AWS Account Discovery By Rare User

Identifies the first time, within a lookback window, an identity performs AWS Organizations or IAM account enumeration APIs. Attackers with compromised credentials often map the organization (accounts, OUs, roots, delegated admins) and account-level metadata (aliases, summary) using the AWS CLI or SDKs. This is a New Terms rule detecting a rare occurrence of the cloud.account.id and user.name pair for these actions.

Elastic rule

[metadata]
creation_date = "2026/04/01"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/10"
min_stack_version = "9.2.0"
min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0"

[rule]
author = ["Elastic"]
description = """
Identifies the first time, within a lookback window, an identity performs AWS Organizations or IAM account enumeration
APIs. Attackers with compromised credentials often map the organization (accounts, OUs, roots, delegated admins) and
account-level metadata (aliases, summary) using the AWS CLI or SDKs. This is a New Terms rule detecting a rare
occurrence of the `cloud.account.id` and `user.name` pair for these actions.
"""
false_positives = [
    """
    Organization and security administrators, billing tooling, landing-zone automation, and delegated administrator
    workflows may call these APIs legitimately. Interactive or one-off use from unusual principals warrants review.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Account Discovery By Rare User"
note = """## Triage and analysis

### Investigating AWS Account Discovery By Rare User

AWS Organizations and IAM expose read APIs that reveal organization structure, member accounts, delegation, and
account-level aliases. Threat actors and tools such as Pacu (`organizations__enum`) chain these calls to understand
multi-account layout after credential access.

This rule uses [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) to detect when an identity makes a discovery API call that has not been seen in the configured history window.

### Possible investigation steps

**Identify the actor and session context**
- Confirm who `user.name` and `aws.cloudtrail.user_identity.arn` represent (human, workload role, automation).

**Analyze the source and origin**
- Review `source.ip`, geolocation, and whether the call aligns with normal egress for that principal.
- Inspect `user_agent.original` for CLI, Boto3/Botocore, consoles, or unfamiliar tooling.

**Correlate with additional events**
- Correlate with STS calls (`GetCallerIdentity`, `AssumeRole`) and broader discovery or privilege changes in the same session.
- If the principal is new or rarely used, review IAM policies and recent key rotation.

### False positive analysis

- Documented org-admin or security roles in the management account; add exceptions by ARN if needed.
- Centralized compliance or CSPM that enumerates org structure on a schedule.

### Response and remediation

- If unexpected, rotate credentials for the implicated principal, review CloudTrail for follow-on API activity, and
  tighten least privilege on Organizations/IAM read APIs where appropriate.

### Additional information

- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks)**
"""
references = [
    "https://kudelskisecurity.com/research/investigating-two-variants-of-the-trivy-supply-chain-compromise",
    "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/organizations__enum/main.py",
]
risk_score = 21
rule_id = "444c8fad-874f-4f59-b0ea-cf26cea478bd"
severity = "low"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS CloudTrail",
    "Data Source: AWS Organizations",
    "Data Source: AWS IAM",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
data_stream.dataset: "aws.cloudtrail"
    and event.outcome: "success"
    and source.ip:*
    and not aws.cloudtrail.session_credential_from_console: "true"
    and not aws.cloudtrail.user_identity.type: "AWSService"
    and (
        (
            event.provider: "organizations.amazonaws.com"
            and event.action: (
                "DescribeOrganization" or "DescribeOrganizationalUnit" or "ListAccounts" or "ListRoots"
                or "ListOrganizationalUnitsForParent" or "ListAccountsForParent" or "ListPolicies"
                or "ListAWSServiceAccessForOrganization" or "ListDelegatedAdministrators"
                or "ListDelegatedServicesForAccount" or "DescribeResourcePolicy"
            )
        )
        or (
            event.provider: "iam.amazonaws.com"
            and event.action: ("ListAccountAliases" or "GetAccountSummary")
        )
    )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1087"
name = "Account Discovery"
reference = "https://attack.mitre.org/techniques/T1087/"
[[rule.threat.technique.subtechnique]]
id = "T1087.004"
name = "Cloud Account"
reference = "https://attack.mitre.org/techniques/T1087/004/"


[[rule.threat.technique]]
id = "T1580"
name = "Cloud Infrastructure Discovery"
reference = "https://attack.mitre.org/techniques/T1580/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "event.provider",
    "cloud.account.id",
    "cloud.region",
]

[rule.new_terms]
field = "new_terms_fields"
value = ["cloud.account.id", "user.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
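As an added illustration (not Elastic's code), the following Python re-implements the rule's KQL filter and a simplified New Terms evaluation over constructed CloudTrail events, so the filter exclusions and the 6-minute lookback / 10-day history window can be traced by hand. Field names are the ECS and AWS-integration fields used in the rule; the flat event shape, `T0`, the `_ev` helper and the sample principals are assumptions.

```python
from datetime import datetime, timedelta

# Action lists and thresholds copied from the rule's query and [rule.new_terms] settings.
ORG_ACTIONS = {"DescribeOrganization", "DescribeOrganizationalUnit", "ListAccounts", "ListRoots", "ListPolicies",
               "ListOrganizationalUnitsForParent", "ListAccountsForParent", "ListAWSServiceAccessForOrganization",
               "ListDelegatedAdministrators", "ListDelegatedServicesForAccount", "DescribeResourcePolicy"}
IAM_ACTIONS = {"ListAccountAliases", "GetAccountSummary"}
LOOKBACK = timedelta(minutes=6)       # from = "now-6m"
HISTORY_WINDOW = timedelta(days=10)   # history_window_start = "now-10d"

def matches_query(ev):
    """Mirror of the rule's KQL filter over a flat ECS-style event dict."""
    if ev.get("data_stream.dataset") != "aws.cloudtrail" or ev.get("event.outcome") != "success":
        return False
    if not ev.get("source.ip") or ev.get("aws.cloudtrail.session_credential_from_console") == "true":
        return False
    if ev.get("aws.cloudtrail.user_identity.type") == "AWSService":
        return False
    provider, action = ev.get("event.provider"), ev.get("event.action")
    return (provider == "organizations.amazonaws.com" and action in ORG_ACTIONS) or (
        provider == "iam.amazonaws.com" and action in IAM_ACTIONS)

def new_term_alerts(events, now):
    """Simplified New Terms pass: alert on a matching event inside the lookback whose
    (cloud.account.id, user.name) pair has no earlier matching event within the history window."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        key, ts = (ev["cloud.account.id"], ev["user.name"]), ev["@timestamp"]
        prev = last_seen.get(key)
        seen_in_window = prev is not None and prev >= now - HISTORY_WINDOW
        if ts >= now - LOOKBACK and not seen_in_window:
            alerts.append(ev)
        last_seen[key] = ts
    return alerts

T0 = datetime(2026, 4, 10, 12, 0, 0)   # assumed reference time for the constructed sample
def _ev(minutes, user, action, provider="organizations.amazonaws.com", **over):
    ev = {"@timestamp": T0 + timedelta(minutes=minutes), "data_stream.dataset": "aws.cloudtrail",
          "event.outcome": "success", "source.ip": "203.0.113.10", "cloud.account.id": "111111111111",
          "user.name": user, "event.provider": provider, "event.action": action,
          "aws.cloudtrail.user_identity.type": "IAMUser"}
    ev.update(over)
    return ev

SAMPLE_EVENTS = [  # constructed CloudTrail events, not real telemetry
    _ev(-20 * 24 * 60, "org-admin", "ListAccounts"),  # 20 days old: outside the history window
    _ev(0, "org-admin", "ListAccounts"),               # pair counts as new again after >10d: alert
    _ev(1, "org-admin", "ListRoots"),                  # same pair seen a minute earlier: no alert
    _ev(2, "contractor-x", "ListAccountAliases", provider="iam.amazonaws.com"),  # never seen: alert
    _ev(3, "contractor-x", "GetAccountSummary", provider="iam.amazonaws.com", **{"event.outcome": "failure"}),
]
NOW = T0 + timedelta(minutes=5)
```

Running `new_term_alerts(SAMPLE_EVENTS, NOW)` yields two alerts: the org-admin pair resurfacing after the history window, and the never-seen contractor principal; the failed call is dropped by the `event.outcome` filter before term evaluation.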
