AWS Discovery API Calls via CLI from a Single Resource
A single AWS resource is making multiple read-only discovery API calls via the AWS CLI within a 10-second window, indicating potential reconnaissance attempts using compromised credentials or a compromised instance.
This detection identifies suspicious AWS infrastructure discovery activity. Specifically, it detects when a single AWS identity executes more than five unique discovery-related API calls (Describe*, List*, Get*, or Generate*) within a 10-second window using the AWS CLI. This activity may indicate an actor attempting to discover the AWS infrastructure using compromised credentials or a compromised instance. The rule excludes service accounts and console behavior and filters specifically for AWS CLI usage. This behavior is often an early phase of compromise, helping adversaries to identify potential targets for further exploitation or gain a better understanding of the target's infrastructure. This detection focuses on AWS CloudTrail logs. The first version of this rule was created on 2024/11/04 and updated on 2026/04/10.
Attack Chain
- An attacker gains access to AWS credentials through methods like credential stuffing or phishing.
- The attacker uses the AWS CLI with the compromised credentials from a compromised host.
- The attacker executes multiple 'Describe', 'List', 'Get', or 'Generate' API calls, such as
DescribeInstances,ListRoles,ListAccessKeys, orListBuckets. - The attacker gathers information about the AWS environment, including EC2 instances, IAM roles, S3 buckets, and KMS keys.
- The attacker identifies potential targets for further exploitation based on the gathered information.
- The attacker attempts to escalate privileges or move laterally within the AWS environment.
- The attacker may exfiltrate sensitive data from discovered resources or deploy malicious workloads.
Impact
Successful discovery of an AWS environment can enable attackers to identify and exploit vulnerable resources, potentially leading to data breaches, service disruptions, or unauthorized access to sensitive information. The low severity reflects the early stage of reconnaissance, but a successful attack can still lead to significant damage.
Recommendation
- Enable AWS CloudTrail logging in all regions to capture API activity and enable the detection rule.
- Deploy the Sigma rule "AWS Discovery API Calls via CLI from a Single Resource" to your SIEM and tune the threshold based on your environment's baseline activity.
- Investigate any alerts generated by the Sigma rule, focusing on the identified actor, source IP, and API call patterns.
- Implement strict IAM policies and multi-factor authentication (MFA) to prevent credential compromise.
- Monitor the source IPs (
Esql.source_ip_values) for unusual or external activity using a firewall.
Detection coverage 2
AWS Discovery API Calls via CLI from a Single Source IP
mediumDetects multiple AWS discovery API calls from a single source IP via the AWS CLI within a short time frame.
AWS Multiple Discovery API Calls by User ARN via CLI
lowDetects multiple distinct AWS discovery API calls by a single user ARN via AWS CLI within a 10 second window.
Detection queries are available on the platform. Get full rules →