Potential Network Enumeration on AWS

Detects network enumeration performed on AWS.

Sigma rule

title: Potential Network Enumeration on AWS
id: c3d53999-4b14-4ddd-9d9b-e618c366b54d
status: unsupported
description: Detects network enumeration performed on AWS.
references:
    - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
modified: 2023/03/24
tags:
    - attack.discovery
    - attack.t1016
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName:
            - 'DescribeCarrierGateways'
            - 'DescribeVpcEndpointConnectionNotifications'
            - 'DescribeTransitGatewayMulticastDomains'
            - 'DescribeClientVpnRoutes'
            - 'DescribeDhcpOptions'
            - 'GetTransitGatewayRouteTableAssociations'
    timeframe: 10m
    condition: selection | count() > 5
falsepositives:
    - Unknown
level: low
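
The rule's selection, timeframe and threshold evaluated over CloudTrail records, as an added example that is not part of the Sigma project or of any Sigma backend. It assumes a sliding 10-minute window (a backend may bucket time differently) and exact-case matching; the function names and the sample records are constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Values copied from the rule's selection, timeframe and condition.
EVENT_SOURCE = "ec2.amazonaws.com"
EVENT_NAMES = {
    "DescribeCarrierGateways",
    "DescribeVpcEndpointConnectionNotifications",
    "DescribeTransitGatewayMulticastDomains",
    "DescribeClientVpnRoutes",
    "DescribeDhcpOptions",
    "GetTransitGatewayRouteTableAssociations",
}
TIMEFRAME = timedelta(minutes=10)
THRESHOLD = 5  # condition is count() > 5, so the sixth match fires


def parse_time(record):
    # CloudTrail eventTime is ISO 8601 UTC, e.g. 2023-03-24T10:00:00Z
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect(records):
    """Return the eventTime of each record at which the rule's condition holds."""
    window = deque()  # timestamps of matching events inside the timeframe
    alerts = []
    matches = [r for r in records
               if r.get("eventSource") == EVENT_SOURCE and r.get("eventName") in EVENT_NAMES]
    for record in sorted(matches, key=parse_time):
        now = parse_time(record)
        window.append(now)
        while now - window[0] >= TIMEFRAME:  # assumption: sliding window
            window.popleft()
        if len(window) > THRESHOLD:
            alerts.append(record["eventTime"])
    return alerts


def make(ts, name, source=EVENT_SOURCE):
    # Constructed sample record holding only the fields the rule reads.
    return {"eventTime": ts, "eventSource": source, "eventName": name}

BURST = [make(f"2023-03-24T10:0{i}:00Z", n) for i, n in enumerate(sorted(EVENT_NAMES))]
SPREAD = [make(f"2023-03-24T1{i}:00:00Z", n) for i, n in enumerate(sorted(EVENT_NAMES))]
NOISE = [make("2023-03-24T10:00:30Z", "DescribeInstances")] * 10

if __name__ == "__main__":
    print(detect(BURST + NOISE))
```

The condition has no group-by, so the count spans every identity and account in the log source; keying the window on a field such as userIdentity.arn is a common tuning step that the rule as written does not do.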
