AWS Service Quotas Multi-Region GetServiceQuota
Requests
Identifies when a single AWS resource is making GetServiceQuota
API calls for the EC2 service quota L-1216C47A in more
than 10 regions within a 30-second window. Quota code L-1216C47A represents the limit for on-demand instances, which adversaries
abuse to deploy malware and mine cryptocurrency. This could indicate a threat actor attempting to discover the AWS
infrastructure across multiple regions using compromised credentials or a compromised instance.
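[metadata]
creation_date = "2024/08/26"
maturity = "production"
updated_date = "2024/10/02"

[rule]
author = ["Elastic"]
description = """
Identifies when a single AWS resource is making `GetServiceQuota` API calls for the EC2 service quota L-1216C47A in more
than 10 regions within a 30-second window. Quota code L-1216C47A represents on-demand instances which are used by
adversaries to deploy malware and mine cryptocurrency. This could indicate a potential threat actor attempting to
discover the AWS infrastructure across multiple regions using compromised credentials or a compromised instance.
"""
# Look-back per execution. Keep it larger than the schedule interval so a 30-second burst
# that straddles two runs is still aggregated into one bucket rather than split.
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "AWS Service Quotas Multi-Region `GetServiceQuota` Requests"
references = [
  "https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/",
  "https://docs.aws.amazon.com/servicequotas/2019-06-24/apireference/API_GetServiceQuota.html",
]
# Low risk on purpose: multi-region quota enumeration is also what legitimate inventory and
# cost tooling does; this rule is a discovery signal to correlate, not a standalone compromise indicator.
risk_score = 21
rule_id = "19be0164-63d2-11ef-8e38-f661ea17fbce"
severity = "low"
tags = [
  "Domain: Cloud",
  "Data Source: AWS",
  "Data Source: Amazon Web Services",
  "Data Source: AWS Service Quotas",
  "Use Case: Threat Detection",
  "Tactic: Discovery",
]
# Evaluate on ingest time so late-arriving CloudTrail records still fall inside the look-back.
timestamp_override = "event.ingested"
type = "esql"

# Threshold note: `region_count >= 10` fires at exactly ten regions, while the name and
# description say "more than 10". If strictly-greater is intended, change both comparisons
# to `> 10`; otherwise the wording should be aligned to "10 or more".
#
# Parsing note: the dissect pattern assumes request_parameters is rendered as
# "{serviceCode=<code>, quotaCode=<code>}" in that exact key order. A different order or
# additional parameters presumably leaves service_code/quota_code empty, and the following
# `where` then silently discards the event -- confirm against real CloudTrail records.
#
# Grouping note: events whose user_identity.arn is absent (some identity types) would
# collapse into a single null group -- TODO confirm whether those should be excluded.
query = '''
from logs-aws.cloudtrail-*

// filter for GetServiceQuota API calls
| where event.dataset == "aws.cloudtrail" and event.provider == "servicequotas.amazonaws.com" and event.action == "GetServiceQuota"

// truncate the timestamp to a 30-second window
| eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)

// pre-process the request parameters to extract the service code and quota code
| dissect aws.cloudtrail.request_parameters "{%{?service_code_key}=%{service_code}, %{?quota_code_key}=%{quota_code}}"

// filter for EC2 service quota L-1216C47A (vCPU on-demand instances)
| where service_code == "ec2" and quota_code == "L-1216C47A"

// count the number of unique regions and total API calls within the 30-second window
| stats region_count = count_distinct(cloud.region), window_count = count(*) by target_time_window, aws.cloudtrail.user_identity.arn

// filter for resources making GetServiceQuota API calls in 10 or more regions within the 30-second window
| where region_count >= 10 and window_count >= 10

// sort the results by time windows in descending order
| sort target_time_window desc
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1580"
name = "Cloud Infrastructure Discovery"
reference = "https://attack.mitre.org/techniques/T1580/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"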