AWS Suspicious EC2 Enumeration
Detection overview
Triggers
- Credential was observed performing a set of anomalous API requests that can be associated with the discovery or subsequent phases of an attack.
Possible Root Causes
- An attacker may be actively looking for privilege escalation opportunities.
- A security or IT service may intentionally be enumerating these APIs for monitoring reasons.
Business Impact
- Privilege escalation may indicate the presence of an adversary that is modifying permissions to progress towards an objective.
Steps to Verify
- Investigate the account context that performed the action for other signs of malicious activity.
- Validate that any modifications are authorized, given the purpose and policies governing this resource.
- If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.
AWS Suspicious EC2 Enumeration
Possible root causes
Malicious Detection
Benign Detection
AWS Suspicious EC2 Enumeration
Example scenarios
AWS Suspicious EC2 Enumeration
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
AWS Suspicious EC2 Enumeration
Steps to investigate
AWS Suspicious EC2 Enumeration
Related detections
No items found.