AWS Network Configuration Discovery
Detection overview
Triggers
- An AWS control-plane API was observed programmatically enumerating the configuration details associated with the Virtual Private Network (VPC) such as Network Interfaces, Gateways, Network ACLs and Route Tables.
Possible Root Causes
- An attacker may be actively enumerating how networks in the environment are configured in order to further their attack.
- An administrator may intentionally be enumerating network configurations as part of their normal duties.
Business Impact
- Recon may indicate the presence of an adversary gaining details necessary to support additional malicious activities within the environment. A successful attack may yield information that can be used by an adversary to mount a campaign within the AWS Environment.
Steps to Verify
- Investigate the Principal that performed the action for other signs of malicious activity.
- Investigate if any modifications were made to the enumerated VPCs such as changes to Network Interfaces, Gateways, Network ACLs or Routing Tables.
- Validate that any changes were authorized, given the purpose and policies governing this resource.
- If review indicates possible malicious actions or high-risk configuration change:
- Revert configuration change.
- Disable credentials associated with this alert.
- Perform a comprehensive investigation to determine initial compromise and the scope of impacted resources.
AWS Network Configuration Discovery
Possible root causes
Malicious Detection
Benign Detection
AWS Network Configuration Discovery
Example scenarios
AWS Network Configuration Discovery
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
AWS Network Configuration Discovery
Steps to investigate
AWS Network Configuration Discovery
Related detections
No items found.