AWS Excessive Security Scanning Detection
Detection of excessive AWS API calls indicative of reconnaissance by an attacker attempting to map an AWS environment.
This threat brief outlines a detection strategy for identifying excessive security scanning activities within an AWS environment. Attackers often perform reconnaissance to map out the environment before launching further attacks. The detection focuses on monitoring AWS CloudTrail logs for a high volume of "Describe," "List," or "Get" API calls originating from a single user. This behavior, when exceeding a defined threshold, can indicate malicious reconnaissance. Specifically, this activity can be indicative of an attacker attempting to enumerate resources, identify potential vulnerabilities, and plan subsequent exploitation. The detection relies on analyzing CloudTrail logs for distinct event names related to these API calls and flagging users exceeding a count of 50.
Attack Chain
- The attacker gains initial access to an AWS environment, possibly through compromised credentials or a misconfigured IAM role.
- The attacker begins enumerating AWS resources using "Describe," "List," and "Get" API calls, such as
DescribeInstances,ListBuckets, orGetSecurityGroups. - These API calls are recorded in AWS CloudTrail logs, capturing the event name, user identity, source IP, and other relevant details.
- The attacker iterates through different AWS services, querying for information about EC2 instances, S3 buckets, IAM roles, security groups, and other resources.
- The attacker aggregates the information gathered to build a comprehensive understanding of the AWS environment's architecture, security posture, and potential attack vectors.
- The attacker uses the gathered information to identify vulnerable resources, misconfigurations, or exposed data.
- Based on the reconnaissance, the attacker plans and executes further attacks, such as exploiting vulnerable EC2 instances, accessing sensitive data in S3 buckets, or escalating privileges through compromised IAM roles.
- The final objective may include data exfiltration, denial-of-service attacks, or deployment of malware within the AWS environment.
Impact
Successful reconnaissance allows attackers to gain a detailed understanding of an AWS environment, significantly increasing their chances of successful exploitation. This can lead to unauthorized access to sensitive data, data exfiltration, service disruption, or complete compromise of the cloud infrastructure. Detecting and preventing excessive security scanning is crucial to mitigating these risks. This activity is especially dangerous if an attacker is able to scan and discover keys or access to other services.
Recommendation
- Deploy the provided Sigma rule
AWS Excessive Security Scanningto your SIEM and tune the threshold (currently set to 50 distinct events) based on your organization's baseline activity. - Investigate any alerts generated by the Sigma rule to determine the legitimacy of the detected scanning activity by reviewing associated source IPs from CloudTrail logs.
- Enable and review AWS CloudTrail logs across all regions and accounts to ensure comprehensive visibility into API activity, which is the data source for the provided Sigma rule.
- Implement anomaly detection on API call patterns to identify unusual reconnaissance activities.
Detection coverage 2
AWS Excessive Security Scanning
mediumDetects a single user performing an excessive number of Describe, List, or Get API calls in AWS, indicative of reconnaissance.
AWS Excessive Security Scanning with Specific Event Names
mediumDetects excessive Describe, List, or Get API calls in AWS with a focus on specific event names often used for reconnaissance.
Detection queries are available on the platform. Get full rules →