AWS Discovery API Calls via CLI from a Single Resource

Detects when a single AWS resource is running multiple `Describe` and `List` API calls in a 10-second window. This behavior could indicate an actor attempting to discover the AWS infrastructure using compromised credentials or a compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to gain a better understanding of the target's infrastructure.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2024/11/04"
integration = ["aws"]
maturity = "production"
min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully"
min_stack_version = "8.13.0"
updated_date = "2024/11/07"

[rule]
author = ["Elastic"]
description = """
Detects when a single AWS resource is running multiple `Describe` and `List` API calls in a 10-second window. This
behavior could indicate an actor attempting to discover the AWS infrastructure using compromised credentials or a
compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to
gain a better understanding of the target's infrastructure.
"""
false_positives = [
    """
    Administrators or automated systems may legitimately perform multiple `Describe` and `List` API calls in a short
    time frame. Verify the user identity and the purpose of the API calls to determine if the behavior is expected.
    """,
]
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "AWS Discovery API Calls via CLI from a Single Resource"
note = """## Triage and Analysis

### Investigating AWS Discovery API Calls via CLI from a Single Resource

This rule detects multiple discovery-related API calls (`Describe`, `Get`, `List`, or `Generate` actions) within a short time window (10 seconds) from a single AWS resource. High volumes of such calls may indicate attempts to enumerate AWS infrastructure for reconnaissance purposes, which is often a tactic used by adversaries with compromised credentials or unauthorized access.

#### Possible Investigation Steps

- **Identify the Actor and Resource**:
  - **User Identity and Resource**: Examine `aws.cloudtrail.user_identity.arn` to identify the actor making the discovery requests. Verify the user or resource associated with these actions to ensure they are recognized and expected.
  - **User Agent and Tooling**: The rule only matches `user_agent.name == "aws-cli"`; check `user_agent.original` for the CLI version and platform and consider whether CLI use is normal for this identity. An EC2 instance role that normally calls APIs only through an SDK suddenly using the CLI is a strong signal of hands-on activity from a compromised instance.

- **Evaluate the Context and Scope of API Calls**:
  - **API Action Types**: Look into the specific actions under `event.action` for API calls like `Describe*`, `List*`, or `Get*`. Note if these calls are targeting sensitive services, such as `EC2`, `IAM`, or `S3`, which may suggest an attempt to identify high-value assets.
  - **Time Pattern Analysis**: Review the `time_window` and `unique_api_count` to assess whether the frequency of these calls is consistent with normal patterns for this resource or user.

- **Analyze Potential Compromise Indicators**:
  - **Identity Type**: Review `aws.cloudtrail.user_identity.type` to determine if the calls originated from an assumed role, a root user, or a service role. Unusual identity types for discovery operations may suggest misuse or compromise.
  - **Source IP and Geographic Location**: Examine the `source.ip` and `source.geo` fields to identify any unusual IP addresses or locations associated with the activity, which may help confirm or rule out external access.

- **Examine Related CloudTrail Events**:
  - **Pivot for Related Events**: Identify any additional IAM or CloudTrail events tied to the same actor ARN. Activities such as `AssumeRole`, `GetSessionToken`, or `CreateAccessKey` in proximity to these discovery calls may signal an attempt to escalate privileges.
  - **Look for Anomalous Patterns**: Determine if this actor or resource has performed similar discovery actions previously, or if these actions coincide with other alerts related to credential use or privilege escalation.

### False Positive Analysis

- **Expected Discovery Activity**: Regular discovery or enumeration API calls may be conducted by security, automation, or monitoring scripts to maintain an inventory of resources. Validate if this activity aligns with known automation or inventory tasks.
- **Routine Admin or Automated Access**: If specific roles or resources, such as automation tools or monitoring services, regularly trigger this rule, consider adding exceptions for these known, benign users to reduce false positives.

### Response and Remediation

- **Confirm Authorized Access**: If the discovery activity appears unauthorized, consider immediate steps to restrict the user or resource's permissions.
- **Revoke Unauthorized Access**: If the actor is not authorized to perform discovery actions, disable the access keys or role session in use and restrict the associated permissions to prevent further misuse.
- **Enhance Monitoring for Discovery Patterns**: Consider additional logging or alerting for high-frequency discovery API calls, especially if triggered from new or unrecognized resources.
- **Policy Review and Updates**: Review IAM policies associated with the actor, ensuring restrictive permissions and MFA enforcement where possible to prevent unauthorized discovery.

### Additional Information

For further guidance on AWS infrastructure discovery and best practices, refer to [AWS CloudTrail documentation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html) and MITRE ATT&CK's [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580/).
"""
references = ["https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/"]
risk_score = 21
rule_id = "74f45152-9aee-11ef-b0a5-f661ea17fbcd"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: AWS EC2",
    "Data Source: AWS IAM",
    "Data Source: AWS S3",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-aws.cloudtrail*

// create time window buckets of 10 seconds
| eval time_window = date_trunc(10 seconds, @timestamp)
| where
    event.dataset == "aws.cloudtrail"

    // restrict to CloudTrail events from the services most useful for infrastructure discovery
    and event.provider in (
        "iam.amazonaws.com",
        "ec2.amazonaws.com",
        "s3.amazonaws.com",
        "rds.amazonaws.com",
        "lambda.amazonaws.com",
        "dynamodb.amazonaws.com",
        "kms.amazonaws.com",
        "cloudfront.amazonaws.com",
        "elasticloadbalancing.amazonaws.com"
    )

    // ignore AWS service actions
    and aws.cloudtrail.user_identity.type != "AWSService"

    // filter for aws-cli specifically
    and user_agent.name == "aws-cli"

    // exclude DescribeCapacityReservations events related to AWS Config
    and not event.action in ("DescribeCapacityReservations")

// filter for Describe, Get, List, and Generate API calls
| where true in (
    starts_with(event.action, "Describe"),
    starts_with(event.action, "Get"),
    starts_with(event.action, "List"),
    starts_with(event.action, "Generate")
)
// extract owner, identity type, and actor from the ARN
| dissect aws.cloudtrail.user_identity.arn "%{}::%{owner}:%{identity_type}/%{actor}"
// drop the AWS Config service-linked role, which legitimately enumerates resources
| where starts_with(actor, "AWSServiceRoleForConfig") != true
| keep @timestamp, time_window, event.action, aws.cloudtrail.user_identity.arn
| stats
    // count the number of unique API calls per time window and actor
    unique_api_count = count_distinct(event.action) by time_window, aws.cloudtrail.user_identity.arn

// filter for more than 5 unique API calls per time window
| where unique_api_count > 5

// sort the results by the number of unique API calls in descending order
| sort unique_api_count desc
'''

[rule.investigation_fields]
field_names = [
    "time_window",
    "aws.cloudtrail.user_identity.arn",
    "unique_api_count"
]

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1580"
name = "Cloud Infrastructure Discovery"
reference = "https://attack.mitre.org/techniques/T1580/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
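The ES|QL pipeline above, re-implemented as an added Python example over raw CloudTrail JSON so that the filters, the 10-second bucketing and the `> 5` threshold can be exercised offline. This is not Elastic's code: the mapping from raw CloudTrail fields to the integration's ECS fields (`eventSource` to `event.provider`, `eventName` to `event.action`, `userIdentity.arn` to `aws.cloudtrail.user_identity.arn`), the derivation of `user_agent.name` from the `userAgent` string, and every record, ARN, account id and IP address are assumptions or constructed data. The block also implements the pivot from the triage note (credential events by the same ARN around an alert) and exercises the edge cases the query implies: a repeated call counts once, the excluded action and the Config service-linked role are dropped, a three-call user stays under the threshold, and a root-user burst never reaches `stats`.

```python
# Added example (not Elastic's code): the rule's ES|QL pipeline re-implemented in
# Python over raw CloudTrail JSON, so the filters and threshold can be checked offline.
# Mapping assumed from the AWS integration: eventSource -> event.provider,
# eventName -> event.action, userIdentity.arn -> aws.cloudtrail.user_identity.arn.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PROVIDERS = {"iam.amazonaws.com", "ec2.amazonaws.com", "s3.amazonaws.com",
             "rds.amazonaws.com", "lambda.amazonaws.com", "dynamodb.amazonaws.com",
             "kms.amazonaws.com", "cloudfront.amazonaws.com",
             "elasticloadbalancing.amazonaws.com"}
DISCOVERY_PREFIXES = ("Describe", "Get", "List", "Generate")
EXCLUDED_ACTIONS = {"DescribeCapacityReservations"}
WINDOW_SECONDS = 10
MIN_UNIQUE_APIS = 5                      # alert when unique_api_count > 5
PIVOT_ACTIONS = {"AssumeRole", "GetSessionToken", "CreateAccessKey"}  # from the triage note

def parse_time(event_time):
    return datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def time_window(ts):
    """date_trunc(10 seconds, @timestamp): floor to the 10-second bucket."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % WINDOW_SECONDS, tz=timezone.utc)

def user_agent_name(user_agent):
    """Assumption: user_agent.name is the product token before the first '/'."""
    return user_agent.split("/", 1)[0]

def dissect_arn(arn):
    """Mirror of DISSECT '%{}::%{owner}:%{identity_type}/%{actor}'. Returns None when
    the pattern does not match (e.g. a root ARN has no '/'), in which case the
    query's following WHERE evaluates to null and drops the row."""
    _, sep1, rest = arn.partition("::")
    owner, sep2, rest = rest.partition(":")
    identity_type, sep3, actor = rest.partition("/")
    return (owner, identity_type, actor) if sep1 and sep2 and sep3 else None

def is_candidate(rec):
    """All WHERE clauses of the query, applied to one raw CloudTrail record."""
    ident, name = rec["userIdentity"], rec["eventName"]
    if rec["eventSource"] not in PROVIDERS or ident["type"] == "AWSService":
        return False
    if user_agent_name(rec["userAgent"]) != "aws-cli" or name in EXCLUDED_ACTIONS:
        return False
    if not name.startswith(DISCOVERY_PREFIXES):
        return False
    parts = dissect_arn(ident["arn"])
    return parts is not None and not parts[2].startswith("AWSServiceRoleForConfig")

def detect(records):
    """STATS count_distinct(event.action) BY time_window, arn; keep > 5; sort desc."""
    buckets = defaultdict(set)
    for rec in filter(is_candidate, records):
        key = (time_window(parse_time(rec["eventTime"])), rec["userIdentity"]["arn"])
        buckets[key].add(rec["eventName"])
    alerts = [{"time_window": w, "arn": arn, "unique_api_count": len(acts)}
              for (w, arn), acts in buckets.items() if len(acts) > MIN_UNIQUE_APIS]
    return sorted(alerts, key=lambda a: a["unique_api_count"], reverse=True)

def related_events(records, arn, window, minutes=15):
    """Triage pivot: credential events by the same ARN within +/- minutes of the alert."""
    lo, hi = window - timedelta(minutes=minutes), window + timedelta(minutes=minutes)
    return sorted((r["eventTime"], r["eventName"]) for r in records
                  if r["userIdentity"]["arn"] == arn and r["eventName"] in PIVOT_ACTIONS
                  and lo <= parse_time(r["eventTime"]) <= hi)

# --- constructed sample records (not real CloudTrail output; account id and IP are made up)
CLI_UA = "aws-cli/2.15.30 Python/3.11.8 Linux/6.1.0 exe/x86_64"
ROLE = "arn:aws:sts::123456789012:assumed-role/web-instance-role/i-0abc12345def67890"
CONFIG = "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForConfig/AWSConfig"
ALICE = "arn:aws:iam::123456789012:user/alice"
ROOT = "arn:aws:iam::123456789012:root"

def ev(t, source, name, arn, itype="AssumedRole"):
    return {"eventTime": t, "eventSource": f"{source}.amazonaws.com", "eventName": name,
            "userAgent": CLI_UA, "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": itype, "arn": arn}}

def burst(arn, calls, itype="AssumedRole"):
    """One call per second starting at 10:00:01Z, all inside the 10:00:00 window."""
    return [ev(f"2024-11-05T10:00:0{i}Z", s, n, arn, itype) for i, (s, n) in enumerate(calls, 1)]

SAMPLE_EVENTS = [
    # Instance role: 7 distinct discovery calls (one repeat, one excluded action) -> alert
    *burst(ROLE, [("ec2", "DescribeInstances"), ("ec2", "DescribeSecurityGroups"),
                  ("ec2", "DescribeInstances"), ("s3", "ListBuckets"), ("iam", "ListRoles"),
                  ("lambda", "ListFunctions"), ("kms", "ListKeys"),
                  ("rds", "DescribeDBInstances"), ("ec2", "DescribeCapacityReservations")]),
    ev("2024-11-05T10:00:12Z", "dynamodb", "ListTables", ROLE),   # next window, count 1
    ev("2024-11-05T10:02:40Z", "sts", "AssumeRole", ROLE),        # pivot candidates
    ev("2024-11-05T10:04:30Z", "iam", "CreateAccessKey", ROLE),
    # AWS Config service-linked role: 6 calls, excluded by the actor-prefix check
    *burst(CONFIG, [("ec2", n) for n in ("DescribeInstances", "DescribeVolumes",
           "DescribeSecurityGroups", "DescribeVpcs", "DescribeSubnets", "DescribeRouteTables")]),
    # IAM user with 3 calls: below the threshold
    *burst(ALICE, [("iam", "ListUsers"), ("s3", "ListBuckets"), ("iam", "GetUser")], "IAMUser"),
    # Root user with 6 calls: the ARN has no '/', so dissect yields null and the rows are dropped
    *burst(ROOT, [("ec2", n) for n in ("DescribeInstances", "DescribeVolumes",
           "DescribeSecurityGroups", "DescribeVpcs", "DescribeSubnets", "DescribeImages")], "Root"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["time_window"].isoformat(), a["arn"], a["unique_api_count"])
        print("  related:", related_events(SAMPLE_EVENTS, a["arn"], a["time_window"]))
```

Running it produces a single alert: the instance role in the 10:00:00 window with `unique_api_count` 7, and `AssumeRole` followed by `CreateAccessKey` as related events, which is exactly the escalation sequence the triage note tells the analyst to look for. The root case is worth knowing when tuning: reading the query, `dissect` only populates `actor` when the ARN contains a `/` after the identity type, so for a root ARN such as `arn:aws:iam::123456789012:root` `actor` is null, `starts_with(actor, "AWSServiceRoleForConfig") != true` evaluates to null, and the `where` drops the row. Root-user discovery bursts, which the triage note asks the analyst to consider, therefore do not surface from this rule as written; if that matters in your environment, make the exclusion null-safe (for example `where actor is null or not starts_with(actor, "AWSServiceRoleForConfig")`) or filter on the full ARN instead.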
Related rules
- AWS EC2 Multi-Region DescribeInstances API Calls
- AWS S3 Object Encryption Using External KMS Key
- AWS Service Quotas Multi-Region `GetServiceQuota` Requests
- Potential AWS S3 Bucket Ransomware Note Uploaded
- AWS EC2 EBS Snapshot Shared with Another Account