AWS Discovery API Calls via CLI from a Single Resource

  1[metadata]
  2creation_date = "2024/11/04"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects when a single AWS resource is running multiple `Describe` and `List` API calls in a 10-second window. This
 11behavior could indicate an actor attempting to discover the AWS infrastructure using compromised credentials or a
 12compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to
 13gain a better understanding of the target's infrastructure.
 14"""
 15false_positives = [
 16    """
 17    Administrators or automated systems may legitimately perform multiple `Describe` and `List` API calls in a short
 18    time frame. Verify the user identity and the purpose of the API calls to determine if the behavior is expected.
 19    """,
 20]
 21from = "now-9m"
 22language = "esql"
 23license = "Elastic License v2"
 24name = "AWS Discovery API Calls via CLI from a Single Resource"
 25note = """## Triage and analysis
 26
 27### Investigating AWS Discovery API Calls via CLI from a Single Resource
 28
 29This rule detects multiple discovery-related API calls (`Describe`, `List`, or `Get` actions) within a short time window (30 seconds) from a single AWS resource. High volumes of such calls may indicate attempts to enumerate AWS infrastructure for reconnaissance purposes, which is often a tactic used by adversaries with compromised credentials or unauthorized access.
 30
 31#### Possible Investigation Steps
 32
 33- **Identify the Actor and Resource**:
 34  - **User Identity and Resource**: Examine `aws.cloudtrail.user_identity.arn` to identify the actor making the discovery requests. Verify the user or resource associated with these actions to ensure they are recognized and expected.
 35  - **User Agent and Tooling**: Check `user_agent.name` to confirm whether the `aws-cli` tool was used for these requests. Use of the CLI in an atypical context might indicate unauthorized or automated access.
 36
 37- **Evaluate the Context and Scope of API Calls**:
 38  - **API Action Types**: Look into the specific actions under `event.action` for API calls like `Describe*`, `List*`, or `Get*`. Note if these calls are targeting sensitive services, such as `EC2`, `IAM`, or `S3`, which may suggest an attempt to identify high-value assets.
 39  - **Time Pattern Analysis**: Review the `time_window` and `unique_api_count` to assess whether the frequency of these calls is consistent with normal patterns for this resource or user.
 40
 41- **Analyze Potential Compromise Indicators**:
 42  - **Identity Type**: Review `aws.cloudtrail.user_identity.type` to determine if the calls originated from an assumed role, a root user, or a service role. Unusual identity types for discovery operations may suggest misuse or compromise.
 43  - **Source IP and Geographic Location**: Examine the `source.ip` and `source.geo` fields to identify any unusual IP addresses or locations associated with the activity, which may help confirm or rule out external access.
 44
 45- **Examine Related CloudTrail Events**:
 46  - **Pivot for Related Events**: Identify any additional IAM or CloudTrail events tied to the same actor ARN. Activities such as `AssumeRole`, `GetSessionToken`, or `CreateAccessKey` in proximity to these discovery calls may signal an attempt to escalate privileges.
 47  - **Look for Anomalous Patterns**: Determine if this actor or resource has performed similar discovery actions previously, or if these actions coincide with other alerts related to credential use or privilege escalation.
 48
 49### False Positive Analysis
 50
 51- **Expected Discovery Activity**: Regular discovery or enumeration API calls may be conducted by security, automation, or monitoring scripts to maintain an inventory of resources. Validate if this activity aligns with known automation or inventory tasks.
 52- **Routine Admin or Automated Access**: If specific roles or resources, such as automation tools or monitoring services, regularly trigger this rule, consider adding exceptions for these known, benign users to reduce false positives.
 53
 54### Response and Remediation
 55
 56- **Confirm Authorized Access**: If the discovery activity appears unauthorized, consider immediate steps to restrict the user or resource’s permissions.
 57- **Review and Remove Unauthorized API Calls**: If the actor is not authorized to perform discovery actions, investigate and potentially disable their permissions or access keys to prevent further misuse.
 58- **Enhance Monitoring for Discovery Patterns**: Consider additional logging or alerting for high-frequency discovery API calls, especially if triggered from new or unrecognized resources.
 59- **Policy Review and Updates**: Review IAM policies associated with the actor, ensuring restrictive permissions and MFA enforcement where possible to prevent unauthorized discovery.
 60
 61### Additional Information
 62
 63For further guidance on AWS infrastructure discovery and best practices, refer to [AWS CloudTrail documentation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html) and MITRE ATT&CK’s [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580/).
 64"""
 65references = ["https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/"]
 66risk_score = 21
 67rule_id = "74f45152-9aee-11ef-b0a5-f661ea17fbcd"
 68severity = "low"
 69tags = [
 70    "Domain: Cloud",
 71    "Data Source: AWS",
 72    "Data Source: AWS EC2",
 73    "Data Source: AWS IAM",
 74    "Data Source: AWS S3",
 75    "Use Case: Threat Detection",
 76    "Tactic: Discovery",
 77    "Resources: Investigation Guide",
 78]
 79timestamp_override = "event.ingested"
 80type = "esql"
 81
 82query = '''
 83from logs-aws.cloudtrail*
 84
 85// create time window buckets of 10 seconds
 86| eval time_window = date_trunc(10 seconds, @timestamp)
 87| where
 88    event.dataset == "aws.cloudtrail"
 89
 90    // filter on CloudTrail audit logs for IAM, EC2, and S3 events only
 91    and event.provider in (
 92      "iam.amazonaws.com",
 93      "ec2.amazonaws.com",
 94      "s3.amazonaws.com",
 95      "rds.amazonaws.com",
 96      "lambda.amazonaws.com",
 97      "dynamodb.amazonaws.com",
 98      "kms.amazonaws.com",
 99      "cloudfront.amazonaws.com",
100      "elasticloadbalancing.amazonaws.com",
101      "cloudfront.amazonaws.com"
102    )
103
104    // ignore AWS service actions
105    and aws.cloudtrail.user_identity.type != "AWSService"
106
107    // filter for aws-cli specifically
108    and user_agent.name == "aws-cli"
109
110    // exclude DescribeCapacityReservations events related to AWS Config
111    and not event.action in ("DescribeCapacityReservations")
112
113// filter for Describe, Get, List, and Generate API calls
114| where true in (
115    starts_with(event.action, "Describe"),
116    starts_with(event.action, "Get"),
117    starts_with(event.action, "List"),
118    starts_with(event.action, "Generate")
119)
120// extract owner, identity type, and actor from the ARN
121| dissect aws.cloudtrail.user_identity.arn "%{}::%{owner}:%{identity_type}/%{actor}"
122| where starts_with(actor, "AWSServiceRoleForConfig") != true
123| keep @timestamp, time_window, event.action, aws.cloudtrail.user_identity.arn
124| stats
125    // count the number of unique API calls per time window and actor
126    unique_api_count = count_distinct(event.action) by time_window, aws.cloudtrail.user_identity.arn
127
128// filter for more than 5 unique API calls per time window
129| where unique_api_count > 5
130
131// sort the results by the number of unique API calls in descending order
132| sort unique_api_count desc
133'''
134
135
136[[rule.threat]]
137framework = "MITRE ATT&CK"
138[[rule.threat.technique]]
139id = "T1580"
140name = "Cloud Infrastructure Discovery"
141reference = "https://attack.mitre.org/techniques/T1580/"
142
143
144[rule.threat.tactic]
145id = "TA0007"
146name = "Discovery"
147reference = "https://attack.mitre.org/tactics/TA0007/"
148
149[rule.investigation_fields]
150field_names = ["time_window", "aws.cloudtrail.user_identity.arn", "unique_api_count"]