Vectra AI is named a Leader in the 2025 Gartner Magic Quadrant for Network Detection and Response (NDR). >
NEW
JUST PUBLISHED

Vectra AI is named a Leader in the 2025 Gartner Magic Quadrant for Network Detection and Response (NDR).  >

Vectra AI Japan、ITR発行の最新レポート内「NDR市場」にて国内トップシェアを獲得
詳細を見る
Hamburger icon top line
Hamburger icon middle line
Hamburger icon bottom line
Back to all detections

AWS Suspicious EC2 Enumeration

AWS Suspicious EC2 Enumeration
Overview
Possible Root Causes
Example Scenarios
Business Impact
Steps to Investigate
MITRE ATT&CK Techniques
Related Detections
FAQ

Detection overview

This detection flags unusual API activity on an AWS EC2 instance that may suggest an adversary is attempting to learn about or probe the cloud environment. This enumeration could be associated with reconnaissance or privilege escalation activities that allow an attacker to gain critical details on resources and configurations, potentially aiding in further stages of an attack.

Triggers

  • Credential was observed performing a set of anomalous API requests that can be associated with the discovery or subsequent phases of an attack.

Possible Root Causes

  • An attacker may be actively looking for privilege escalation opportunities.
  • A security or IT service may intentionally be enumerating these APIs for monitoring reasons.

Business Impact

  • Privilege escalation may indicate the presence of an adversary that is modifying permissions to progress towards an objective.

Steps to Verify

  • Investigate the account context that performed the action for other signs of malicious activity.
  • Validate that any modifications are authorized, given the purpose and policies governing this resource.
  • If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.
AWS Suspicious EC2 Enumeration

Possible root causes

Malicious Detection

Attackers who gain access to an EC2 instance may enumerate environment details to understand the account’s configuration. This knowledge helps adversaries plan escalation strategies by identifying users, privileges, and available services. Reconnaissance also aids in discovering critical assets like databases or sensitive data storage that attackers may target for data theft, lateral movement, or privilege escalation.

Benign Detection

Legitimate applications or administrators may perform similar enumeration activities. Security and IT operations may run audits or monitoring tasks on EC2 instances to verify configurations, track resource usage, or ensure compliance with policies.

AWS Suspicious EC2 Enumeration

Example scenarios

1. Unauthorized Access via Compromised EC2 Instance

An attacker gains unauthorized access to an EC2 instance after compromising exposed SSH credentials. After logging in, they initiate AWS API calls to enumerate the environment.

The attacker queries IAM roles, looking for elevated privileges or unused roles, and inspects the list of EC2 instances, storage volumes, and other resources.

This enumeration helps the attacker identify pathways for privilege escalation, sensitive data locations, and potential lateral movement targets.

By mapping the environment, the attacker’s next steps may involve elevating privileges or exploiting vulnerable configurations to access additional resources.

2. Misconfigured Monitoring Script in a Production Environment

A cloud operations team deploys a monitoring script to track resources within the AWS environment.

The script periodically queries EC2 instance statuses, IAM roles, and attached policies to ensure compliance with internal policies.

However, due to a misconfiguration, the script runs more frequently than intended and generates a high volume of API calls from specific EC2 instances. Vectra’s detection flags this as suspicious enumeration.

During investigation, the security team verifies the activity as legitimate but realizes the script’s frequency needs adjustment.

They update the script to reduce API call volume, ensuring compliance without triggering unnecessary alerts.

AWS Suspicious EC2 Enumeration

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Data exposure risk

Attackers who enumerate AWS resources may locate and access sensitive data, potentially leading to data breaches and regulatory compliance issues.

Increased attack surface

Enumeration allows attackers to identify misconfigurations and unused permissions, which they can exploit for privilege escalation and lateral movement.

Operational disruption

Unauthorized exploration of resources can disrupt normal operations, especially if attackers alter configurations or consume critical resources.

AWS Suspicious EC2 Enumeration

Steps to investigate

Verify instance profile and actions

Review the instance profile associated with the EC2 instance to check for any anomalous behavior or unusual permissions.

Analyze EC2 logs

Correlate the API requests with CloudTrail logs to identify additional suspicious activity tied to the same instance or profile.

Assess authorization

Confirm whether the actions were authorized and align with the instance’s intended function. Unauthorized activity may suggest compromise.

Remediation

If a threat is confirmed, disable the credentials linked to the instance profile, revert unauthorized configuration changes, and conduct a full investigation into potential entry points.

AWS Suspicious EC2 Enumeration

MITRE ATT&CK techniques covered

Cloud Service Discovery

T1526
AWS Suspicious EC2 Enumeration

Related detections

No items found.

See our detections in action

Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.

Don't just read about the possibilities – experience them.

Launch the free tour
Ask for a custom demo

FAQs

What does this detection mean for my AWS environment?

This detection suggests unusual API activity on an EC2 instance, which could be part of a reconnaissance phase in a cyber-attack.

Could legitimate users trigger this detection?

Yes, legitimate monitoring or auditing scripts might trigger this detection; however, the associated behavior will typically align with authorized activity.

What should I do if malicious activity is suspected?

Isolate the instance, disable affected credentials, and conduct a comprehensive investigation to determine the extent of compromise.

How does this relate to privilege escalation?

Enumeration activities often precede privilege escalation, as attackers seek misconfigurations or unused roles to gain elevated access.

How is this detection related to lateral movement?

Once attackers gain knowledge of the environment, they can leverage other instances or services to spread across the network.

How does Vectra determine unusual API activity?

Vectra monitors API usage patterns, flagging deviations from established norms or behaviors that resemble known attack techniques.

What if no malicious activity is confirmed?

If benign, document the activity as authorized, and ensure policies support any legitimate enumeration performed by your operations or security teams.

How can I prevent suspicious enumeration on EC2 instances?

Apply strict IAM policies, use monitoring to detect anomalies, and disable unneeded permissions for sensitive resources.

What configurations should I review if this alert triggers?

Examine the instance profile’s permissions, API access logs, and the IAM policy configuration.

Which logs are most relevant for further analysis?

AWS CloudTrail logs provide valuable insights into API calls, identifying the nature of actions associated with this enumeration.