Techniques
Sample rules
AWS EC2 Multi-Region DescribeInstances API Calls
- source: elastic
- technicques:
- T1580
Description
Identifies when a single AWS resource is making DescribeInstances API calls in more than 10 regions within a 30-second
window. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple
regions using compromised credentials or a compromised instance. Adversaries may use this information to identify
potential targets for further exploitation or to gain a better understanding of the target’s infrastructure.
Detection logic
from logs-aws.cloudtrail-*
// filter for DescribeInstances API calls
| where event.dataset == "aws.cloudtrail" and event.provider == "ec2.amazonaws.com" and event.action == "DescribeInstances"
// truncate the timestamp to a 30-second window
| eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)
// keep only the relevant fields
| keep target_time_window, aws.cloudtrail.user_identity.arn, cloud.region
// count the number of unique regions and total API calls within the 30-second window
| stats region_count = count_distinct(cloud.region), window_count = count(*) by target_time_window, aws.cloudtrail.user_identity.arn
// filter for resources making DescribeInstances API calls in more than 10 regions within the 30-second window
| where region_count >= 10 and window_count >= 10
// sort the results by time windows in descending order
| sort target_time_window desc