{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/service_quotas/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["EC2","Service Quotas"],"_cs_severities":["low"],"_cs_tags":["cloud","aws","service_quotas","discovery"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis alert identifies suspicious activity related to the enumeration of AWS service quotas. Specifically, it detects a single AWS principal making GetServiceQuota API calls for the EC2 service quota L-1216C47A (vCPU limit for on-demand EC2 instances) across more than 10 AWS regions within a 30-second window. This behavior is atypical for normal administrative tasks and is often associated with adversaries attempting to assess available compute resources for malicious activities. Such activities include cryptocurrency mining, malware hosting, or establishing command-and-control infrastructure. This detection highlights potential cloud infrastructure discovery using compromised credentials or a compromised workload. The rule was last updated on 2026-04-10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to an AWS account through compromised credentials or a compromised workload.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS API to enumerate service quotas.\u003c/li\u003e\n\u003cli\u003eThe attacker issues GetServiceQuota API calls.\u003c/li\u003e\n\u003cli\u003eThe API calls specify the \u0026quot;ec2\u0026quot; service and the quota code \u0026quot;L-1216C47A\u0026quot;, targeting on-demand vCPU limits.\u003c/li\u003e\n\u003cli\u003eThese calls are made across more than 10 different AWS regions within a short time frame (30 seconds).\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the results to identify regions with sufficient vCPU capacity for their purposes.\u003c/li\u003e\n\u003cli\u003eBased on discovered capacity, the attacker may proceed to launch EC2 instances for malicious activities like crypto mining.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys and executes malicious payloads on the provisioned instances.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised AWS accounts can lead to significant resource abuse and financial losses. Rapid enumeration of EC2 service quotas often precedes the deployment of compute-intensive workloads, such as cryptocurrency miners or botnet infrastructure, which can consume substantial resources and generate unexpected cloud costs. Successful exploitation can also enable the hosting of malware or the establishment of command-and-control servers, potentially impacting numerous downstream victims. While the rule has a low severity, the activity it detects may be a precursor to more serious malicious activity and should be investigated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune it for your environment to detect rapid multi-region service quota enumeration.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003eaws.cloudtrail.user_identity.access_key_id\u003c/code\u003e from the CloudTrail logs to identify the source of the API calls and validate its legitimacy.\u003c/li\u003e\n\u003cli\u003eInvestigate the \u003ccode\u003esource.ip\u003c/code\u003e, \u003ccode\u003esource.as.organization.name\u003c/code\u003e, and \u003ccode\u003euser_agent.original\u003c/code\u003e from the CloudTrail logs to assess the origin of the requests and identify any suspicious or unexpected sources.\u003c/li\u003e\n\u003cli\u003eCorrelate the detected activity with subsequent EC2-related actions like \u003ccode\u003eRunInstances\u003c/code\u003e or \u003ccode\u003eCreateLaunchTemplate\u003c/code\u003e in CloudTrail to identify potential resource abuse.\u003c/li\u003e\n\u003cli\u003eImplement tighter IAM permissions to restrict access to Service Quotas APIs where not explicitly required, as described in the AWS Knowledge Center security best practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-14T12:00:00Z","date_published":"2024-11-14T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-11-aws-service-quotas-discovery/","summary":"An AWS principal rapidly enumerates EC2 on-demand vCPU service quotas across multiple regions, indicative of cloud infrastructure discovery for malicious purposes such as cryptocurrency mining or botnet hosting.","title":"Rapid Multi-Region AWS Service Quota Enumeration for EC2 vCPU Limits","url":"https://feed.craftedsignal.io/briefs/2024-11-aws-service-quotas-discovery/"}],"language":"en","title":"CraftedSignal Threat Feed - Service_quotas","version":"https://jsonfeed.org/version/1.1"}