AWS CLI Command with Custom Endpoint URL

Last updated 7 months ago on 2025-01-15

Created a year ago on 2024-08-21

About

Detects the use of the AWS CLI with the `--endpoint-url` argument, which allows users to specify a custom endpoint URL for AWS services. This can be leveraged by adversaries to redirect API requests to non-standard or malicious endpoints, potentially bypassing typical security controls and logging mechanisms. This behavior may indicate an attempt to interact with unauthorized or compromised infrastructure, exfiltrate data, or perform other malicious activities under the guise of legitimate AWS operations.

Tags

Data Source: Elastic DefendDomain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Command and ControlLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Command and Control (TA0011)(opens in a new tab or window)

↳ Web Service (T1102)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-endpoint.events.process-*
Related Integrations: endpoint(opens in a new tab or window)
Query

host.os.type: "linux" and event.category: "process" and process.name: "aws" and process.args:  "--endpoint-url"

Install detection rules in Elastic Security

Detect AWS CLI Command with Custom Endpoint URL in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).