Account Enumeration on AWS

Detects enumeration of account configuration via API calls that list different instances and services within a short period of time.

Sigma rule

title: Account Enumeration on AWS
id: e9c14b23-47e2-4a8b-8a63-d36618e33d70
status: unsupported
description: Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time.
author: toffeebr33k
date: 2020/11/21
modified: 2023/03/24
tags:
    - attack.discovery
    - attack.t1592
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_eventname:
        eventName: list*
    timeframe: 10m
    condition: selection_eventname | count() > 50
fields:
    - userIdentity.arn
falsepositives:
    - AWS Config or other configuration scanning activities
level: low
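
The rule's logic applied to CloudTrail-shaped records, as an added example that is not part of the Sigma project or of this page's rule. The sliding-window evaluation, the one-alert-per-burst behaviour, the function names and the sample records are assumptions made for illustration; like the rule, it counts across all identities (no group-by) and reports userIdentity.arn.

```python
from collections import deque
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

WINDOW = timedelta(minutes=10)  # rule: timeframe: 10m
THRESHOLD = 50                  # rule: count() > 50

def matches(event):
    """selection_eventname: eventName matches list* (compared case-insensitively)."""
    return fnmatchcase(event.get("eventName", "").lower(), "list*")

def detect(events):
    """Alert once per burst, when more than THRESHOLD matching events
    fall inside a sliding WINDOW (sliding evaluation is an assumption)."""
    window, alerts, firing = deque(), [], False
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if not matches(ev):
            continue
        now = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        window.append((now, ev["userIdentity"]["arn"]))
        while now - window[0][0] > WINDOW:  # drop events older than 10 minutes
            window.popleft()
        if len(window) > THRESHOLD and not firing:
            alerts.append({"time": ev["eventTime"], "count": len(window),
                           "arns": sorted({arn for _, arn in window})})
        firing = len(window) > THRESHOLD
    return alerts

def sample_events():
    """Constructed CloudTrail-shaped records (not real logs)."""
    base = datetime(2023, 3, 24, 12, 0, 0)
    def rec(offset_s, name, arn):
        t = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return {"eventTime": t, "eventName": name, "userIdentity": {"arn": arn}}
    scanner = "arn:aws:iam::111122223333:user/example-scanner"
    admin = "arn:aws:iam::111122223333:user/example-admin"
    names = ["ListBuckets", "ListUsers", "ListRoles", "ListFunctions20150331"]
    burst = [rec(i * 5, names[i % 4], scanner) for i in range(60)]          # 60 calls in 5 minutes
    quiet = [rec(3600 + i * 120, "ListBuckets", admin) for i in range(20)]  # one call every 2 minutes
    noise = [rec(i * 7, "DescribeInstances", admin) for i in range(80)]     # does not match list*
    return burst + quiet + noise

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The steady one-call-every-two-minutes pattern never exceeds six events per window, which shows why the rule's listed false positives are bulk scanners such as AWS Config rather than routine console use.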
