AWS Discovery API Calls via CLI from a Single Resource

Last updated a month ago on 2024-11-07
Created 2 months ago on 2024-11-04

About

Detects when a single AWS resource is running multiple `Describe` and `List` API calls in a 10-second window. This behavior could indicate an actor attempting to discover the AWS infrastructure using compromised credentials or a compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to gain a better understanding of the target's infrastructure.
Tags
Domain: CloudData Source: AWSData Source: AWS EC2Data Source: AWS IAMData Source: AWS S3Use Case: Threat DetectionTactic: Discovery
Severity
low
Risk Score
21
MITRE ATT&CK™

Discovery (TA0007)(opens in a new tab or window)

False Positive Examples
Administrators or automated systems may legitimately perform multiple `Describe` and `List` API calls in a short time frame. Verify the user identity and the purpose of the API calls to determine if the behavior is expected.
License
Elastic License v2(opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

aws(opens in a new tab or window)

Query
from logs-aws.cloudtrail*

// create time window buckets of 10 seconds
| eval time_window = date_trunc(10 seconds, @timestamp)
| where
    event.dataset == "aws.cloudtrail"

    // filter on CloudTrail audit logs for IAM, EC2, and S3 events only
    and event.provider in (
      "iam.amazonaws.com",
      "ec2.amazonaws.com",
      "s3.amazonaws.com",
      "rds.amazonaws.com",
      "lambda.amazonaws.com",
      "dynamodb.amazonaws.com",
      "kms.amazonaws.com",
      "cloudfront.amazonaws.com",
      "elasticloadbalancing.amazonaws.com",
      "cloudfront.amazonaws.com"
    )

    // ignore AWS service actions
    and aws.cloudtrail.user_identity.type != "AWSService"

    // filter for aws-cli specifically
    and user_agent.name == "aws-cli"

    // exclude DescribeCapacityReservations events related to AWS Config
    and not event.action in ("DescribeCapacityReservations")

// filter for Describe, Get, List, and Generate API calls
| where true in (
    starts_with(event.action, "Describe"),
    starts_with(event.action, "Get"),
    starts_with(event.action, "List"),
    starts_with(event.action, "Generate")
)
// extract owner, identity type, and actor from the ARN
| dissect aws.cloudtrail.user_identity.arn "%{}::%{owner}:%{identity_type}/%{actor}"
| where starts_with(actor, "AWSServiceRoleForConfig") != true
| keep @timestamp, time_window, event.action, aws.cloudtrail.user_identity.arn
| stats
    // count the number of unique API calls per time window and actor
    unique_api_count = count_distinct(event.action) by time_window, aws.cloudtrail.user_identity.arn

// filter for more than 5 unique API calls per time window
| where unique_api_count > 5

// sort the results by the number of unique API calls in descending order
| sort unique_api_count desc

Install detection rules in Elastic Security

Detect AWS Discovery API Calls via CLI from a Single Resource in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).