AWS EC2 Multi-Region DescribeInstances API Calls
Identifies when a single AWS identity makes DescribeInstances API calls in 10 or more regions within a 30-second window. This could indicate a threat actor using compromised credentials or a compromised instance to discover EC2 infrastructure across regions. Adversaries use this information to identify targets for further exploitation or to build a picture of the target's environment.
Rule type: esql
Rule indices:
Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:
- https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: AWS EC2
- Resources: Investigation Guide
- Use Case: Threat Detection
- Tactic: Discovery
Version: ?
Rule authors:
- Elastic
Rule license: Elastic License v2
This rule detects instances where a single AWS identity makes DescribeInstances API calls in 10 or more regions within a 30-second window. This could indicate an adversary using compromised credentials or an exploited resource to enumerate AWS infrastructure across multiple regions. Attackers often use multi-region enumeration to assess the overall cloud environment and find potential targets for further exploitation, since an account's resources are spread across regions and a single-region query reveals only part of the picture.
Identify the Resource and Actor:
- Actor ARN: Check aws.cloudtrail.user_identity.arn to determine the exact identity performing the enumeration. Validate whether this identity is expected to perform DescribeInstances calls across many regions (inventory tooling or a cloud security scanner, for example) or whether the behavior is unusual for it.
- Account and Role Details: Examine cloud.account.id and aws.cloudtrail.user_identity.session_context.session_issuer for the AWS account and the role that issued the session. For assumed-role sessions the actor ARN identifies the session while the session issuer identifies the underlying role; both are needed to trace the activity back to its origin.
Analyze API Call Patterns:
- Frequency and Scope: Review the cloud.region values in the matching window and confirm whether this identity commonly performs DescribeInstances calls across multiple regions, or whether regions it has never touched before appear.
- Time Window Context: Compare the timing of the API calls within target_time_window to determine whether this burst aligns with expected system usage (a scheduled inventory job, for example) or is potentially malicious. Note that the window is a fixed 30-second bucket, so a burst that straddles a bucket boundary is split across two windows and may fall under the threshold; when in doubt, query a wider time range around the alert.
Check User Agent and Tooling:
- Source and User Agent: Verify user_agent.original to determine whether the requests came from expected tooling (for example the AWS CLI, an SDK, or the console) or from a third-party or scripted client that might indicate non-standard access.
- Source IP Address: Look into source.address to identify the origin of the calls. Unusual IP addresses, especially those outside expected ranges, may indicate compromised access.
Evaluate for Potential Reconnaissance Behavior:
- Account and Region Enumeration: Adversaries may use region-wide DescribeInstances requests to discover resources within an account across different regions. Confirm whether this access aligns with operational practices or represents excessive access.
- Permissions and Roles: Investigate the permissions attached to the identity. Excessive permissions on a compromised role allow broader enumeration and should be restricted.
Review Related CloudTrail Events:
- Additional Describe or List Actions: Identify any associated Describe or List API calls from the same actor within the same timeframe, for other services as well as EC2, that may indicate further enumeration.
- Potential Preceding Events: Look for preceding login or access events from the same actor, such as ConsoleLogin, GetCallerIdentity or AssumeRole, as these may indicate credential compromise or unauthorized escalation of privileges.
False positive analysis:
- Expected Enumeration: Certain administrative or automation scripts may conduct broad DescribeInstances API calls for inventory purposes. Review usage patterns or consult the relevant teams to validate the purpose.
- Automated Cloud Management: Some automated services may perform regional checks for compliance or backup operations. If this rule is triggered repeatedly by a known service, consider adding a rule exception for that identity or tuning the thresholds accordingly.
Response and remediation:
- Review IAM Policies and Role Permissions: Limit the permissions of roles associated with this resource, restricting unnecessary multi-region enumeration access.
- Enforce Least Privilege Access: Ensure that ec2:DescribeInstances is granted only to roles or accounts that need it. EC2 Describe actions do not support resource-level restrictions, so scope them by region with the aws:RequestedRegion condition key for roles that only operate in known regions.
- Increase Monitoring and Alerts: Set up additional monitoring on this role or account for further signs of unauthorized activity or lateral movement attempts.
- Access Review: Conduct a review of users and entities with DescribeInstances permissions, especially those able to call it in every region, and ensure these permissions are necessary for their functions.
For further information on AWS DescribeInstances permissions and best practices, refer to the AWS DescribeInstances API documentation.
Rule query:
from logs-aws.cloudtrail-*
// filter for DescribeInstances API calls
| where event.dataset == "aws.cloudtrail" and event.provider == "ec2.amazonaws.com" and event.action == "DescribeInstances"
// truncate the timestamp to a 30-second window
| eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)
// keep only the relevant fields
| keep target_time_window, aws.cloudtrail.user_identity.arn, cloud.region
// count the number of unique regions and total API calls within the 30-second window
| stats region_count = count_distinct(cloud.region), window_count = count(*) by target_time_window, aws.cloudtrail.user_identity.arn
// keep only identities that called DescribeInstances in at least 10 regions (and at least 10 times) within the 30-second window
| where region_count >= 10 and window_count >= 10
// sort the results by time windows in descending order
| sort target_time_window desc
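The following is an added example, not part of the Elastic rule or this page, that re-implements the query's logic in Python so the windowing and thresholds can be exercised offline: timestamps are floored to 30-second buckets as DATE_TRUNC does, calls are grouped by bucket and actor ARN, and a bucket alerts when it contains at least 10 distinct regions and at least 10 calls. The events, ARNs and region list are constructed for the example and use the same ECS field names as the query. The third case shows the fixed-window blind spot noted in the investigation guide: a 12-region burst that starts at second 24 lands six calls in each of two buckets and produces no alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds mirror the ES|QL rule: >= 10 distinct regions and >= 10 calls per 30-second bucket.
WINDOW = timedelta(seconds=30)
REGION_THRESHOLD = 10
CALL_THRESHOLD = 10

# Regions used to build the constructed sample events (not a complete list of AWS regions).
REGIONS = [
    "us-east-1", "us-east-2", "us-west-1", "us-west-2", "eu-west-1", "eu-west-2",
    "eu-central-1", "ap-southeast-1", "ap-southeast-2", "ap-northeast-1",
    "ap-south-1", "sa-east-1",
]


def truncate(ts: datetime, window: timedelta = WINDOW) -> datetime:
    """Equivalent of DATE_TRUNC(30 seconds, @timestamp): floor to the start of the bucket."""
    epoch = int(ts.timestamp())
    step = int(window.total_seconds())
    return datetime.fromtimestamp(epoch - epoch % step, tz=timezone.utc)


def is_describe_instances(event: dict) -> bool:
    """The rule's WHERE clause."""
    return (event.get("event.dataset") == "aws.cloudtrail"
            and event.get("event.provider") == "ec2.amazonaws.com"
            and event.get("event.action") == "DescribeInstances")


def detect(events):
    """Return [(bucket_start, arn, region_count, window_count), ...] for buckets that meet both thresholds,
    newest bucket first, matching the STATS ... BY / WHERE / SORT stages of the query."""
    regions = defaultdict(set)
    calls = defaultdict(int)
    for ev in events:
        if not is_describe_instances(ev):
            continue
        arn = ev.get("aws.cloudtrail.user_identity.arn")
        if arn is None:
            # Events without an ARN (some service or root contexts) would all collapse into one
            # group in the query; they are skipped here so they cannot produce a misleading hit.
            continue
        key = (truncate(ev["@timestamp"]), arn)
        regions[key].add(ev["cloud.region"])
        calls[key] += 1
    hits = [(bucket, arn, len(regions[(bucket, arn)]), calls[(bucket, arn)])
            for (bucket, arn) in regions
            if len(regions[(bucket, arn)]) >= REGION_THRESHOLD and calls[(bucket, arn)] >= CALL_THRESHOLD]
    return sorted(hits, key=lambda h: h[0], reverse=True)


def make_events(arn: str, start: datetime, regions, spacing: timedelta):
    """Constructed CloudTrail-shaped events: one DescribeInstances call per region, `spacing` apart."""
    return [{
        "@timestamp": start + i * spacing,
        "event.dataset": "aws.cloudtrail",
        "event.provider": "ec2.amazonaws.com",
        "event.action": "DescribeInstances",
        "aws.cloudtrail.user_identity.arn": arn,
        "cloud.region": region,
    } for i, region in enumerate(regions)]


# Constructed sample data (fictional account and principals).
T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
ATTACKER = "arn:aws:iam::123456789012:user/compromised-user"
INVENTORY = "arn:aws:iam::123456789012:role/inventory-role"

# Case 1: 12 regions in 12 seconds, all inside the 12:00:00-12:00:30 bucket -> alert.
burst = make_events(ATTACKER, T0, REGIONS, timedelta(seconds=1))
# Case 2: a 3-region sweep by an inventory role -> below both thresholds.
small = make_events(INVENTORY, T0, REGIONS[:3], timedelta(seconds=1))
# Case 3: the same 12-region burst starting at 12:00:24 straddles the bucket boundary
# (6 calls in each bucket) -> no alert; this is the fixed-window blind spot.
straddle = make_events(ATTACKER, T0 + timedelta(seconds=24), REGIONS, timedelta(seconds=1))


def truncate_offset(seconds_after_t0: int) -> int:
    """Seconds from T0 to the start of the bucket containing T0 + seconds_after_t0."""
    return int((truncate(T0 + timedelta(seconds=seconds_after_t0)) - T0).total_seconds())


def run_cases():
    return {"burst": detect(burst), "small": detect(small), "straddle": detect(straddle)}


if __name__ == "__main__":
    for name, hits in run_cases().items():
        print(name, hits)
```

Running the script prints one hit for the burst case and none for the other two. A sliding window (or a second rule with a longer bucket) closes the straddling gap at the cost of more rows to aggregate; the fixed bucket is what the published query uses, so analysts should widen the time range when validating a near-miss.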
Framework: MITRE ATT&CK
Tactic:
- Name: Discovery
- Id: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: Cloud Infrastructure Discovery
- Id: T1580
- Reference URL: https://attack.mitre.org/techniques/T1580/