AWS Suspicious EC2 Enumeration
Detection overview
This detection flags unusual API activity on an AWS EC2 instance that may suggest an adversary is attempting to learn about or probe the cloud environment. This enumeration could be associated with reconnaissance or privilege escalation activities that allow an attacker to gain critical details on resources and configurations, potentially aiding in further stages of an attack.
Triggers
- Credential was observed performing a set of anomalous API requests that can be associated with the discovery or subsequent phases of an attack.
Possible Root Causes
- An attacker may be actively looking for privilege escalation opportunities.
- A security or IT service may intentionally be enumerating these APIs for monitoring reasons.
Business Impact
- Privilege escalation may indicate the presence of an adversary that is modifying permissions to progress towards an objective.
Steps to Verify
- Investigate the account context that performed the action for other signs of malicious activity.
- Validate that any modifications are authorized, given the purpose and policies governing this resource.
- If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.
AWS Suspicious EC2 Enumeration
Possible root causes
Malicious Detection
Attackers who gain access to an EC2 instance may enumerate environment details to understand the account’s configuration. This knowledge helps adversaries plan escalation strategies by identifying users, privileges, and available services. Reconnaissance also aids in discovering critical assets like databases or sensitive data storage that attackers may target for data theft, lateral movement, or privilege escalation.
Benign Detection
Legitimate applications or administrators may perform similar enumeration activities. Security and IT operations may run audits or monitoring tasks on EC2 instances to verify configurations, track resource usage, or ensure compliance with policies.
AWS Suspicious EC2 Enumeration
Example scenarios
1. Unauthorized Access via Compromised EC2 Instance
An attacker gains unauthorized access to an EC2 instance after compromising exposed SSH credentials. After logging in, they initiate AWS API calls to enumerate the environment.
The attacker queries IAM roles, looking for elevated privileges or unused roles, and inspects the list of EC2 instances, storage volumes, and other resources.
This enumeration helps the attacker identify pathways for privilege escalation, sensitive data locations, and potential lateral movement targets.
By mapping the environment, the attacker’s next steps may involve elevating privileges or exploiting vulnerable configurations to access additional resources.
2. Misconfigured Monitoring Script in a Production Environment
A cloud operations team deploys a monitoring script to track resources within the AWS environment.
The script periodically queries EC2 instance statuses, IAM roles, and attached policies to ensure compliance with internal policies.
However, due to a misconfiguration, the script runs more frequently than intended and generates a high volume of API calls from specific EC2 instances. Vectra’s detection flags this as suspicious enumeration.
During investigation, the security team verifies the activity as legitimate but realizes the script’s frequency needs adjustment.
They update the script to reduce API call volume, ensuring compliance without triggering unnecessary alerts.
AWS Suspicious EC2 Enumeration
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Data exposure risk
Attackers who enumerate AWS resources may locate and access sensitive data, potentially leading to data breaches and regulatory compliance issues.
Increased attack surface
Enumeration allows attackers to identify misconfigurations and unused permissions, which they can exploit for privilege escalation and lateral movement.
Operational disruption
Unauthorized exploration of resources can disrupt normal operations, especially if attackers alter configurations or consume critical resources.
AWS Suspicious EC2 Enumeration
Steps to investigate
Verify instance profile and actions
Review the instance profile associated with the EC2 instance to check for any anomalous behavior or unusual permissions.
Analyze EC2 logs
Correlate the API requests with CloudTrail logs to identify additional suspicious activity tied to the same instance or profile.
Assess authorization
Confirm whether the actions were authorized and align with the instance’s intended function. Unauthorized activity may suggest compromise.
Remediation
If a threat is confirmed, disable the credentials linked to the instance profile, revert unauthorized configuration changes, and conduct a full investigation into potential entry points.
AWS Suspicious EC2 Enumeration
Related detections
No items found.
FAQs
What does this detection mean for my AWS environment?
This detection suggests unusual API activity on an EC2 instance, which could be part of a reconnaissance phase in a cyber-attack.
How does Vectra determine unusual API activity?
Vectra monitors API usage patterns, flagging deviations from established norms or behaviors that resemble known attack techniques.
Could legitimate users trigger this detection?
Yes, legitimate monitoring or auditing scripts might trigger this detection; however, the associated behavior will typically align with authorized activity.
What if no malicious activity is confirmed?
If benign, document the activity as authorized, and ensure policies support any legitimate enumeration performed by your operations or security teams.
What should I do if malicious activity is suspected?
Isolate the instance, disable affected credentials, and conduct a comprehensive investigation to determine the extent of compromise.
How can I prevent suspicious enumeration on EC2 instances?
Apply strict IAM policies, use monitoring to detect anomalies, and disable unneeded permissions for sensitive resources.
How does this relate to privilege escalation?
Enumeration activities often precede privilege escalation, as attackers seek misconfigurations or unused roles to gain elevated access.
What configurations should I review if this alert triggers?
Examine the instance profile’s permissions, API access logs, and the IAM policy configuration.
How is this detection related to lateral movement?
Once attackers gain knowledge of the environment, they can leverage other instances or services to spread across the network.
Which logs are most relevant for further analysis?
AWS CloudTrail logs provide valuable insights into API calls, identifying the nature of actions associated with this enumeration.