AWS EC2 Multi-Region DescribeInstances API Calls
Identifies when a single AWS resource is making DescribeInstances API calls in more than 10 regions within a 30-second
window. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple
regions using compromised credentials or a compromised instance. Adversaries may use this information to identify
potential targets for further exploitation or to gain a better understanding of the target's infrastructure.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/08/26"
3maturity = "production"
4updated_date = "2024/08/26"
5
6[rule]
7author = ["Elastic"]
8description = """
9Identifies when a single AWS resource is making `DescribeInstances` API calls in more than 10 regions within a 30-second
10window. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple
11regions using compromised credentials or a compromised instance. Adversaries may use this information to identify
12potential targets for further exploitation or to gain a better understanding of the target's infrastructure.
13"""
14from = "now-9m"
15language = "esql"
16license = "Elastic License v2"
17name = "AWS EC2 Multi-Region DescribeInstances API Calls"
18references = [
19 "https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/",
20 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html",
21]
22risk_score = 21
23rule_id = "393ef120-63d1-11ef-8e38-f661ea17fbce"
24severity = "low"
25tags = [
26 "Domain: Cloud",
27 "Data Source: AWS",
28 "Data Source: AWS EC2",
29 "Use Case: Threat Detection",
30 "Tactic: Discovery",
31]
32timestamp_override = "event.ingested"
33type = "esql"
34
35query = '''
36from logs-aws.cloudtrail-*
37
38// filter for DescribeInstances API calls
39| where event.dataset == "aws.cloudtrail" and event.provider == "ec2.amazonaws.com" and event.action == "DescribeInstances"
40
41// truncate the timestamp to a 30-second window
42| eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)
43
44// count the number of unique regions and total API calls within the 30-second window
45| stats region_count = count_distinct(cloud.region), window_count = count(*) by target_time_window, aws.cloudtrail.user_identity.arn
46
47// filter for resources making DescribeInstances API calls in more than 10 regions within the 30-second window
48| where region_count >= 10 and window_count >= 10
49
50// sort the results by time windows in descending order
51| sort target_time_window desc
52'''
53
54
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1580"
59name = "Cloud Infrastructure Discovery"
60reference = "https://attack.mitre.org/techniques/T1580/"
61
62
63[rule.threat.tactic]
64id = "TA0007"
65name = "Discovery"
66reference = "https://attack.mitre.org/tactics/TA0007/"
References
-
FBot arms threat actors with a multi-function attack tool designed to hijack cloud, Saas and web services.
Read More -
Related rules
- AWS Service Quotas Multi-Region `GetServiceQuota` Requests
- Insecure AWS EC2 VPC Security Group Ingress Rule Added
- AWS EC2 EBS Snapshot Shared with Another Account
- EC2 AMI Shared with Another Account
- First Occurrence of STS GetFederationToken Request by User