Skip to content
Threat Feed
low advisory

AWS Account Discovery By Rare User

Detects the first-time enumeration of AWS Organizations or IAM accounts by a user, potentially indicating reconnaissance by compromised credentials.

This detection identifies when a user performs AWS Organizations or IAM account enumeration API calls for the first time within a defined lookback window. Attackers who have compromised credentials often map out an organization's structure, including accounts, organizational units (OUs), roots, and delegated administrators, as well as account-level metadata like aliases, using the AWS CLI or SDKs. This activity is detected via a New Terms rule, focusing on rare occurrences of a cloud.account.id and user.name pair associated with these enumeration actions. The rule aims to highlight potentially malicious reconnaissance activities within an AWS environment by identifying unusual account discovery patterns. This detection is relevant for AWS environments and relies on CloudTrail logs.

Attack Chain

  1. An attacker gains unauthorized access to AWS credentials through methods such as phishing or credential stuffing.
  2. The attacker uses the compromised credentials to authenticate to the AWS environment, likely through the AWS CLI or SDK.
  3. The attacker executes AWS CLI commands or SDK calls to enumerate the organization structure, starting with DescribeOrganization or ListAccounts.
  4. The attacker may then proceed to enumerate Organizational Units using ListOrganizationalUnitsForParent.
  5. The attacker gathers account-level information, such as aliases, using ListAccountAliases or GetAccountSummary.
  6. The attacker reviews IAM policies and roles using actions such as ListPolicies.
  7. The attacker analyzes the gathered information to identify potential targets or weaknesses within the AWS environment.

Impact

A successful AWS account discovery can lead to significant breaches. Attackers can identify critical assets, privilege escalation paths, and potential vulnerabilities within the AWS environment. This information can be used to move laterally, exfiltrate sensitive data, or deploy malicious infrastructure. The impact is amplified in multi-account environments, where attackers can map out the entire organization structure.

Recommendation

  • Deploy the Sigma rule AWS Account Discovery By Rare User to your SIEM and tune the threshold and lookback window for your environment.
  • Review the investigation guide linked in the rule's note section, especially the "Possible investigation steps" which details important fields to investigate.
  • Filter out known good user.name and cloud.account.id pairs by adding exceptions to the Sigma rule.
  • Monitor CloudTrail logs for unusual API calls related to account enumeration, focusing on the actions listed in the rule query.
  • Enforce the principle of least privilege for IAM roles and policies to limit the scope of potential damage from compromised credentials.

Detection coverage 2

AWS Account Discovery By Rare User

low

Detects AWS Organization and IAM account enumeration API calls from a rare user.

sigma tactics: discovery techniques: T1087.004, T1580 sources: cloudtrail, aws

AWS Account Discovery via IAM and Organizations - Filtered

low

Detects AWS account enumeration via IAM or Organizations, excluding AWSService and console access.

sigma tactics: discovery techniques: T1087.004 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →