Techniques
Sample rules
AWS Discovery API Calls from VPN ASN for the First Time by Identity
- source: elastic
- techniques:
- T1526
- T1580
Description
Flags the first time a given IAM principal invokes one of a narrow set of high-signal discovery APIs (credential check,
account and IAM enumeration, bucket and compute inventory, logging introspection) from a source IP whose autonomous
system number (ASN) is in a curated set commonly associated with consumer VPN brands, VPN-heavy hosting, and provider
networks referenced in public reporting on TeamPCP activity (for example 31173 Services AB (AS39351) and Oy Crea Nova
Hosting Solution Ltd). Broad List*/Describe* patterns are intentionally omitted to reduce noise. Hosting ASNs are
heavily dual-use, so confirm that source.as.number is actually populated in your CloudTrail events (it depends on ASN
enrichment at ingest) and add further event.action values only when your baseline stays quiet.
Detection logic
event.dataset: "aws.cloudtrail"
and event.outcome: "success"
and aws.cloudtrail.user_identity.arn:(* and not *AWSServiceRoleForConfig*)
and not aws.cloudtrail.user_identity.type: "AWSService"
and event.provider: (
"sts.amazonaws.com" or
"iam.amazonaws.com" or
"s3.amazonaws.com" or
"ec2.amazonaws.com" or
"lambda.amazonaws.com" or
"rds.amazonaws.com" or
"dynamodb.amazonaws.com" or
"kms.amazonaws.com" or
"cloudtrail.amazonaws.com"
)
and event.action: (
"GetCallerIdentity" or
"ListUsers" or
"ListRoles" or
"ListAccessKeys" or
"GetAccountSummary" or
"ListAccountAliases" or
"ListGroups" or
"ListMFADevices" or
"ListBuckets" or
"DescribeInstances" or
"DescribeRegions" or
"DescribeVpcs" or
"DescribeSecurityGroups" or
"ListFunctions" or
"DescribeDBInstances" or
"DescribeDBSnapshots" or
"ListTables" or
"ListKeys" or
"ListAliases" or
"DescribeTrails" or
"LookupEvents"
)
and source.as.number: (
216025 or
57138 or
207137 or
212238 or
199218 or
209103 or
209854 or
141039 or
147049 or
53314 or
60068 or
9009 or
20473 or
63949 or
39351 or
51765 or
204187 or
29066 or
206092
)
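To see how the clauses above combine, here is an added example (not Elastic's rule code) that rewrites the KQL filter as a Python predicate, layers a minimal "first time by identity" check on top, and runs it over a constructed stream of CloudTrail-shaped events. Keying the first-time check on the principal ARN, and the in-memory `seen` set standing in for the rule's history window, are assumptions; the page does not state the new-terms field.

```python
# Added example, not Elastic's own rule code. Field names follow ECS / the Elastic
# AWS integration exactly as they appear in the KQL query above.

PROVIDERS = {
    "sts.amazonaws.com", "iam.amazonaws.com", "s3.amazonaws.com", "ec2.amazonaws.com",
    "lambda.amazonaws.com", "rds.amazonaws.com", "dynamodb.amazonaws.com",
    "kms.amazonaws.com", "cloudtrail.amazonaws.com",
}
ACTIONS = {
    "GetCallerIdentity", "ListUsers", "ListRoles", "ListAccessKeys", "GetAccountSummary",
    "ListAccountAliases", "ListGroups", "ListMFADevices", "ListBuckets", "DescribeInstances",
    "DescribeRegions", "DescribeVpcs", "DescribeSecurityGroups", "ListFunctions",
    "DescribeDBInstances", "DescribeDBSnapshots", "ListTables", "ListKeys", "ListAliases",
    "DescribeTrails", "LookupEvents",
}
VPN_ASNS = {
    216025, 57138, 207137, 212238, 199218, 209103, 209854, 141039, 147049, 53314,
    60068, 9009, 20473, 63949, 39351, 51765, 204187, 29066, 206092,
}


def matches_filter(event: dict) -> bool:
    """True when the event satisfies every clause of the KQL query above."""
    if event.get("event.dataset") != "aws.cloudtrail":
        return False
    if event.get("event.outcome") != "success":
        return False
    arn = event.get("aws.cloudtrail.user_identity.arn")
    # `arn:(* and not *AWSServiceRoleForConfig*)`: field must exist and not name the Config SLR.
    if not arn or "AWSServiceRoleForConfig" in arn:
        return False
    if event.get("aws.cloudtrail.user_identity.type") == "AWSService":
        return False
    if event.get("event.provider") not in PROVIDERS:
        return False
    if event.get("event.action") not in ACTIONS:
        return False
    return event.get("source.as.number") in VPN_ASNS


def first_time_alerts(events, seen_arns=None):
    """Yield filter matches whose ARN has not matched before (assumed new-terms key).

    `seen_arns` stands in for the rule's history window: seed it with ARNs that
    already matched during the baseline period so they do not alert again.
    """
    seen_arns = set() if seen_arns is None else seen_arns
    for ev in events:
        if not matches_filter(ev):
            continue
        arn = ev["aws.cloudtrail.user_identity.arn"]
        if arn in seen_arns:
            continue
        seen_arns.add(arn)
        yield ev


def _ev(arn, action, provider, asn, outcome="success", identity_type="IAMUser"):
    """Build one constructed CloudTrail-shaped event (sample data, not a real trail)."""
    return {
        "event.dataset": "aws.cloudtrail",
        "event.outcome": outcome,
        "event.provider": provider,
        "event.action": action,
        "aws.cloudtrail.user_identity.arn": arn,
        "aws.cloudtrail.user_identity.type": identity_type,
        "source.as.number": asn,
    }


# Constructed sample principals and stream; account ID and names are placeholders.
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
CAROL = "arn:aws:iam::123456789012:user/carol"
CONFIG_SLR = "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForConfig/config"

SAMPLE_EVENTS = [
    _ev(ALICE, "GetCallerIdentity", "sts.amazonaws.com", 9009),           # alert: first match for alice
    _ev(ALICE, "ListBuckets", "s3.amazonaws.com", 39351),                  # alice already seen
    _ev(CONFIG_SLR, "DescribeTrails", "cloudtrail.amazonaws.com", 20473),  # excluded by the ARN clause
    _ev(BOB, "ListUsers", "iam.amazonaws.com", 16509),                     # ASN not in the curated set
    _ev(BOB, "GetCallerIdentity", "sts.amazonaws.com", 20473, outcome="failure"),  # not a success
    _ev(BOB, "DescribeSubnets", "ec2.amazonaws.com", 20473),               # broad Describe*, deliberately omitted
    _ev(BOB, "ListRoles", "iam.amazonaws.com", 20473),                     # alert: first match for bob
    _ev(CAROL, "ListFunctions", "lambda.amazonaws.com", 20473, identity_type="AWSService"),  # service identity
]


def run_example(seen_arns=None):
    """Return (arn, action, asn) for each alert the sample stream produces."""
    return [
        (ev["aws.cloudtrail.user_identity.arn"], ev["event.action"], ev["source.as.number"])
        for ev in first_time_alerts(SAMPLE_EVENTS, seen_arns)
    ]


if __name__ == "__main__":
    for arn, action, asn in run_example():
        print(f"ALERT first discovery call from VPN ASN {asn}: {arn} -> {action}")
```

Two alerts fire on the sample stream (alice via GetCallerIdentity from AS9009, bob via ListRoles from AS20473); the Config service-linked role, the failed call, the non-listed ASN, the broad DescribeSubnets and the AWSService identity are all dropped by the filter, and alice's second call is suppressed because her ARN already matched. Seeding `seen_arns` with ARNs that matched during your baseline period is the equivalent of the history window: without it every principal alerts once on the first run.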