AWS CloudTrail

An AWS principal rapidly enumerates S3 bucket posture using read-only APIs, indicative of reconnaissance, scanning, or post-compromise activity.

An attacker may add a new route to an AWS route table, potentially redirecting network traffic for malicious purposes such as defense impairment or data exfiltration.

Detection of new Network ACL entries in AWS CloudTrail logs can indicate potential defense impairment or the opening of new attack vectors within an AWS account by an adversary.

Adversaries may abuse the AWS GetSigninToken API to create temporary federated credentials for obfuscating compromised AWS access keys and pivoting to console sessions without MFA, potentially leading to lateral movement within the AWS environment.

Detection of AWS CloudTrail being disabled, deleted, or updated by an adversary to impair defenses and evade detection.

This rule detects lateral movement in AWS environments originating from Kubernetes service accounts by identifying instances where credentials obtained for a service account are used for multiple distinct AWS control-plane actions, potentially indicating unauthorized access.

The AWS STS GetSessionToken API is being misused to create temporary tokens for lateral movement and privilege escalation within AWS environments by potentially compromised IAM users.

Detection of AWS Network Access Control List (ACL) deletion via CloudTrail logs indicating potential unauthorized access or data exfiltration.

An attacker may escalate privileges by associating a compromised EC2 instance with a more privileged IAM instance profile.

Attackers modify AWS CloudTrail settings using UpdateTrail events to evade detection by disabling or limiting logging, as indicated by non-console user agents.

An adversary may delete AWS CloudTrail logs to evade detection and operate stealthily within a compromised environment, using the `DeleteTrail` event while excluding actions from the AWS console.

The AWS root account, which grants unrestricted access to all resources within an AWS account, was used, potentially indicating unauthorized activity, privilege escalation, or a breach of security best practices.

The analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR by monitoring `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic, potentially leading to unauthorized network access.

Detection of AWS Config Service disabling, potentially indicating an attempt to impair defenses by stopping configuration recording and delivery.