LoFP

Organization and security administrators, billing tooling, landing-zone automation, and delegated administrator workflows may call these APIs legitimately. Interactive or one-off use from unusual principals warrants review.

Techniques

Sample rules

AWS Account Discovery By Rare User

Description

Identifies the first time, within a lookback window, an identity performs AWS Organizations or IAM account enumeration APIs. Attackers with compromised credentials often map the organization (accounts, OUs, roots, delegated admins) and account-level metadata (aliases, summary) using the AWS CLI or SDKs. This is a New Terms rule detecting a rare occurrence of the cloud.account.id and user.name pair for these actions.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.outcome: "success"
    and source.ip:*
    and not aws.cloudtrail.session_credential_from_console: "true"
    and not aws.cloudtrail.user_identity.type: "AWSService"
    and (
        (
            event.provider: "organizations.amazonaws.com"
            and event.action: (
                "DescribeOrganization" or "DescribeOrganizationalUnit" or "ListAccounts" or "ListRoots"
                or "ListOrganizationalUnitsForParent" or "ListAccountsForParent" or "ListPolicies"
                or "ListAWSServiceAccessForOrganization" or "ListDelegatedAdministrators"
                or "ListDelegatedServicesForAccount" or "DescribeResourcePolicy"
            )
        )
        or (
            event.provider: "iam.amazonaws.com"
            and event.action: ("ListAccountAliases" or "GetAccountSummary")
        )
    )
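The query above is a Kibana (KQL) new-terms rule and cannot be run outside Elastic. The following is an added example, not Elastic's own implementation, that re-creates the same logic in Python so the two parts of the rule can be exercised separately: the event filter (successful, non-console, non-service-principal calls to the listed Organizations and IAM APIs) and the "rare user" step, which alerts the first time a (cloud.account.id, user.name) pair is seen within a lookback window. The field names follow the ECS keys used in the rule; the 14-day lookback, the TEST-NET-2 source address and all sample events are constructed for the example. Note the API set uses the documented spelling "DescribeOrganizationalUnit".

```python
from datetime import datetime, timedelta

# Account-discovery APIs named in the rule, grouped by event.provider.
ORG_ACTIONS = {
    "DescribeOrganization", "DescribeOrganizationalUnit", "ListAccounts", "ListRoots",
    "ListOrganizationalUnitsForParent", "ListAccountsForParent", "ListPolicies",
    "ListAWSServiceAccessForOrganization", "ListDelegatedAdministrators",
    "ListDelegatedServicesForAccount", "DescribeResourcePolicy",
}
IAM_ACTIONS = {"ListAccountAliases", "GetAccountSummary"}


def matches_filter(ev):
    """Mirror the KQL conditions: CloudTrail event, successful outcome, a source IP
    present, not a console session, not an AWS service principal, and one of the
    listed Organizations or IAM account-discovery actions."""
    if ev.get("event.dataset") != "aws.cloudtrail":
        return False
    if ev.get("event.outcome") != "success":
        return False
    if not ev.get("source.ip"):
        return False
    if str(ev.get("aws.cloudtrail.session_credential_from_console", "")).lower() == "true":
        return False
    if ev.get("aws.cloudtrail.user_identity.type") == "AWSService":
        return False
    provider, action = ev.get("event.provider"), ev.get("event.action")
    return (provider == "organizations.amazonaws.com" and action in ORG_ACTIONS) or (
        provider == "iam.amazonaws.com" and action in IAM_ACTIONS
    )


def find_new_terms(events, lookback=timedelta(days=14)):
    """New-terms step (assumed lookback of 14 days): alert when a
    (cloud.account.id, user.name) pair appears for the first time among matching
    events, or reappears after more than `lookback` since its previous sighting.
    Events must be supplied in timestamp order."""
    last_seen = {}
    alerts = []
    for ev in events:
        if not matches_filter(ev):
            continue
        key = (ev["cloud.account.id"], ev["user.name"])
        ts = ev["@timestamp"]
        prev = last_seen.get(key)
        if prev is None or ts - prev > lookback:
            alerts.append({"key": key, "action": ev["event.action"], "timestamp": ts})
        last_seen[key] = ts
    return alerts


# --- Constructed sample data (not real CloudTrail output) ---------------------
T0 = datetime(2024, 1, 1, 9, 0, 0)


def _ev(minutes, account, user, provider, action, **extra):
    ev = {
        "@timestamp": T0 + timedelta(minutes=minutes),
        "event.dataset": "aws.cloudtrail",
        "event.outcome": "success",
        "source.ip": "198.51.100.10",  # constructed TEST-NET-2 address
        "cloud.account.id": account,
        "user.name": user,
        "event.provider": provider,
        "event.action": action,
        "aws.cloudtrail.user_identity.type": "IAMUser",
    }
    ev.update(extra)
    return ev


SAMPLE_EVENTS = [
    # Known automation principal: first sighting alerts once, later calls do not.
    _ev(0, "111111111111", "landing-zone-automation", "organizations.amazonaws.com", "ListAccounts"),
    _ev(5, "111111111111", "landing-zone-automation", "organizations.amazonaws.com", "ListRoots"),
    # Console session: excluded by the rule.
    _ev(10, "111111111111", "alice", "organizations.amazonaws.com", "DescribeOrganization",
        **{"aws.cloudtrail.session_credential_from_console": "true"}),
    # AWS service principal: excluded by the rule.
    _ev(15, "111111111111", "config.amazonaws.com", "organizations.amazonaws.com", "ListAccounts",
        **{"aws.cloudtrail.user_identity.type": "AWSService"}),
    # Unusual principal seen for the first time: this is the case worth reviewing.
    _ev(20, "111111111111", "contractor-temp", "iam.amazonaws.com", "GetAccountSummary"),
    # Failed call (e.g. AccessDenied): excluded by event.outcome.
    _ev(25, "111111111111", "contractor-temp", "organizations.amazonaws.com",
        "DescribeOrganizationalUnit", **{"event.outcome": "failure"}),
    # Automation principal reappearing after the lookback window: treated as new again.
    _ev(20 * 24 * 60, "111111111111", "landing-zone-automation", "organizations.amazonaws.com",
        "ListDelegatedAdministrators"),
]

if __name__ == "__main__":
    for alert in find_new_terms(SAMPLE_EVENTS):
        print(alert["timestamp"].isoformat(), alert["key"], alert["action"])
```

Running the block prints three alerts: the automation principal's first call, the contractor principal's first call, and the automation principal again after the window has lapsed. The console and service-principal events and the failed call never reach the new-terms step, which is exactly what the exclusions in the KQL are for; tuning for the legitimate callers named in the false-positive note above belongs in an exception list keyed on the same (account, user) pair rather than in the filter.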