Skip to content
Threat Feed
high threat

AWS Discovery API Calls from VPN ASN for the First Time by Identity

This threat detection rule identifies initial reconnaissance activities within AWS by flagging an IAM principal's first-time invocation of sensitive discovery APIs, such as GetCallerIdentity, ListUsers, ListBuckets, and DescribeInstances, when the originating IP address is associated with consumer VPNs, high-usage hosting providers, or networks linked to threat groups like TeamPCP, indicating an attacker performing enumeration of cloud resources from a suspicious network origin.

This brief details detection of suspicious AWS discovery API calls originating from Autonomous System Numbers (ASNs) commonly associated with consumer VPN services, VPN-heavy hosting providers, or networks previously linked to groups such as TeamPCP. The detection flags the first time a specific AWS Identity and Access Management (IAM) principal is observed invoking a curated list of high-signal discovery APIs (e.g., GetCallerIdentity, ListUsers, ListBuckets, DescribeInstances) from an IP address mapped to one of the identified suspicious ASNs. This activity is indicative of an adversary conducting reconnaissance in an AWS environment, attempting to gather information about account configurations, IAM users, roles, and deployed resources. While some of these ASNs are dual-use (legitimate hosting providers), their association with sensitive API calls from a previously unseen principal, as detected by this rule, suggests potential unauthorized access and enumeration attempts.

Impact

Successful execution of these discovery activities allows attackers to gain critical insights into the target AWS environment. This reconnaissance can reveal the structure of an organization's cloud infrastructure, identify potential misconfigurations, map out IAM users and their permissions, and locate valuable data stored in S3 buckets or other services. This information is crucial for an attacker to plan subsequent stages of an attack, such as privilege escalation, lateral movement, or data exfiltration. The financial impact can include unauthorized resource usage, data breaches, and regulatory fines. Operational impact can manifest as service disruptions, loss of data integrity, and reputational damage.

Recommendation

  • Deploy the Sigma rule in this brief to your SIEM, noting that the "first time" detection is an Elastic-specific feature and the Sigma rule will detect any matching event.
  • Monitor AWS CloudTrail logs for event.action values such as GetCallerIdentity, ListUsers, ListBuckets, DescribeInstances originating from source.as.number values identified in the rule.
  • Review aws.cloudtrail.user_identity.arn, event.action, and source.as.number for any alerts generated by the rule, comparing against your organization's approved remote access patterns.
  • Implement GeoIP and ASN enrichment for source.ip to ensure source.as.number is populated in your AWS CloudTrail logs, enabling this detection.
  • Rotate keys and revoke sessions for any aws.cloudtrail.user_identity.access_key_id found to be associated with suspicious activity.
  • Regularly review and update the list of suspicious ASNs using resources like BGP.tools, RIPE, or peeringdb, as referenced in the rule's note.

Detection coverage 1

AWS Discovery API Calls from Suspected VPN/Hosting ASN

high

Detects high-signal AWS discovery API calls (e.g., GetCallerIdentity, ListUsers) from ASNs associated with consumer VPNs, dual-use hosting providers, or networks linked to known threat actors like TeamPCP. This rule flags the combination of suspicious origin and reconnaissance activity.

sigma tactics: discovery techniques: T1526, T1580 sources: aws.cloudtrail

Detection queries are available on the platform. Get full rules →