AWS EC2 Multi-Region DescribeInstances API Calls

edit

AWS EC2 Multi-Region DescribeInstances API Calls

edit

Identifies when a single AWS resource is making DescribeInstances API calls in more than 10 regions within a 30-second window. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple regions using compromised credentials or a compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to gain a better understanding of the target’s infrastructure.

Rule type: esql

Rule indices: None

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: AWS EC2
  • Resources: Investigation Guide
  • Use Case: Threat Detection
  • Tactic: Discovery

Version: 3

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and Analysis

Investigating AWS EC2 Multi-Region DescribeInstances API Calls

This rule detects instances where a single AWS resource makes DescribeInstances API calls in over 10 regions within a 30-second window. This could indicate an adversary using compromised credentials or an exploited resource to enumerate AWS infrastructure across multiple regions. Attackers often leverage multi-region enumeration to assess the overall cloud environment and find potential targets for further exploitation.

Possible Investigation Steps

  • Identify the Resource and Actor:
  • Actor ARN: Check aws.cloudtrail.user_identity.arn to determine the exact identity performing the enumeration. Validate if the user is expected to perform region-wide DescribeInstances actions across multiple regions or if it seems unusual.
  • Account and Role Details: Examine cloud.account.id and aws.cloudtrail.user_identity.session_context.session_issuer for information about the AWS account and specific role associated with the action.
  • Analyze API Call Patterns:
  • Frequency and Scope: Review cloud.region field and confirm if this specific resource commonly performs DescribeInstances calls across multiple regions.
  • Time Window Context: Compare the timing of the API calls within the target_time_window to determine if this burst pattern aligns with expected system usage or is potentially malicious.
  • Check User Agent and Tooling:
  • Source and User Agent: Verify user_agent.original to determine if the request was made through expected tooling (e.g., AWS CLI or SDK) or a third-party tool that might indicate non-standard access.
  • Source IP Address: Look into source.address to identify the origin of the calls. Unusual IP addresses, especially those outside expected ranges, may indicate compromised access.
  • Evaluate for Potential Reconnaissance Behavior:
  • Account and Region Enumeration: Adversaries may use region-wide DescribeInstances requests to discover resources within an account across different regions. Confirm if this access aligns with operational practices or represents excessive access.
  • Permissions and Roles: Investigate the permissions associated with the user role. Excessive permissions on a compromised role may allow broader enumeration, which should be restricted.
  • Review Related CloudTrail Events:
  • Additional Describe or List Actions: Identify any associated Describe or List API calls that may indicate further enumeration of other AWS services within the same timeframe.
  • Potential Preceding Events: Look for preceding login or access events from the same actor, as these may indicate potential credential compromise or unauthorized escalation of privileges.

False Positive Analysis

  • Expected Enumeration: Certain administrative or automation scripts may conduct broad DescribeInstances API calls for inventory purposes. Review usage patterns or consult relevant teams to validate the purpose.
  • Automated Cloud Management: Some automated services may perform regional checks for compliance or backup operations. If this rule is triggered repeatedly by a known service, consider whitelisting or tuning accordingly.

Response and Remediation

  • Review IAM Policies and Role Permissions: Limit the permissions of roles associated with this resource, restricting unnecessary multi-region enumeration access.
  • Enforce Least Privilege Access: Ensure that permissions for DescribeInstances are tightly controlled and restricted to specific roles or accounts that require multi-region access.
  • Increase Monitoring and Alerts: Set up additional monitoring on this role or account for further signs of unauthorized activity or lateral movement attempts.
  • Access Review: Conduct a review of users and entities with DescribeInstances permissions, especially for multi-region capabilities, and ensure these permissions are necessary for their functions.

Additional Information

For further information on AWS DescribeInstances permissions and best practices, refer to the AWS DescribeInstances API documentation.

Rule query

edit
from logs-aws.cloudtrail-*

// filter for DescribeInstances API calls
| where event.dataset == "aws.cloudtrail" and event.provider == "ec2.amazonaws.com" and event.action == "DescribeInstances"

// truncate the timestamp to a 30-second window
| eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)

// keep only the relevant fields
| keep target_time_window, aws.cloudtrail.user_identity.arn, cloud.region

// count the number of unique regions and total API calls within the 30-second window
| stats region_count = count_distinct(cloud.region), window_count = count(*) by target_time_window, aws.cloudtrail.user_identity.arn

// filter for resources making DescribeInstances API calls in more than 10 regions within the 30-second window
| where region_count >= 10 and window_count >= 10

// sort the results by time windows in descending order
| sort target_time_window desc

Framework: MITRE ATT&CKTM