AWS Account Discovery By Rare User
Detects the first-time enumeration of AWS Organizations or IAM accounts by a user, potentially indicating reconnaissance by compromised credentials.
This detection identifies when a user performs AWS Organizations or IAM account enumeration API calls for the first time within a defined lookback window. Attackers who have compromised credentials often map out an organization's structure, including accounts, organizational units (OUs), roots, and delegated administrators, as well as account-level metadata like aliases, using the AWS CLI or SDKs. This activity is detected via a New Terms rule, focusing on rare occurrences of a cloud.account.id and user.name pair associated with these enumeration actions. The rule aims to highlight potentially malicious reconnaissance activities within an AWS environment by identifying unusual account discovery patterns. This detection is relevant for AWS environments and relies on CloudTrail logs.
Attack Chain
- An attacker gains unauthorized access to AWS credentials through methods such as phishing or credential stuffing.
- The attacker uses the compromised credentials to authenticate to the AWS environment, likely through the AWS CLI or SDK.
- The attacker executes AWS CLI commands or SDK calls to enumerate the organization structure, starting with
DescribeOrganizationorListAccounts. - The attacker may then proceed to enumerate Organizational Units using
ListOrganizationalUnitsForParent. - The attacker gathers account-level information, such as aliases, using
ListAccountAliasesorGetAccountSummary. - The attacker reviews IAM policies and roles using actions such as
ListPolicies. - The attacker analyzes the gathered information to identify potential targets or weaknesses within the AWS environment.
Impact
A successful AWS account discovery can lead to significant breaches. Attackers can identify critical assets, privilege escalation paths, and potential vulnerabilities within the AWS environment. This information can be used to move laterally, exfiltrate sensitive data, or deploy malicious infrastructure. The impact is amplified in multi-account environments, where attackers can map out the entire organization structure.
Recommendation
- Deploy the Sigma rule
AWS Account Discovery By Rare Userto your SIEM and tune the threshold and lookback window for your environment. - Review the investigation guide linked in the rule's note section, especially the "Possible investigation steps" which details important fields to investigate.
- Filter out known good
user.nameandcloud.account.idpairs by adding exceptions to the Sigma rule. - Monitor CloudTrail logs for unusual API calls related to account enumeration, focusing on the actions listed in the rule query.
- Enforce the principle of least privilege for IAM roles and policies to limit the scope of potential damage from compromised credentials.
Detection coverage 2
AWS Account Discovery By Rare User
lowDetects AWS Organization and IAM account enumeration API calls from a rare user.
AWS Account Discovery via IAM and Organizations - Filtered
lowDetects AWS account enumeration via IAM or Organizations, excluding AWSService and console access.
Detection queries are available on the platform. Get full rules →