AWS Organization Discovery

Detection overview

Triggers

  • A user lists AWS account aliases via ListAliases or retrieves details for the AWS organization via DescribeOrganization

Possible Root Causes

  • An attacker is enumerating details on the AWS organization to further their attack planning and next steps.
  • An administrator or user is retrieving organization details as part of their normal duties.
  • Automation in the environment is collecting these details to support additional activities.

Business Impact

  • Reconnaissance may indicate the presence of an adversary gathering the details needed to support additional malicious activities within the environment.

Steps to Verify

  • Investigate the account context that performed the action for other signs of malicious activity.
  • If the review indicates possible malicious actions or a high-risk configuration, revert the configuration and disable the credentials associated with this alert, then perform a comprehensive investigation.
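
The triage described above, as an added example (not the vendor's detection logic): it finds the trigger calls in CloudTrail records and gathers, per principal, the other calls, source IPs and access keys an analyst would review. The sample records, principals and key IDs are constructed, and mapping the page's "ListAliases" to the IAM event name ListAccountAliases is an assumption.

```python
from collections import defaultdict

# Trigger calls from the page as (eventSource, eventName). Assumption: the
# page's "ListAliases" is the IAM API ListAccountAliases as CloudTrail logs it.
TRIGGERS = {
    ("iam.amazonaws.com", "ListAccountAliases"),
    ("organizations.amazonaws.com", "DescribeOrganization"),
}

def rec(time, source, name, arn, ip, key):
    """Build a constructed CloudTrail record with only the fields used here."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip,
            "userIdentity": {"arn": arn, "accessKeyId": key}}

ALICE = "arn:aws:iam::111122223333:user/alice"         # constructed principals
BOT = "arn:aws:iam::111122223333:user/inventory-bot"
BOB = "arn:aws:iam::111122223333:user/bob"
SAMPLE = [  # constructed events, not real logs
    rec("2024-05-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", ALICE, "203.0.113.7", "KEY-CONSTRUCTED-1"),
    rec("2024-05-01T10:01:00Z", "iam.amazonaws.com", "ListAccountAliases", ALICE, "203.0.113.7", "KEY-CONSTRUCTED-1"),
    rec("2024-05-01T10:02:00Z", "organizations.amazonaws.com", "DescribeOrganization", ALICE, "203.0.113.7", "KEY-CONSTRUCTED-1"),
    rec("2024-05-01T10:03:00Z", "iam.amazonaws.com", "ListUsers", ALICE, "198.51.100.20", "KEY-CONSTRUCTED-1"),
    rec("2024-05-01T02:00:00Z", "organizations.amazonaws.com", "DescribeOrganization", BOT, "192.0.2.10", "KEY-CONSTRUCTED-2"),
    rec("2024-05-01T09:00:00Z", "kms.amazonaws.com", "ListAliases", BOB, "192.0.2.55", "KEY-CONSTRUCTED-3"),
]

def triage(records):
    """Return, per principal that fired a trigger, the context to review."""
    ctx = defaultdict(lambda: {"triggers": [], "other_calls": [],
                               "source_ips": set(), "access_keys": set()})
    for r in sorted(records, key=lambda r: r["eventTime"]):
        ident = r.get("userIdentity", {})
        c = ctx[ident.get("arn", "unknown")]
        call = (r["eventSource"], r["eventName"])
        # Match on source and name together: KMS ListAliases is unrelated.
        bucket = "triggers" if call in TRIGGERS else "other_calls"
        c[bucket].append(r["eventName"])
        c["source_ips"].add(r["sourceIPAddress"])
        c["access_keys"].add(ident.get("accessKeyId"))
    return {arn: c for arn, c in ctx.items() if c["triggers"]}

if __name__ == "__main__":
    for arn, c in triage(SAMPLE).items():
        print(arn, c)
```

A principal with a single trigger call from one address and no other activity fits the automation root cause, while trigger calls mixed with other enumeration from several addresses warrant the deeper review.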