<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AWS Organizations - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/aws-organizations/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/aws-organizations/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS Account Discovery By Rare User</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-aws-account-discovery/</link><pubDate>Tue, 02 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-aws-account-discovery/</guid><description>Detects the first-time enumeration of AWS Organizations or IAM accounts by a user, potentially indicating reconnaissance by compromised credentials.</description><content:encoded><![CDATA[<p>This detection identifies when a user performs AWS Organizations or IAM account enumeration API calls for the first time within a defined lookback window. Attackers who have compromised credentials often map out an organization's structure, including accounts, organizational units (OUs), roots, and delegated administrators, as well as account-level metadata like aliases, using the AWS CLI or SDKs. This activity is detected via a New Terms rule, focusing on rare occurrences of a <code>cloud.account.id</code> and <code>user.name</code> pair associated with these enumeration actions. The rule aims to highlight potentially malicious reconnaissance activities within an AWS environment by identifying unusual account discovery patterns. This detection is relevant for AWS environments and relies on CloudTrail logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to AWS credentials through methods such as phishing or credential stuffing.</li>
<li>The attacker uses the compromised credentials to authenticate to the AWS environment, likely through the AWS CLI or SDK.</li>
<li>The attacker executes AWS CLI commands or SDK calls to enumerate the organization structure, starting with <code>DescribeOrganization</code> or <code>ListAccounts</code>.</li>
<li>The attacker may then proceed to enumerate Organizational Units using <code>ListOrganizationalUnitsForParent</code>.</li>
<li>The attacker gathers account-level information, such as aliases, using <code>ListAccountAliases</code> or <code>GetAccountSummary</code>.</li>
<li>The attacker reviews IAM policies and roles using actions such as <code>ListPolicies</code>.</li>
<li>The attacker analyzes the gathered information to identify potential targets or weaknesses within the AWS environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful AWS account discovery can lead to significant breaches. Attackers can identify critical assets, privilege escalation paths, and potential vulnerabilities within the AWS environment. This information can be used to move laterally, exfiltrate sensitive data, or deploy malicious infrastructure. The impact is amplified in multi-account environments, where attackers can map out the entire organization structure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS Account Discovery By Rare User</code> to your SIEM and tune the threshold and lookback window for your environment.</li>
<li>Review the investigation guide linked in the rule's note section, especially the &quot;Possible investigation steps&quot; which details important fields to investigate.</li>
<li>Filter out known good <code>user.name</code> and <code>cloud.account.id</code> pairs by adding exceptions to the Sigma rule.</li>
<li>Monitor CloudTrail logs for unusual API calls related to account enumeration, focusing on the actions listed in the rule query.</li>
<li>Enforce the principle of least privilege for IAM roles and policies to limit the scope of potential damage from compromised credentials.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>discovery</category><category>account-enumeration</category></item></channel></rss>