{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/provisioning/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","provisioning","anomaly"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection identifies cloud provisioning activities originating from previously unseen regions within an AWS environment. It leverages AWS CloudTrail logs to pinpoint events where resources are started or created and compares these events against a baseline of known, trusted regions. The analytic focuses on successful resource provisioning actions. This activity is flagged as anomalous because it can signal unauthorized access, compromised credentials, or internal misuse of cloud resources from unfamiliar locations. Successfully exploiting this activity could lead to unauthorized resource creation, data exfiltration, or further compromise of the cloud infrastructure. The original Splunk detection was published in April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a user account via compromised credentials or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the AWS Management Console or utilizes AWS CLI with the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a cloud provisioning action, such as creating a new EC2 instance or launching a new service, from a region not previously associated with the account.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u0026quot;started\u0026quot; or \u0026quot;created\u0026quot; event for the provisioned resource, including the source IP address, user, object, and command used.\u003c/li\u003e\n\u003cli\u003eThe detection logic identifies the previously unseen region based on the source IP address using GeoIP enrichment.\u003c/li\u003e\n\u003cli\u003eAn alert is triggered, indicating anomalous provisioning activity from an unfamiliar region.\u003c/li\u003e\n\u003cli\u003eThe attacker continues to deploy resources in the new region, potentially for malicious purposes such as cryptocurrency mining or hosting command and control infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to unauthorized resource deployment, potentially resulting in significant financial costs. Data exfiltration from newly provisioned resources could expose sensitive data leading to compliance violations, legal ramifications, and reputational damage. Further, unauthorized access could allow the attacker to establish a foothold within the cloud environment, enabling lateral movement and further compromise of other resources. The impact will vary based on the compromised user's permissions and the scope of resources the attacker can provision.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging in all regions to capture cloud provisioning events.\u003c/li\u003e\n\u003cli\u003eRun the baseline search to build the \u003ccode\u003epreviously_seen_cloud_provisioning_activity_sources\u003c/code\u003e lookup table as described in the \u0026quot;How to Implement\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCloud Provisioning Activity From Previously Unseen Region\u003c/code\u003e to your SIEM and tune it based on your organization's baseline activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003esrc\u003c/code\u003e, \u003ccode\u003eRegion\u003c/code\u003e, \u003ccode\u003euser\u003c/code\u003e, \u003ccode\u003eobject\u003c/code\u003e, and \u003ccode\u003ecommand\u003c/code\u003e fields to understand the context of the provisioning activity.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eReview and restrict IAM permissions to follow the principle of least privilege, limiting the resources that a compromised user can access or provision.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-cloud-provisioning-anomaly/","summary":"This analytic detects cloud provisioning activities originating from previously unseen regions by identifying resource creation events and cross-referencing them with a baseline of known regions, potentially indicating unauthorized access or misuse of cloud resources.","title":"Cloud Provisioning Activity From Previously Unseen Region","url":"https://feed.craftedsignal.io/briefs/2024-01-03-cloud-provisioning-anomaly/"}],"language":"en","title":"CraftedSignal Threat Feed - Provisioning","version":"https://jsonfeed.org/version/1.1"}