This detection flags unusual API activity on an AWS EC2 instance that may suggest an adversary is attempting to learn about or probe the cloud environment. This enumeration could be associated with reconnaissance or privilege escalation activities that allow an attacker to gain critical details on resources and configurations, potentially aiding in further stages of an attack.
Attackers who gain access to an EC2 instance may enumerate environment details to understand the account’s configuration. This knowledge helps adversaries plan escalation strategies by identifying users, privileges, and available services. Reconnaissance also aids in discovering critical assets like databases or sensitive data storage that attackers may target for data theft, lateral movement, or privilege escalation.
Legitimate applications or administrators may perform similar enumeration activities. Security and IT operations may run audits or monitoring tasks on EC2 instances to verify configurations, track resource usage, or ensure compliance with policies.
An attacker gains unauthorized access to an EC2 instance after compromising exposed SSH credentials. After logging in, they initiate AWS API calls to enumerate the environment.
The attacker queries IAM roles, looking for elevated privileges or unused roles, and inspects the list of EC2 instances, storage volumes, and other resources.
This enumeration helps the attacker identify pathways for privilege escalation, sensitive data locations, and potential lateral movement targets.
By mapping the environment, the attacker’s next steps may involve elevating privileges or exploiting vulnerable configurations to access additional resources.
A cloud operations team deploys a monitoring script to track resources within the AWS environment.
The script periodically queries EC2 instance statuses, IAM roles, and attached policies to ensure compliance with internal policies.
However, due to a misconfiguration, the script runs more frequently than intended and generates a high volume of API calls from specific EC2 instances. Vectra’s detection flags this as suspicious enumeration.
During investigation, the security team verifies the activity as legitimate but realizes the script’s frequency needs adjustment.
They update the script to reduce API call volume, ensuring compliance without triggering unnecessary alerts.
If this detection indicates a genuine threat, the organization faces significant risks:
Attackers who enumerate AWS resources may locate and access sensitive data, potentially leading to data breaches and regulatory compliance issues.
Enumeration allows attackers to identify misconfigurations and unused permissions, which they can exploit for privilege escalation and lateral movement.
Unauthorized exploration of resources can disrupt normal operations, especially if attackers alter configurations or consume critical resources.
Review the instance profile associated with the EC2 instance to check for any anomalous behavior or unusual permissions.
Correlate the API requests with CloudTrail logs to identify additional suspicious activity tied to the same instance or profile.
Confirm whether the actions were authorized and align with the instance’s intended function. Unauthorized activity may suggest compromise.
If a threat is confirmed, disable the credentials linked to the instance profile, revert unauthorized configuration changes, and conduct a full investigation into potential entry points.
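As an added triage example (not Vectra's detection logic or code from the original page), the Python below applies the CloudTrail correlation described above to constructed sample records: it isolates EC2 instance-profile sessions and flags the one that touches many distinct read-only APIs in a short window, while a misfiring audit script that repeats a few calls at high volume is left alone. The account ID, role names, instance IDs, sample events and the distinct-call threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

READ_PREFIXES = ("Describe", "List", "Get")

def is_ec2_instance_session(rec):
    """EC2 role credentials show up as AssumedRole sessions whose session name
    (the last ARN segment) is the instance ID, e.g. .../WebRole/i-0abc..."""
    ident = rec.get("userIdentity", {})
    return (ident.get("type") == "AssumedRole"
            and ident.get("arn", "").rsplit("/", 1)[-1].startswith("i-"))

def enumeration_sessions(records, window=timedelta(minutes=10), min_distinct=8):
    """Return {session_arn: sorted distinct read-only eventNames} for instance
    sessions issuing >= min_distinct distinct Describe*/List*/Get* calls inside
    any `window` span. Assumed heuristic: diversity of calls, not raw volume."""
    by_session = defaultdict(list)
    for rec in records:
        if is_ec2_instance_session(rec) and rec["eventName"].startswith(READ_PREFIXES):
            ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_session[rec["userIdentity"]["arn"]].append((ts, rec["eventName"]))
    flagged = {}
    for arn, events in by_session.items():
        events.sort()
        lo = 0
        for hi, (t_hi, _) in enumerate(events):
            while t_hi - events[lo][0] > window:  # slide the window start forward
                lo += 1
            names = {name for _, name in events[lo:hi + 1]}
            # keep the widest set of distinct calls seen in any qualifying window
            if len(names) >= min_distinct and len(names) > len(flagged.get(arn, ())):
                flagged[arn] = sorted(names)
    return flagged

def record(arn, name, minute, second=0):
    """Minimal constructed CloudTrail record (only the fields used above)."""
    return {"eventTime": f"2024-01-15T10:{minute:02d}:{second:02d}Z",
            "eventName": name, "userIdentity": {"type": "AssumedRole", "arn": arn}}

PROBE = "arn:aws:sts::123456789012:assumed-role/WebRole/i-0a1b2c3d4e5f67890"
AUDIT = "arn:aws:sts::123456789012:assumed-role/AuditRole/i-0ffeeddccbbaa9988"
# Constructed compromise: nine different read-only calls within 40 seconds.
SAMPLE = [record(PROBE, name, 0, i * 5) for i, name in enumerate(
    ["GetCallerIdentity", "ListRoles", "ListUsers", "DescribeInstances",
     "DescribeVolumes", "ListBuckets", "ListAttachedRolePolicies",
     "DescribeSecurityGroups", "GetAccountAuthorizationDetails"])]
# Constructed misfiring audit script: 60 calls in an hour, only three distinct names.
SAMPLE += [record(AUDIT, ["DescribeInstanceStatus", "GetRole",
                          "ListAttachedRolePolicies"][i % 3], i) for i in range(60)]
```

Calling `enumeration_sessions(SAMPLE)` returns only the WebRole instance session with its nine distinct calls; lowering `min_distinct` to 3 also surfaces the audit instance, which is the knob to tune when a legitimate script is the source.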