AWS Suspicious EC2 Enumeration

Detection overview

This detection flags unusual API activity originating from an AWS EC2 instance that may indicate an adversary is attempting to learn about or probe the cloud environment. Such enumeration can be part of reconnaissance or privilege escalation activity that gives an attacker critical details about resources and configurations, potentially aiding later stages of an attack.

Triggers

  • A credential was observed performing a set of anomalous API requests associated with the discovery phase, or subsequent phases, of an attack.

Possible Root Causes

  • An attacker may be actively looking for privilege escalation opportunities.
  • A security or IT service may intentionally be enumerating these APIs for monitoring reasons.

Business Impact

  • Privilege escalation may indicate the presence of an adversary that is modifying permissions to progress towards an objective.

Steps to Verify

  • Investigate the account context that performed the action for other signs of malicious activity.
  • Validate that any modifications are authorized, given the purpose and policies governing this resource.
  • If the review indicates possible malicious actions or a high-risk configuration, revert the configuration, disable the credentials associated with this alert, and then perform a comprehensive investigation.
Possible root causes

Malicious Detection

Attackers who gain access to an EC2 instance may enumerate environment details to understand the account’s configuration. This knowledge helps adversaries plan escalation strategies by identifying users, privileges, and available services. Reconnaissance also aids in discovering critical assets like databases or sensitive data storage that attackers may target for data theft, lateral movement, or privilege escalation.

Benign Detection

Legitimate applications or administrators may perform similar enumeration activities. Security and IT operations may run audits or monitoring tasks on EC2 instances to verify configurations, track resource usage, or ensure compliance with policies.

Example scenarios

1. Unauthorized Access via Compromised EC2 Instance

An attacker gains unauthorized access to an EC2 instance after compromising exposed SSH credentials. After logging in, they initiate AWS API calls to enumerate the environment.

The attacker queries IAM roles, looking for elevated privileges or unused roles, and inspects the list of EC2 instances, storage volumes, and other resources.

This enumeration helps the attacker identify pathways for privilege escalation, sensitive data locations, and potential lateral movement targets.

By mapping the environment, the attacker’s next steps may involve elevating privileges or exploiting vulnerable configurations to access additional resources.

2. Misconfigured Monitoring Script in a Production Environment

A cloud operations team deploys a monitoring script to track resources within the AWS environment.

The script periodically queries EC2 instance statuses, IAM roles, and attached policies to ensure compliance with internal policies.

However, due to a misconfiguration, the script runs more frequently than intended and generates a high volume of API calls from specific EC2 instances. Vectra’s detection flags this as suspicious enumeration.

During investigation, the security team verifies the activity as legitimate but realizes the script’s frequency needs adjustment.

They update the script to reduce API call volume, ensuring compliance without triggering unnecessary alerts.
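The two scenarios above differ in a way that can be measured rather than guessed at: the compromised instance role fans out across services it never used before, while the monitoring script repeats the same few calls at high volume. The following Python is an added illustration (not Vectra's detection logic or any project's code) of scoring per-credential enumeration activity over CloudTrail-shaped records. The record layout (eventTime, eventSource, eventName, userIdentity.arn), the role ARNs, the baseline of previously seen APIs, and the thresholds are all constructed assumptions for the example.

```python
"""Score CloudTrail-style activity for enumeration-like API fan-out per credential."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical principals (constructed; not real account or instance IDs).
WEB_ROLE = "arn:aws:sts::111111111111:assumed-role/web-instance-role/i-0example1"
MON_ROLE = "arn:aws:sts::111111111111:assumed-role/monitoring-role/i-0example2"


def _record(ts_minutes, arn, source, name):
    """Build a minimal CloudTrail-shaped record as a JSON line (constructed sample data)."""
    ts = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc) + timedelta(minutes=ts_minutes)
    return json.dumps({
        "eventTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": source,
        "eventName": name,
        "userIdentity": {"type": "AssumedRole", "arn": arn},
        "sourceIPAddress": "10.0.1.23",
    })


# Scenario 1: a web instance role suddenly queries IAM, EC2, S3 and STS within minutes.
WEB_CALLS = [
    ("iam.amazonaws.com", "ListRoles"), ("iam.amazonaws.com", "ListUsers"),
    ("iam.amazonaws.com", "GetAccountAuthorizationDetails"),
    ("ec2.amazonaws.com", "DescribeInstances"), ("ec2.amazonaws.com", "DescribeVolumes"),
    ("ec2.amazonaws.com", "DescribeSecurityGroups"), ("s3.amazonaws.com", "ListBuckets"),
    ("sts.amazonaws.com", "GetCallerIdentity"),
]
# Scenario 2: a monitoring role repeats the same three calls every minute for ten minutes.
MON_CALLS = [("ec2.amazonaws.com", "DescribeInstanceStatus"),
             ("iam.amazonaws.com", "ListRoles"),
             ("iam.amazonaws.com", "ListAttachedRolePolicies")]

SAMPLE_LOG = [_record(i, WEB_ROLE, src, name) for i, (src, name) in enumerate(WEB_CALLS)]
SAMPLE_LOG += [_record(m, MON_ROLE, src, name) for m in range(10) for src, name in MON_CALLS]

# Constructed baseline: the APIs each principal normally calls (e.g. learned from prior weeks).
BASELINE = {
    WEB_ROLE: {"s3.amazonaws.com:GetObject", "sts.amazonaws.com:GetCallerIdentity"},
    MON_ROLE: {f"{src}:{name}" for src, name in MON_CALLS},
}

READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def is_enumeration(event_name):
    """Read-only discovery calls are the Describe*/List*/Get* CloudTrail eventNames."""
    return event_name.startswith(READ_ONLY_PREFIXES)


def score_principals(json_lines, baseline, window=timedelta(minutes=15)):
    """For each principal, find the sliding window with the most APIs not in its baseline.

    Returns arn -> {total_calls, distinct_apis, services, new_apis} for that window.
    """
    by_principal = defaultdict(list)
    for line in json_lines:
        ev = json.loads(line)
        if not is_enumeration(ev["eventName"]):
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_principal[ev["userIdentity"]["arn"]].append((ts, f'{ev["eventSource"]}:{ev["eventName"]}'))
    scores = {}
    for arn, calls in by_principal.items():
        calls.sort()
        best = None
        for i, (start, _) in enumerate(calls):
            in_win = [api for ts, api in calls[i:] if ts - start <= window]
            distinct = set(in_win)
            s = {
                "total_calls": len(in_win),
                "distinct_apis": len(distinct),
                "services": len({api.split(":")[0] for api in distinct}),
                "new_apis": len(distinct - baseline.get(arn, set())),
            }
            if best is None or s["new_apis"] > best["new_apis"]:
                best = s
        scores[arn] = best
    return scores


def flag_enumeration(scores, min_new_apis=4, min_services=2):
    """Alert on novelty and breadth across services, not on raw call volume."""
    return sorted(arn for arn, s in scores.items()
                  if s["new_apis"] >= min_new_apis and s["services"] >= min_services)


if __name__ == "__main__":
    result = score_principals(SAMPLE_LOG, BASELINE)
    for arn, s in result.items():
        print(arn.rsplit("/", 2)[1], s)
    print("flagged:", flag_enumeration(result))
```

Run as-is, the web instance role is flagged (seven APIs it had never called, spread over four services), while the monitoring role, despite thirty calls in ten minutes, scores zero new APIs and is not flagged. That separation is what the investigation in scenario 2 would want to confirm: high volume alone is a tuning problem, whereas breadth of previously unseen discovery calls is what warrants the account-context review described under Steps to Verify.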

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Data exposure risk

Attackers who enumerate AWS resources may locate and access sensitive data, potentially leading to data breaches and regulatory compliance issues.

Increased attack surface

Enumeration allows attackers to identify misconfigurations and unused permissions, which they can exploit for privilege escalation and lateral movement.

Operational disruption

Unauthorized exploration of resources can disrupt normal operations, especially if attackers alter configurations or consume critical resources.

Steps to investigate

MITRE ATT&CK techniques covered

Related detections

FAQs

  • What does this detection mean for my AWS environment?
  • How does Vectra determine unusual API activity?
  • Could legitimate users trigger this detection?
  • What if no malicious activity is confirmed?
  • What should I do if malicious activity is suspected?
  • How can I prevent suspicious enumeration on EC2 instances?
  • How does this relate to privilege escalation?
  • What configurations should I review if this alert triggers?
  • How is this detection related to lateral movement?
  • Which logs are most relevant for further analysis?