AWS Discovery API Calls via CLI from a Single Resource
Detects when a single AWS resource is running multiple Describe
and List
API calls in a 10-second window. This
behavior could indicate an actor attempting to discover the AWS infrastructure using compromised credentials or a
compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to
gain a better understanding of the target's infrastructure.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/11/04"
3integration = ["aws"]
4maturity = "production"
5min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully"
6min_stack_version = "8.13.0"
7updated_date = "2025/01/15"
8
9[rule]
10author = ["Elastic"]
11description = """
12Detects when a single AWS resource is running multiple `Describe` and `List` API calls in a 10-second window. This
13behavior could indicate an actor attempting to discover the AWS infrastructure using compromised credentials or a
14compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to
15gain a better understanding of the target's infrastructure.
16"""
17false_positives = [
18 """
19 Administrators or automated systems may legitimately perform multiple `Describe` and `List` API calls in a short
20 time frame. Verify the user identity and the purpose of the API calls to determine if the behavior is expected.
21 """,
22]
23from = "now-9m"
24language = "esql"
25license = "Elastic License v2"
26name = "AWS Discovery API Calls via CLI from a Single Resource"
27note = """## Triage and analysis
28
29### Investigating AWS Discovery API Calls via CLI from a Single Resource
30
31This rule detects multiple discovery-related API calls (`Describe`, `List`, or `Get` actions) within a short time window (30 seconds) from a single AWS resource. High volumes of such calls may indicate attempts to enumerate AWS infrastructure for reconnaissance purposes, which is often a tactic used by adversaries with compromised credentials or unauthorized access.
32
33#### Possible Investigation Steps
34
35- **Identify the Actor and Resource**:
36 - **User Identity and Resource**: Examine `aws.cloudtrail.user_identity.arn` to identify the actor making the discovery requests. Verify the user or resource associated with these actions to ensure they are recognized and expected.
37 - **User Agent and Tooling**: Check `user_agent.name` to confirm whether the `aws-cli` tool was used for these requests. Use of the CLI in an atypical context might indicate unauthorized or automated access.
38
39- **Evaluate the Context and Scope of API Calls**:
40 - **API Action Types**: Look into the specific actions under `event.action` for API calls like `Describe*`, `List*`, or `Get*`. Note if these calls are targeting sensitive services, such as `EC2`, `IAM`, or `S3`, which may suggest an attempt to identify high-value assets.
41 - **Time Pattern Analysis**: Review the `time_window` and `unique_api_count` to assess whether the frequency of these calls is consistent with normal patterns for this resource or user.
42
43- **Analyze Potential Compromise Indicators**:
44 - **Identity Type**: Review `aws.cloudtrail.user_identity.type` to determine if the calls originated from an assumed role, a root user, or a service role. Unusual identity types for discovery operations may suggest misuse or compromise.
45 - **Source IP and Geographic Location**: Examine the `source.ip` and `source.geo` fields to identify any unusual IP addresses or locations associated with the activity, which may help confirm or rule out external access.
46
47- **Examine Related CloudTrail Events**:
48 - **Pivot for Related Events**: Identify any additional IAM or CloudTrail events tied to the same actor ARN. Activities such as `AssumeRole`, `GetSessionToken`, or `CreateAccessKey` in proximity to these discovery calls may signal an attempt to escalate privileges.
49 - **Look for Anomalous Patterns**: Determine if this actor or resource has performed similar discovery actions previously, or if these actions coincide with other alerts related to credential use or privilege escalation.
50
51### False Positive Analysis
52
53- **Expected Discovery Activity**: Regular discovery or enumeration API calls may be conducted by security, automation, or monitoring scripts to maintain an inventory of resources. Validate if this activity aligns with known automation or inventory tasks.
54- **Routine Admin or Automated Access**: If specific roles or resources, such as automation tools or monitoring services, regularly trigger this rule, consider adding exceptions for these known, benign users to reduce false positives.
55
56### Response and Remediation
57
58- **Confirm Authorized Access**: If the discovery activity appears unauthorized, consider immediate steps to restrict the user or resource’s permissions.
59- **Review and Remove Unauthorized API Calls**: If the actor is not authorized to perform discovery actions, investigate and potentially disable their permissions or access keys to prevent further misuse.
60- **Enhance Monitoring for Discovery Patterns**: Consider additional logging or alerting for high-frequency discovery API calls, especially if triggered from new or unrecognized resources.
61- **Policy Review and Updates**: Review IAM policies associated with the actor, ensuring restrictive permissions and MFA enforcement where possible to prevent unauthorized discovery.
62
63### Additional Information
64
65For further guidance on AWS infrastructure discovery and best practices, refer to [AWS CloudTrail documentation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html) and MITRE ATT&CK’s [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580/).
66"""
67references = ["https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/"]
68risk_score = 21
69rule_id = "74f45152-9aee-11ef-b0a5-f661ea17fbcd"
70severity = "low"
71tags = [
72 "Domain: Cloud",
73 "Data Source: AWS",
74 "Data Source: AWS EC2",
75 "Data Source: AWS IAM",
76 "Data Source: AWS S3",
77 "Use Case: Threat Detection",
78 "Tactic: Discovery",
79 "Resources: Investigation Guide",
80]
81timestamp_override = "event.ingested"
82type = "esql"
83
84query = '''
85from logs-aws.cloudtrail*
86
87// create time window buckets of 10 seconds
88| eval time_window = date_trunc(10 seconds, @timestamp)
89| where
90 event.dataset == "aws.cloudtrail"
91
92 // filter on CloudTrail audit logs for IAM, EC2, and S3 events only
93 and event.provider in (
94 "iam.amazonaws.com",
95 "ec2.amazonaws.com",
96 "s3.amazonaws.com",
97 "rds.amazonaws.com",
98 "lambda.amazonaws.com",
99 "dynamodb.amazonaws.com",
100 "kms.amazonaws.com",
101 "cloudfront.amazonaws.com",
102 "elasticloadbalancing.amazonaws.com",
103 "cloudfront.amazonaws.com"
104 )
105
106 // ignore AWS service actions
107 and aws.cloudtrail.user_identity.type != "AWSService"
108
109 // filter for aws-cli specifically
110 and user_agent.name == "aws-cli"
111
112 // exclude DescribeCapacityReservations events related to AWS Config
113 and not event.action in ("DescribeCapacityReservations")
114
115// filter for Describe, Get, List, and Generate API calls
116| where true in (
117 starts_with(event.action, "Describe"),
118 starts_with(event.action, "Get"),
119 starts_with(event.action, "List"),
120 starts_with(event.action, "Generate")
121)
122// extract owner, identity type, and actor from the ARN
123| dissect aws.cloudtrail.user_identity.arn "%{}::%{owner}:%{identity_type}/%{actor}"
124| where starts_with(actor, "AWSServiceRoleForConfig") != true
125| keep @timestamp, time_window, event.action, aws.cloudtrail.user_identity.arn
126| stats
127 // count the number of unique API calls per time window and actor
128 unique_api_count = count_distinct(event.action) by time_window, aws.cloudtrail.user_identity.arn
129
130// filter for more than 5 unique API calls per time window
131| where unique_api_count > 5
132
133// sort the results by the number of unique API calls in descending order
134| sort unique_api_count desc
135'''
136
137[rule.investigation_fields]
138field_names = [
139 "time_window",
140 "aws.cloudtrail.user_identity.arn",
141 "unique_api_count"
142]
143
144[[rule.threat]]
145framework = "MITRE ATT&CK"
146[[rule.threat.technique]]
147id = "T1580"
148name = "Cloud Infrastructure Discovery"
149reference = "https://attack.mitre.org/techniques/T1580/"
150
151
152[rule.threat.tactic]
153id = "TA0007"
154name = "Discovery"
155reference = "https://attack.mitre.org/tactics/TA0007/"
Triage and analysis
Investigating AWS Discovery API Calls via CLI from a Single Resource
This rule detects multiple discovery-related API calls (Describe
, List
, or Get
actions) within a short time window (30 seconds) from a single AWS resource. High volumes of such calls may indicate attempts to enumerate AWS infrastructure for reconnaissance purposes, which is often a tactic used by adversaries with compromised credentials or unauthorized access.
Possible Investigation Steps
-
Identify the Actor and Resource:
- User Identity and Resource: Examine
aws.cloudtrail.user_identity.arn
to identify the actor making the discovery requests. Verify the user or resource associated with these actions to ensure they are recognized and expected. - User Agent and Tooling: Check
user_agent.name
to confirm whether theaws-cli
tool was used for these requests. Use of the CLI in an atypical context might indicate unauthorized or automated access.
- User Identity and Resource: Examine
-
Evaluate the Context and Scope of API Calls:
- API Action Types: Look into the specific actions under
event.action
for API calls likeDescribe*
,List*
, orGet*
. Note if these calls are targeting sensitive services, such asEC2
,IAM
, orS3
, which may suggest an attempt to identify high-value assets. - Time Pattern Analysis: Review the
time_window
andunique_api_count
to assess whether the frequency of these calls is consistent with normal patterns for this resource or user.
- API Action Types: Look into the specific actions under
-
Analyze Potential Compromise Indicators:
- Identity Type: Review
aws.cloudtrail.user_identity.type
to determine if the calls originated from an assumed role, a root user, or a service role. Unusual identity types for discovery operations may suggest misuse or compromise. - Source IP and Geographic Location: Examine the
source.ip
andsource.geo
fields to identify any unusual IP addresses or locations associated with the activity, which may help confirm or rule out external access.
- Identity Type: Review
-
Examine Related CloudTrail Events:
- Pivot for Related Events: Identify any additional IAM or CloudTrail events tied to the same actor ARN. Activities such as
AssumeRole
,GetSessionToken
, orCreateAccessKey
in proximity to these discovery calls may signal an attempt to escalate privileges. - Look for Anomalous Patterns: Determine if this actor or resource has performed similar discovery actions previously, or if these actions coincide with other alerts related to credential use or privilege escalation.
- Pivot for Related Events: Identify any additional IAM or CloudTrail events tied to the same actor ARN. Activities such as
False Positive Analysis
- Expected Discovery Activity: Regular discovery or enumeration API calls may be conducted by security, automation, or monitoring scripts to maintain an inventory of resources. Validate if this activity aligns with known automation or inventory tasks.
- Routine Admin or Automated Access: If specific roles or resources, such as automation tools or monitoring services, regularly trigger this rule, consider adding exceptions for these known, benign users to reduce false positives.
Response and Remediation
- Confirm Authorized Access: If the discovery activity appears unauthorized, consider immediate steps to restrict the user or resource’s permissions.
- Review and Remove Unauthorized API Calls: If the actor is not authorized to perform discovery actions, investigate and potentially disable their permissions or access keys to prevent further misuse.
- Enhance Monitoring for Discovery Patterns: Consider additional logging or alerting for high-frequency discovery API calls, especially if triggered from new or unrecognized resources.
- Policy Review and Updates: Review IAM policies associated with the actor, ensuring restrictive permissions and MFA enforcement where possible to prevent unauthorized discovery.
Additional Information
For further guidance on AWS infrastructure discovery and best practices, refer to AWS CloudTrail documentation and MITRE ATT&CK’s Cloud Infrastructure Discovery.
References
Related rules
- AWS EC2 Deprecated AMI Discovery
- AWS EC2 Multi-Region DescribeInstances API Calls
- AWS EC2 EBS Snapshot Shared or Made Public
- AWS S3 Bucket Policy Added to Share with External Account
- AWS S3 Bucket Replicated to Another Account