<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Amazon KMS - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/amazon-kms/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 04 Nov 2024 00:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/amazon-kms/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS Discovery API Calls via CLI from a Single Resource</title><link>https://feed.craftedsignal.io/briefs/2024-11-aws-discovery-api-calls-via-cli/</link><pubDate>Mon, 04 Nov 2024 00:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-11-aws-discovery-api-calls-via-cli/</guid><description>A single AWS resource is making multiple read-only discovery API calls via the AWS CLI within a 10-second window, indicating potential reconnaissance attempts using compromised credentials or a compromised instance.</description><content:encoded><![CDATA[<p>This detection identifies suspicious AWS infrastructure discovery activity. Specifically, it detects when a single AWS identity executes more than five unique discovery-related API calls (Describe*, List*, Get*, or Generate*) within a 10-second window using the AWS CLI. This activity may indicate an actor attempting to discover the AWS infrastructure using compromised credentials or a compromised instance. The rule excludes service accounts and console behavior and filters specifically for AWS CLI usage. This behavior is often an early phase of compromise, helping adversaries to identify potential targets for further exploitation or gain a better understanding of the target's infrastructure. This detection focuses on AWS CloudTrail logs. The first version of this rule was created on 2024/11/04 and updated on 2026/04/10.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains access to AWS credentials through methods like credential stuffing or phishing.</li>
<li>The attacker uses the AWS CLI with the compromised credentials from a compromised host.</li>
<li>The attacker executes multiple 'Describe', 'List', 'Get', or 'Generate' API calls, such as <code>DescribeInstances</code>, <code>ListRoles</code>, <code>ListAccessKeys</code>, or <code>ListBuckets</code>.</li>
<li>The attacker gathers information about the AWS environment, including EC2 instances, IAM roles, S3 buckets, and KMS keys.</li>
<li>The attacker identifies potential targets for further exploitation based on the gathered information.</li>
<li>The attacker attempts to escalate privileges or move laterally within the AWS environment.</li>
<li>The attacker may exfiltrate sensitive data from discovered resources or deploy malicious workloads.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful discovery of an AWS environment can enable attackers to identify and exploit vulnerable resources, potentially leading to data breaches, service disruptions, or unauthorized access to sensitive information. The low severity reflects the early stage of reconnaissance, but a successful attack can still lead to significant damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable AWS CloudTrail logging in all regions to capture API activity and enable the detection rule.</li>
<li>Deploy the Sigma rule &quot;AWS Discovery API Calls via CLI from a Single Resource&quot; to your SIEM and tune the threshold based on your environment's baseline activity.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the identified actor, source IP, and API call patterns.</li>
<li>Implement strict IAM policies and multi-factor authentication (MFA) to prevent credential compromise.</li>
<li>Monitor the source IPs (<code>Esql.source_ip_values</code>) for unusual or external activity using a firewall.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>aws</category><category>cloudtrail</category><category>discovery</category><category>aws-cli</category><category>threat-detection</category></item></channel></rss>