{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/aws-cloudtrail/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["TeamPCP"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS CloudTrail","AWS Identity and Access Management (IAM)","Amazon S3","Amazon EC2","AWS Lambda","Amazon RDS","Amazon DynamoDB","AWS Key Management Service (KMS)","AWS Security Token Service (STS)"],"_cs_severities":["high"],"_cs_tags":["aws-cloudtrail","iam","discovery","cloud","identity","threat-detection"],"_cs_type":"threat","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis brief details detection of suspicious AWS discovery API calls originating from Autonomous System Numbers (ASNs) commonly associated with consumer VPN services, VPN-heavy hosting providers, or networks previously linked to groups such as TeamPCP. The detection flags the \u003cem\u003efirst time\u003c/em\u003e a specific AWS Identity and Access Management (IAM) principal is observed invoking a curated list of high-signal discovery APIs (e.g., \u003ccode\u003eGetCallerIdentity\u003c/code\u003e, \u003ccode\u003eListUsers\u003c/code\u003e, \u003ccode\u003eListBuckets\u003c/code\u003e, \u003ccode\u003eDescribeInstances\u003c/code\u003e) from an IP address mapped to one of the identified suspicious ASNs. This activity is indicative of an adversary conducting reconnaissance in an AWS environment, attempting to gather information about account configurations, IAM users, roles, and deployed resources. While some of these ASNs are dual-use (legitimate hosting providers), their association with sensitive API calls from a previously unseen principal, as detected by this rule, suggests potential unauthorized access and enumeration attempts.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of these discovery activities allows attackers to gain critical insights into the target AWS environment. This reconnaissance can reveal the structure of an organization's cloud infrastructure, identify potential misconfigurations, map out IAM users and their permissions, and locate valuable data stored in S3 buckets or other services. This information is crucial for an attacker to plan subsequent stages of an attack, such as privilege escalation, lateral movement, or data exfiltration. The financial impact can include unauthorized resource usage, data breaches, and regulatory fines. Operational impact can manifest as service disruptions, loss of data integrity, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rule\u003c/strong\u003e in this brief to your SIEM, noting that the \u0026quot;first time\u0026quot; detection is an Elastic-specific feature and the Sigma rule will detect \u003cem\u003eany\u003c/em\u003e matching event.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor AWS CloudTrail logs\u003c/strong\u003e for \u003ccode\u003eevent.action\u003c/code\u003e values such as \u003ccode\u003eGetCallerIdentity\u003c/code\u003e, \u003ccode\u003eListUsers\u003c/code\u003e, \u003ccode\u003eListBuckets\u003c/code\u003e, \u003ccode\u003eDescribeInstances\u003c/code\u003e originating from \u003ccode\u003esource.as.number\u003c/code\u003e values identified in the rule.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e, \u003ccode\u003eevent.action\u003c/code\u003e, and \u003ccode\u003esource.as.number\u003c/code\u003e\u003c/strong\u003e for any alerts generated by the rule, comparing against your organization's approved remote access patterns.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement GeoIP and ASN enrichment\u003c/strong\u003e for \u003ccode\u003esource.ip\u003c/code\u003e to ensure \u003ccode\u003esource.as.number\u003c/code\u003e is populated in your AWS CloudTrail logs, enabling this detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRotate keys and revoke sessions\u003c/strong\u003e for any \u003ccode\u003eaws.cloudtrail.user_identity.access_key_id\u003c/code\u003e found to be associated with suspicious activity.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRegularly review and update the list of suspicious ASNs\u003c/strong\u003e using resources like BGP.tools, RIPE, or peeringdb, as referenced in the rule's \u003ccode\u003enote\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T14:02:20Z","date_published":"2026-07-15T14:02:20Z","id":"https://feed.craftedsignal.io/briefs/2026-07-aws-discovery-vpn-asn/","summary":"This threat detection rule identifies initial reconnaissance activities within AWS by flagging an IAM principal's first-time invocation of sensitive discovery APIs, such as GetCallerIdentity, ListUsers, ListBuckets, and DescribeInstances, when the originating IP address is associated with consumer VPNs, high-usage hosting providers, or networks linked to threat groups like TeamPCP, indicating an attacker performing enumeration of cloud resources from a suspicious network origin.","title":"AWS Discovery API Calls from VPN ASN for the First Time by Identity","url":"https://feed.craftedsignal.io/briefs/2026-07-aws-discovery-vpn-asn/"}],"language":"en","title":"CraftedSignal Threat Feed - Aws-Cloudtrail","version":"https://jsonfeed.org/version/1.1"}