<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Service_quotas - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/service_quotas/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 14 Nov 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/service_quotas/feed.xml" rel="self" type="application/rss+xml"/><item><title>Rapid Multi-Region AWS Service Quota Enumeration for EC2 vCPU Limits</title><link>https://feed.craftedsignal.io/briefs/2024-11-aws-service-quotas-discovery/</link><pubDate>Thu, 14 Nov 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-11-aws-service-quotas-discovery/</guid><description>An AWS principal rapidly enumerates EC2 on-demand vCPU service quotas across multiple regions, indicative of cloud infrastructure discovery for malicious purposes such as cryptocurrency mining or botnet hosting.</description><content:encoded><![CDATA[<p>This alert identifies suspicious activity related to the enumeration of AWS service quotas. Specifically, it detects a single AWS principal making GetServiceQuota API calls for the EC2 service quota L-1216C47A (vCPU limit for on-demand EC2 instances) across more than 10 AWS regions within a 30-second window. This behavior is atypical for normal administrative tasks and is often associated with adversaries attempting to assess available compute resources for malicious activities. Such activities include cryptocurrency mining, malware hosting, or establishing command-and-control infrastructure. This detection highlights potential cloud infrastructure discovery using compromised credentials or a compromised workload. The rule was last updated on 2026-04-10.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains access to an AWS account through compromised credentials or a compromised workload.</li>
<li>The attacker uses the AWS API to enumerate service quotas.</li>
<li>The attacker issues GetServiceQuota API calls.</li>
<li>The API calls specify the &quot;ec2&quot; service and the quota code &quot;L-1216C47A&quot;, targeting on-demand vCPU limits.</li>
<li>These calls are made across more than 10 different AWS regions within a short time frame (30 seconds).</li>
<li>The attacker analyzes the results to identify regions with sufficient vCPU capacity for their purposes.</li>
<li>Based on discovered capacity, the attacker may proceed to launch EC2 instances for malicious activities like crypto mining.</li>
<li>The attacker deploys and executes malicious payloads on the provisioned instances.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised AWS accounts can lead to significant resource abuse and financial losses. Rapid enumeration of EC2 service quotas often precedes the deployment of compute-intensive workloads, such as cryptocurrency miners or botnet infrastructure, which can consume substantial resources and generate unexpected cloud costs. Successful exploitation can also enable the hosting of malware or the establishment of command-and-control servers, potentially impacting numerous downstream victims. While the rule has a low severity, the activity it detects may be a precursor to more serious malicious activity and should be investigated.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM and tune it for your environment to detect rapid multi-region service quota enumeration.</li>
<li>Review the <code>aws.cloudtrail.user_identity.arn</code> and <code>aws.cloudtrail.user_identity.access_key_id</code> from the CloudTrail logs to identify the source of the API calls and validate its legitimacy.</li>
<li>Investigate the <code>source.ip</code>, <code>source.as.organization.name</code>, and <code>user_agent.original</code> from the CloudTrail logs to assess the origin of the requests and identify any suspicious or unexpected sources.</li>
<li>Correlate the detected activity with subsequent EC2-related actions like <code>RunInstances</code> or <code>CreateLaunchTemplate</code> in CloudTrail to identify potential resource abuse.</li>
<li>Implement tighter IAM permissions to restrict access to Service Quotas APIs where not explicitly required, as described in the AWS Knowledge Center security best practices.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>service_quotas</category><category>discovery</category></item></channel></rss>