Threat Feed
Advisory severity: medium

AWS Discovery API Calls from VPN ASN by New Identity

This rule detects the initial use of AWS discovery APIs from VPN-associated ASNs by a previously unseen identity, indicating potential reconnaissance activity.

This detection identifies the first-time occurrence of an IAM principal invoking discovery APIs from a source IP address associated with a known VPN autonomous system number (ASN). The rule focuses on high-signal discovery actions in AWS CloudTrail logs, such as credential checks, account enumeration, bucket inventory, compute inventory, and logging introspection. The goal is to detect potential reconnaissance originating from anonymizing networks, which may indicate malicious intent. The rule deliberately omits broad List* and Describe* wildcard patterns to reduce false positives, and matches the source ASN against a curated list of ASNs commonly associated with VPN providers and hosting services. Validate the ASN data against local intelligence and tailor the event.action list to your environment's baseline. Hosting ASNs are dual-use (legitimate workloads and attacker infrastructure alike), so alerts from them require careful triage.

Attack Chain

  1. An attacker gains unauthorized access to AWS credentials, possibly through compromised credentials or misconfigured IAM roles.
  2. The attacker initiates a VPN connection to mask their origin and evade geographic restrictions or monitoring. The VPN endpoint’s ASN belongs to a known VPN provider.
  3. Using the compromised credentials and VPN connection, the attacker calls the AWS API to execute GetCallerIdentity to validate access.
  4. The attacker enumerates IAM users and roles using ListUsers and ListRoles to map out the AWS environment’s identity landscape.
  5. The attacker inventories S3 buckets using ListBuckets to identify potential targets for data exfiltration or manipulation.
  6. The attacker gathers information about EC2 instances, VPCs, and security groups using DescribeInstances, DescribeVpcs, and DescribeSecurityGroups to understand the network infrastructure.
  7. The attacker lists available Lambda functions using ListFunctions to discover potential code execution opportunities.
  8. The attacker collects logging configurations by calling DescribeTrails to identify logging gaps.

Impact

A successful attack leveraging these discovery techniques can lead to unauthorized access to sensitive data, privilege escalation, and lateral movement within the AWS environment. By mapping out the cloud infrastructure, attackers can identify vulnerabilities and misconfigurations to exploit. Compromised AWS environments can result in data breaches, service disruptions, and financial losses.

Recommendation

  • Deploy the Sigma rule AWS Discovery API Calls from VPN ASN by New Identity to detect anomalous discovery activity originating from VPN ASNs.
  • Review the curated list of VPN-oriented ASNs within the rule query and update it with local intelligence from sources like RIPE, BGPView, or PeeringDB.
  • Enable AWS CloudTrail logs to capture the necessary event data for the Sigma rule to function effectively.
  • Tune the Sigma rule’s event.action filter to include additional discovery-related API calls relevant to your environment, based on baseline analysis.
  • Investigate alerts generated by the Sigma rule by examining aws.cloudtrail.user_identity.arn, event.action, event.provider, source.ip, and source.as.organization.name.
  • Implement automated response actions, such as revoking sessions or rotating keys, when unexpected discovery activity is detected from VPN ASNs.
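The first-seen logic described above, run over constructed ECS-style CloudTrail records using the fields the investigation bullet names. This is an added illustration, not the vendor's Sigma rule; the ASN organisation names and the sample records are constructed, and the curated action set mirrors the attack chain above.

```python
# Added example, not the vendor's rule: alert on the first curated discovery call
# each identity makes from a VPN ASN. ASN organisation names are constructed.

# Curated high-signal discovery actions; no broad List*/Describe* wildcards.
DISCOVERY_ACTIONS = {
    "GetCallerIdentity", "ListUsers", "ListRoles", "ListBuckets",
    "DescribeInstances", "DescribeVpcs", "DescribeSecurityGroups",
    "ListFunctions", "DescribeTrails",
}

# Constructed stand-ins for a locally validated VPN-provider ASN list.
VPN_ASN_ORGS = {"ExampleVPN Ltd", "Example Anonymizer Inc"}

# Constructed sample records keyed by the fields the advisory says to inspect.
SAMPLE_EVENTS = [
    {"aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/alice",
     "event.action": "GetCallerIdentity", "event.provider": "sts.amazonaws.com",
     "source.ip": "203.0.113.10", "source.as.organization.name": "ExampleVPN Ltd"},
    {"aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/alice",
     "event.action": "ListBuckets", "event.provider": "s3.amazonaws.com",
     "source.ip": "203.0.113.10", "source.as.organization.name": "ExampleVPN Ltd"},
    {"aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/bob",
     "event.action": "DescribeInstanceTypes", "event.provider": "ec2.amazonaws.com",
     "source.ip": "203.0.113.11", "source.as.organization.name": "ExampleVPN Ltd"},
    {"aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/bob",
     "event.action": "DescribeTrails", "event.provider": "cloudtrail.amazonaws.com",
     "source.ip": "198.51.100.5", "source.as.organization.name": "Example Corporate ISP"},
    {"aws.cloudtrail.user_identity.arn": "arn:aws:sts::111122223333:assumed-role/Deploy/s1",
     "event.action": "ListRoles", "event.provider": "iam.amazonaws.com",
     "source.ip": "203.0.113.20", "source.as.organization.name": "Example Anonymizer Inc"},
]


def first_seen_vpn_discovery(events, seen=None):
    """Return one alert per identity, on its first curated discovery call from a VPN ASN.

    `seen` carries state across batches so an identity alerts only when new.
    """
    seen = set() if seen is None else seen
    alerts = []
    for ev in events:
        arn = ev.get("aws.cloudtrail.user_identity.arn")
        action = ev.get("event.action")
        org = ev.get("source.as.organization.name")
        # Exact matches only: DescribeInstanceTypes and non-VPN ASNs do not fire.
        if not arn or action not in DISCOVERY_ACTIONS or org not in VPN_ASN_ORGS:
            continue
        if arn in seen:
            continue  # identity already baselined from a VPN ASN; not new
        seen.add(arn)
        alerts.append({"identity": arn, "action": action, "provider": ev.get("event.provider"),
                       "source_ip": ev.get("source.ip"), "asn_org": org})
    return alerts
```

Of the five constructed records only alice's GetCallerIdentity and the assumed role's ListRoles alert; alice's later ListBuckets is suppressed as already seen, and bob never matches (uncurated action, then a non-VPN ASN).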

Detection coverage (2 rules)

AWS Discovery API Calls from VPN ASN

Severity: medium

Detects AWS API calls from known VPN ASNs.

Format: Sigma | Tactics: discovery | Techniques: T1526 | Sources: cloudtrail, aws

AWS Discovery API Calls by Service Principals

Severity: medium

Detects AWS API calls from specific service principals from VPN ASNs.

Format: Sigma | Tactics: discovery | Techniques: T1526 | Sources: cloudtrail, aws
