AWS Discovery API Calls via CLI from a Single Resource

  1[metadata]
  2creation_date = "2024/11/04"
  3integration = ["aws"]
  4maturity = "production"
  5min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0"
  6min_stack_version = "9.2.0"
  7updated_date = "2026/04/10"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Detects when a single AWS resource is running multiple read-only, discovery API calls in a 10-second window. This
 13behavior could indicate an actor attempting to discover the AWS infrastructure using compromised credentials or a
 14compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to
 15gain a better understanding of the target's infrastructure.
 16"""
 17false_positives = [
 18    """
 19    Administrators or automated systems may legitimately perform multiple `Describe`, `List`, `Get` and `Generate` API
 20    calls in a short time frame. Verify the user identity and the purpose of the API calls to determine if the behavior
 21    is expected.
 22    """,
 23]
 24from = "now-6m"
 25language = "esql"
 26license = "Elastic License v2"
 27name = "AWS Discovery API Calls via CLI from a Single Resource"
 28note = """## Triage and analysis
 29
 30### Investigating AWS Discovery API Calls via CLI from a Single Resource
 31
 32This rule detects when a single AWS identity executes more than five unique discovery-related API calls (`Describe*`, `List*`, `Get*`, or `Generate*`) within a 10-second window using the AWS CLI.  
 33High volumes of diverse “read-only” API calls in such a short period can indicate scripted reconnaissance, often an early phase of compromise after credential exposure or access to a compromised EC2 instance.  
 34
 35### Possible investigation steps
 36
 37**Identify the actor and session context**
 38- **Actor ARN (`aws.cloudtrail.user_identity.arn`)**: Determine which IAM user, role, or service principal performed the actions.  
 39  - Check whether this identity normally performs enumeration activity or belongs to automation infrastructure.  
 40- **Identity type (`Esql.aws_cloudtrail_user_identity_arn_type`)**: Validate if the caller is a human IAM user, assumed role, or federated identity. Unusual types (e.g., temporary credentials from an unfamiliar role) may indicate lateral movement.  
 41- **Access key (`Esql.aws_cloudtrail_user_identity_access_key_id_values`)** – Identify which specific access key or temporary credential was used.  
 42  - If multiple suspicious keys are found, use AWS IAM console or `aws iam list-access-keys` to determine when they were last used or rotated.  
 43- **Account (`Esql.cloud_account_id_values`)** – Confirm which AWS account was affected and whether it matches the intended operational context (e.g., production vs. sandbox).
 44
 45**Assess the API call pattern and intent**
 46- **Distinct action count (`Esql.event_action_count_distinct`)**: Note how many unique API calls occurred within each 10-second window. Counts far above normal operational baselines may indicate scripted reconnaissance.  
 47- **API actions (`Esql.event_action_values`)**: Review which discovery APIs were invoked.  
 48  - Focus on services such as EC2 (`DescribeInstances`), IAM (`ListRoles`, `ListAccessKeys`), S3 (`ListBuckets`), and KMS (`ListKeys`), which adversaries frequently query to map assets.  
 49- **Service providers (`Esql.event_provider_values`)**: Identify which AWS services were targeted.  
 50  - Multi-service enumeration (IAM + EC2 + S3) suggests broad discovery rather than a specific diagnostic task.  
 51- **Time window (`Esql.time_window_date_trunc`)**: Verify whether activity occurred during normal maintenance windows or outside expected hours.
 52
 53**Analyze the source and origin**
 54- **Source IP (`Esql.source_ip_values`)**: Check the originating IPs to determine whether the calls came from a known internal host, an EC2 instance, or an unfamiliar external network.  
 55  - Compare with known corporate CIDR ranges, VPC flow logs, or guardrail baselines.  
 56- **Source organization (`Esql.source_as_organization_name_values`)**: Review the associated ASN or organization.  
 57  - If the ASN belongs to a commercial ISP or VPN service, investigate possible credential compromise or remote attacker usage.
 58
 59**Correlate with additional events**
 60- Search CloudTrail for the same `aws.cloudtrail.user_identity.arn` or `aws_cloudtrail_user_identity_access_key_id_values` within ±30 minutes.  
 61  - Look for follow-on actions such as `GetCallerIdentity`, `AssumeRole`, `CreateAccessKey`, or data access (`GetObject`, `CopySnapshot`).  
 62  - Correlate this enumeration with authentication anomalies or privilege-related findings.  
 63- Cross-reference `Esql.cloud_account_id_values` with other alerts for lateral or privilege escalation patterns.
 64
 65### False positive analysis
 66
 67Legitimate, high-frequency API activity may originate from:
 68- **Inventory or compliance automation**: Scripts or tools such as AWS Config, Cloud Custodian, or custom CMDB collection performing periodic Describe/List calls.  
 69- **Operational monitoring systems**: DevOps pipelines, Terraform, or deployment verifiers enumerating resources.  
 70- **Security tooling**: Security scanners performing asset discovery across services.
 71
 72Validate by confirming:
 73- Whether the `aws.cloudtrail.user_identity.arn` corresponds to a documented automation or monitoring identity.  
 74- That the observed `Esql.event_action_values` match known inventory or cost-reporting workflows.  
 75- Timing alignment with approved maintenance schedules.
 76
 77### Response and remediation
 78
 79If the activity is unexpected or originates from unrecognized credentials, follow AWS’s incident-handling guidance:
 80
 81**Contain**
 82- Temporarily disable or rotate the access key (`Esql.aws_cloudtrail_user_identity_access_key_id_values`) using IAM.  
 83- Restrict outbound connectivity for the instance or resource from which the API calls originated.
 84
 85**Investigate**
 86- Retrieve full CloudTrail logs for the actor and `Esql.time_window_date_trunc` interval.  
 87- Identify any subsequent write or privilege-modification actions.  
 88- Review associated IAM policies for excessive permissions.
 89
 90**Recover and Harden**
 91- Rotate credentials, enforce MFA on human users, and tighten IAM role trust policies.  
 92- Implement AWS Config rules or SCPs to monitor and restrict large-scale enumeration.
 93
 94**Post-Incident Actions**
 95- Document the finding and response in your organization’s IR management system.  
 96- Update detection logic or allow-lists for known benign automation.  
 97- Validate recovery by confirming no new suspicious discovery bursts occur.
 98
 99### Additional information
100
101- **AWS Documentation**
102  - [CloudTrail Event Reference](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html)
103  - [AWS Security Incident Response Guide](https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/aws-security-incident-response-guide.pdf)
104- **AWS Playbook Resources**
105  - [AWS Incident Response Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/tree/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks)
106  - [AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework)
107
108"""
109references = [
110    "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/",
111    "https://kudelskisecurity.com/research/investigating-two-variants-of-the-trivy-supply-chain-compromise",
112]
113risk_score = 21
114rule_id = "74f45152-9aee-11ef-b0a5-f661ea17fbcd"
115severity = "low"
116tags = [
117    "Domain: Cloud",
118    "Data Source: AWS",
119    "Data Source: AWS EC2",
120    "Data Source: AWS IAM",
121    "Data Source: AWS S3",
122    "Data Source: AWS Cloudtrail",
123    "Data Source: AWS RDS",
124    "Data Source: AWS Lambda",
125    "Data Source: AWS STS",
126    "Data Source: AWS KMS",
127    "Data Source: AWS SES",
128    "Data Source: AWS Cloudfront",
129    "Data Source: AWS DynamoDB",
130    "Data Source: AWS Elastic Load Balancing",
131    "Data Source: AWS Organizations",
132    "Use Case: Threat Detection",
133    "Tactic: Discovery",
134    "Resources: Investigation Guide",
135]
136timestamp_override = "event.ingested"
137type = "esql"
138
139query = '''
140from logs-aws.cloudtrail-* metadata _id, _version, _index
141// create time window buckets of 10 seconds
142| eval Esql.time_window_date_trunc = date_trunc(10 seconds, @timestamp)
143
144| where
145    data_stream.dataset == "aws.cloudtrail"
146    
147    // exclude service account and console behavior
148    and source.ip IS NOT NULL
149    and aws.cloudtrail.session_credential_from_console IS NULL
150    and event.provider in (
151      "iam.amazonaws.com",
152      "ec2.amazonaws.com",
153      "s3.amazonaws.com",
154      "rds.amazonaws.com",
155      "lambda.amazonaws.com",
156      "dynamodb.amazonaws.com",
157      "kms.amazonaws.com",
158      "cloudfront.amazonaws.com",
159      "elasticloadbalancing.amazonaws.com", 
160      "cloudtrail.amazonaws.com",
161      "sts.amazonaws.com",
162      "ses.amazonaws.com",
163      "organizations.amazonaws.com"
164    )
165    // ignore AWS service actions
166    and aws.cloudtrail.user_identity.type != "AWSService"
167    // filter for aws-cli specifically
168    and user_agent.name == "aws-cli"
169    // exclude DescribeCapacityReservations events related to AWS Config
170    and event.action != "DescribeCapacityReservations"
171    and user.name != "AWSServiceRoleForConfig"
172
173// filter for Describe, Get, List, and Generate API calls
174| where true in (
175    starts_with(event.action, "Describe"),
176    starts_with(event.action, "Get"),
177    starts_with(event.action, "List"),
178    starts_with(event.action, "Generate")
179)
180
181// keep relevant fields (preserving ECS fields and computed time window)
182| keep 
183    @timestamp, 
184    Esql.time_window_date_trunc, 
185    event.action, 
186    aws.cloudtrail.user_identity.arn, 
187    aws.cloudtrail.user_identity.type, 
188    aws.cloudtrail.user_identity.access_key_id, 
189    source.ip, 
190    cloud.account.id, 
191    event.provider, 
192    user_agent.name, 
193    source.as.organization.name, 
194    cloud.region,
195    data_stream.namespace
196
197// count the number of unique API calls per time window and actor
198| stats
199    Esql.event_action_count_distinct = count_distinct(event.action),
200    Esql.event_action_values = VALUES(event.action),
201    Esql.event_timestamp_values = VALUES(@timestamp),
202    Esql.aws_cloudtrail_user_identity_type_values = VALUES(aws.cloudtrail.user_identity.type),
203    Esql.aws_cloudtrail_user_identity_access_key_id_values = VALUES(aws.cloudtrail.user_identity.access_key_id),
204    Esql.source_ip_values = VALUES(source.ip),
205    Esql.cloud_account_id_values = VALUES(cloud.account.id),
206    Esql.event_provider_values = VALUES(event.provider),
207    Esql.user_agent_name_values = VALUES(user_agent.name),
208    Esql.source_as_organization_name_values = VALUES(source.as.organization.name),
209    Esql.cloud_region_values = VALUES(cloud.region),
210    Esql.data_stream_namespace_values = VALUES(data_stream.namespace)
211  by Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn
212
213// filter for more than 5 unique API calls per 10s window
214| where Esql.event_action_count_distinct > 5
215'''
216
217
218[[rule.threat]]
219framework = "MITRE ATT&CK"
220[[rule.threat.technique]]
221id = "T1087"
222name = "Account Discovery"
223reference = "https://attack.mitre.org/techniques/T1087/"
224[[rule.threat.technique.subtechnique]]
225id = "T1087.004"
226name = "Cloud Account"
227reference = "https://attack.mitre.org/techniques/T1087/004/"
228
229
230[[rule.threat.technique]]
231id = "T1526"
232name = "Cloud Service Discovery"
233reference = "https://attack.mitre.org/techniques/T1526/"
234
235[[rule.threat.technique]]
236id = "T1580"
237name = "Cloud Infrastructure Discovery"
238reference = "https://attack.mitre.org/techniques/T1580/"
239
240
241[rule.threat.tactic]
242id = "TA0007"
243name = "Discovery"
244reference = "https://attack.mitre.org/tactics/TA0007/"
245
246[rule.investigation_fields]
247field_names = [
248    "Esql.event_action_count_distinct",
249    "Esql.time_window_date_trunc",
250    "aws.cloudtrail.user_identity.arn",
251    "Esql.aws_cloudtrail_user_identity_type_values",
252    "Esql.aws_cloudtrail_user_identity_access_key_id_values",
253    "Esql.source_ip_values",
254    "Esql.source_as_organization_name_values",
255    "Esql.event_provider_values",
256    "Esql.event_action_values",
257    "Esql.cloud_account_id_values",
258    "Esql.cloud_region_values",
259    "Esql.data_stream_namespace_values",
260]