| stats region_count = count_distinct(cloud.region), window_count = count(*) by target_time_window, aws.cloudtrail.user_identity.arn

// filter for resources making DescribeInstances API calls in 10 or more regions (region_count >= 10) within the 30-second window
| where region_count >= 10 and window_count >= 10

// sort the results by time windows in descending order
| sort target_time_window desc
'''

[rule.investigation_fields]
field_names = [
    "aws.cloudtrail.user_identity.arn",
    "target_time_window",
    "region_count",
    "window_count"
]

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1580"
name = "Cloud Infrastructure Discovery"
reference = "https://attack.mitre.org/techniques/T1580/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
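The ES|QL aggregation above, reimplemented in Python so the rule's bucketing and thresholds can be exercised offline against constructed events. This is an added example, not Elastic's code; the ARNs and timestamps are invented, and the third identity is included to show the DATE_TRUNC caveat that a burst straddling a 30-second boundary is split across two windows and may stay below threshold in each.

```python
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 30
REGION_THRESHOLD = 10   # the rule's region_count >= 10
CALL_THRESHOLD = 10     # the rule's window_count >= 10

# Constructed sample data, not real CloudTrail: only the fields the query filters
# on and keeps are modelled. ARNs are hypothetical placeholders.
REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2", "eu-west-1",
           "eu-west-2", "eu-central-1", "ap-south-1", "ap-northeast-1",
           "ap-southeast-1", "ap-southeast-2", "sa-east-1"]
ENUMERATOR = "arn:aws:iam::123456789012:user/example-burst-user"
INVENTORY = "arn:aws:sts::123456789012:assumed-role/example-inventory/job"
STRADDLER = "arn:aws:iam::123456789012:user/example-boundary-user"

def _event(ts, arn, region, action="DescribeInstances"):
    return {"@timestamp": ts, "event.dataset": "aws.cloudtrail",
            "event.provider": "ec2.amazonaws.com", "event.action": action,
            "aws.cloudtrail.user_identity.arn": arn, "cloud.region": region}

SAMPLE_EVENTS = (
    # 12 regions hit by one identity within 12 seconds of one window: alerts
    [_event(f"2024-11-07T10:00:{s:02d}Z", ENUMERATOR, r) for s, r in enumerate(REGIONS)]
    # 3 regions from an inventory job: below both thresholds
    + [_event("2024-11-07T10:00:05Z", INVENTORY, r) for r in REGIONS[:3]]
    # a non-DescribeInstances EC2 call, dropped by the event.action filter
    + [_event("2024-11-07T10:00:07Z", ENUMERATOR, "us-east-1", "RunInstances")]
    # 12 regions from 10:00:24 to 10:00:35: split 6/6 across two windows, no alert
    + [_event(f"2024-11-07T10:00:{24 + s:02d}Z", STRADDLER, r) for s, r in enumerate(REGIONS)]
)

def truncate_window(ts: str) -> datetime:
    """Equivalent of DATE_TRUNC(30 seconds, @timestamp): floor to the bucket start."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    return datetime.fromtimestamp(epoch - epoch % WINDOW_SECONDS, tz=timezone.utc)

def multi_region_describe(events):
    """Return [(window, arn, region_count, window_count)] the rule would alert on."""
    regions, calls = defaultdict(set), defaultdict(int)
    for e in events:
        if (e["event.dataset"], e["event.provider"], e["event.action"]) != \
                ("aws.cloudtrail", "ec2.amazonaws.com", "DescribeInstances"):
            continue
        key = (truncate_window(e["@timestamp"]), e["aws.cloudtrail.user_identity.arn"])
        regions[key].add(e["cloud.region"])
        calls[key] += 1
    hits = [(w, arn, len(regions[(w, arn)]), n) for (w, arn), n in calls.items()
            if len(regions[(w, arn)]) >= REGION_THRESHOLD and n >= CALL_THRESHOLD]
    return sorted(hits, key=lambda h: h[0], reverse=True)  # sort target_time_window desc
```

Only the first identity is returned; the boundary-straddling burst is a reminder that fixed buckets are not a sliding window, so tuning the threshold or adding an overlapping window is worth considering when triaging misses.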
