{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/aws-cli/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS","Amazon EC2","Amazon IAM","Amazon S3","Amazon KMS","AWS CLI"],"_cs_severities":["low"],"_cs_tags":["aws","cloudtrail","discovery","aws-cli","threat-detection"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis detection identifies suspicious AWS infrastructure discovery activity. Specifically, it detects when a single AWS identity executes more than five unique discovery-related API calls (Describe*, List*, Get*, or Generate*) within a 10-second window using the AWS CLI. This activity may indicate an actor attempting to discover the AWS infrastructure using compromised credentials or a compromised instance. The rule excludes service accounts and console behavior and filters specifically for AWS CLI usage. This behavior is often an early phase of compromise, helping adversaries to identify potential targets for further exploitation or gain a better understanding of the target's infrastructure. This detection focuses on AWS CloudTrail logs. The first version of this rule was created on 2024/11/04 and updated on 2026/04/10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to AWS credentials through methods like credential stuffing or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI with the compromised credentials from a compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker executes multiple 'Describe', 'List', 'Get', or 'Generate' API calls, such as \u003ccode\u003eDescribeInstances\u003c/code\u003e, \u003ccode\u003eListRoles\u003c/code\u003e, \u003ccode\u003eListAccessKeys\u003c/code\u003e, or \u003ccode\u003eListBuckets\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker gathers information about the AWS environment, including EC2 instances, IAM roles, S3 buckets, and KMS keys.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies potential targets for further exploitation based on the gathered information.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges or move laterally within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker may exfiltrate sensitive data from discovered resources or deploy malicious workloads.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful discovery of an AWS environment can enable attackers to identify and exploit vulnerable resources, potentially leading to data breaches, service disruptions, or unauthorized access to sensitive information. The low severity reflects the early stage of reconnaissance, but a successful attack can still lead to significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging in all regions to capture API activity and enable the detection rule.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS Discovery API Calls via CLI from a Single Resource\u0026quot; to your SIEM and tune the threshold based on your environment's baseline activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the identified actor, source IP, and API call patterns.\u003c/li\u003e\n\u003cli\u003eImplement strict IAM policies and multi-factor authentication (MFA) to prevent credential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor the source IPs (\u003ccode\u003eEsql.source_ip_values\u003c/code\u003e) for unusual or external activity using a firewall.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-04T00:00:00Z","date_published":"2024-11-04T00:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-11-aws-discovery-api-calls-via-cli/","summary":"A single AWS resource is making multiple read-only discovery API calls via the AWS CLI within a 10-second window, indicating potential reconnaissance attempts using compromised credentials or a compromised instance.","title":"AWS Discovery API Calls via CLI from a Single Resource","url":"https://feed.craftedsignal.io/briefs/2024-11-aws-discovery-api-calls-via-cli/"}],"language":"en","title":"CraftedSignal Threat Feed - Aws-Cli","version":"https://jsonfeed.org/version/1.1"}