-
Identifies use of the S3 CopyObject API where the destination object is encrypted using an AWS KMS key from an external AWS account. This behavior may indicate ransomware-style impact activity where an adversary with access to a misconfigured S3 bucket encrypts objects using a KMS key they control, preventing the bucket owner from decrypting their own data. This technique is a critical early signal of destructive intent or cross-account misuse.
Read More -
Identifies attempts to disable or schedule the deletion of an AWS customer managed KMS Key. Disabling or scheduling a KMS key for deletion removes the ability to decrypt data encrypted under that key and can permanently destroy access to critical resources. Adversaries may use these operations to cause irreversible data loss, disrupt business operations, impede incident response, or hide evidence of prior activity. Because KMS keys often protect sensitive or regulated data, any modification to their lifecycle should be considered highly sensitive and investigated promptly.
Read More -
AWS Discovery API Calls via CLI from a Single Resource
Dec 8, 2025 · Domain: Cloud Data Source: AWS Data Source: AWS EC2 Data Source: AWS IAM Data Source: AWS S3 Data Source: AWS Cloudtrail Data Source: AWS RDS Data Source: AWS Lambda Data Source: AWS STS Data Source: AWS KMS Data Source: AWS SES Data Source: AWS Cloudfront Data Source: AWS DynamoDB Data Source: AWS Elastic Load Balancing Use Case: Threat Detection Tactic: Discovery Resources: Investigation Guide ·Detects when a single AWS resource is running multiple read-only, discovery API calls in a 10-second window. This behavior could indicate an actor attempting to discover the AWS infrastructure using compromised credentials or a compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to gain a better understanding of the target's infrastructure.
Read More