AWS CLI Command with Custom Endpoint URL

Detects the use of the AWS CLI with the --endpoint-url argument, which allows users to specify a custom endpoint URL for AWS services. This can be leveraged by adversaries to redirect API requests to non-standard or malicious endpoints, potentially bypassing typical security controls and logging mechanisms. This behavior may indicate an attempt to interact with unauthorized or compromised infrastructure, exfiltrate data, or perform other malicious activities under the guise of legitimate AWS operations.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/08/21"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2025/01/15"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects the use of the AWS CLI with the `--endpoint-url` argument, which allows users to specify a custom endpoint URL for AWS services. This can be leveraged by adversaries to redirect API requests to non-standard or malicious endpoints, potentially bypassing typical security controls and logging mechanisms. This behavior may indicate an attempt to interact with unauthorized or compromised infrastructure, exfiltrate data, or perform other malicious activities under the guise of legitimate AWS operations.
11"""
12from = "now-9m"
13index = ["logs-endpoint.events.process-*"]
14language = "kuery"
15license = "Elastic License v2"
16name = "AWS CLI Command with Custom Endpoint URL"
17references = [
18    "https://sysdig.com/blog/scarleteel-2-0/"
19]
20risk_score = 47
21rule_id = "349276c0-5fcf-11ef-b1a9-f661ea17fbce"
22severity = "medium"
23tags = [
24    "Data Source: Elastic Defend",
25    "Domain: Endpoint",
26    "OS: Linux",
27    "Use Case: Threat Detection",
28    "Tactic: Command and Control",
29    "Resources: Investigation Guide",
30]
31type = "new_terms"
32timestamp_override = "event.ingested"
33query = '''
34host.os.type: "linux" and event.category: "process" and process.name: "aws" and process.args:  "--endpoint-url"
35'''
36note = """## Triage and analysis
37
38> **Disclaimer**:
39> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
40
41### Investigating AWS CLI Command with Custom Endpoint URL
42
43The AWS CLI allows users to interact with AWS services via command-line, offering flexibility in managing cloud resources. The `--endpoint-url` option lets users specify alternative endpoints, which can be exploited by adversaries to reroute requests to malicious servers, bypassing security controls. The detection rule identifies such misuse by monitoring for the `--endpoint-url` argument in process logs, flagging potential unauthorized activities.
44
45### Possible investigation steps
46
47- Review the process logs to identify the specific command line that triggered the alert, focusing on the presence of the --endpoint-url argument.
48- Investigate the custom endpoint URL specified in the command to determine if it is a known malicious or unauthorized domain.
49- Check the user account associated with the process to assess if it has a history of suspicious activity or if it has been compromised.
50- Analyze network logs to trace any outbound connections to the custom endpoint URL and evaluate the data being transmitted.
51- Correlate the event with other security alerts or logs to identify any patterns or additional indicators of compromise related to the same user or endpoint.
52- Verify if the AWS credentials used in the command have been exposed or misused in other contexts, potentially indicating credential theft or abuse.
53
54### False positive analysis
55
56- Internal testing environments may use custom endpoint URLs for development purposes. To manage this, create exceptions for known internal IP addresses or domain names associated with these environments.
57- Organizations using AWS CLI with custom endpoints for legitimate third-party integrations might trigger this rule. Identify and whitelist these specific integrations by their endpoint URLs to prevent false positives.
58- Automated scripts or tools that interact with AWS services through custom endpoints for monitoring or backup purposes can be flagged. Review and document these scripts, then exclude them from detection by process name or specific endpoint URL.
59- Some organizations may use proxy servers that require custom endpoint URLs for AWS CLI operations. Verify these configurations and exclude the associated endpoint URLs from the detection rule.
60
61### Response and remediation
62
63- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
64- Review process logs and network traffic to identify any data that may have been redirected to unauthorized endpoints and assess the extent of potential data exposure.
65- Revoke any AWS credentials or access keys used on the affected system to prevent further misuse and rotate them with new credentials.
66- Conduct a thorough investigation to determine if any other systems have been compromised or if similar unauthorized endpoint usage has occurred elsewhere in the network.
67- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional containment or remediation actions are necessary.
68- Implement network-level controls to block known malicious endpoints and enhance monitoring for unusual AWS CLI usage patterns across the environment.
69- Update security policies and endpoint protection configurations to detect and alert on the use of custom endpoint URLs in AWS CLI commands, ensuring rapid response to future incidents."""
70
71
72[[rule.threat]]
73framework = "MITRE ATT&CK"
74[[rule.threat.technique]]
75id = "T1102"
76name = "Web Service"
77reference = "https://attack.mitre.org/techniques/T1102/"
78
79
80[rule.threat.tactic]
81id = "TA0011"
82name = "Command and Control"
83reference = "https://attack.mitre.org/tactics/TA0011/"
84
85
86[rule.new_terms]
87field = "new_terms_fields"
88value = ["user.name"]
89[[rule.new_terms.history_window_start]]
90field = "history_window_start"
91value = "now-10d"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating AWS CLI Command with Custom Endpoint URL

The AWS CLI allows users to interact with AWS services via command-line, offering flexibility in managing cloud resources. The --endpoint-url option lets users specify alternative endpoints, which can be exploited by adversaries to reroute requests to malicious servers, bypassing security controls. The detection rule identifies such misuse by monitoring for the --endpoint-url argument in process logs, flagging potential unauthorized activities.

Possible investigation steps

  • Review the process logs to identify the specific command line that triggered the alert, focusing on the presence of the --endpoint-url argument.
  • Investigate the custom endpoint URL specified in the command to determine if it is a known malicious or unauthorized domain.
  • Check the user account associated with the process to assess if it has a history of suspicious activity or if it has been compromised.
  • Analyze network logs to trace any outbound connections to the custom endpoint URL and evaluate the data being transmitted.
  • Correlate the event with other security alerts or logs to identify any patterns or additional indicators of compromise related to the same user or endpoint.
  • Verify if the AWS credentials used in the command have been exposed or misused in other contexts, potentially indicating credential theft or abuse.

False positive analysis

  • Internal testing environments may use custom endpoint URLs for development purposes. To manage this, create exceptions for known internal IP addresses or domain names associated with these environments.
  • Organizations using AWS CLI with custom endpoints for legitimate third-party integrations might trigger this rule. Identify and whitelist these specific integrations by their endpoint URLs to prevent false positives.
  • Automated scripts or tools that interact with AWS services through custom endpoints for monitoring or backup purposes can be flagged. Review and document these scripts, then exclude them from detection by process name or specific endpoint URL.
  • Some organizations may use proxy servers that require custom endpoint URLs for AWS CLI operations. Verify these configurations and exclude the associated endpoint URLs from the detection rule.

Response and remediation

  • Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
  • Review process logs and network traffic to identify any data that may have been redirected to unauthorized endpoints and assess the extent of potential data exposure.
  • Revoke any AWS credentials or access keys used on the affected system to prevent further misuse and rotate them with new credentials.
  • Conduct a thorough investigation to determine if any other systems have been compromised or if similar unauthorized endpoint usage has occurred elsewhere in the network.
  • Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional containment or remediation actions are necessary.
  • Implement network-level controls to block known malicious endpoints and enhance monitoring for unusual AWS CLI usage patterns across the environment.
  • Update security policies and endpoint protection configurations to detect and alert on the use of custom endpoint URLs in AWS CLI commands, ensuring rapid response to future incidents.

References

Related rules

to-top