Vectra AI is named a Leader in the 2025 Gartner Magic Quadrant for Network Detection and Response (NDR). >
NEW
JUST PUBLISHED

Vectra AI is named a Leader in the 2025 Gartner Magic Quadrant for Network Detection and Response (NDR).  >

Vectra AI Japan、ITR発行の最新レポート内「NDR市場」にて国内トップシェアを獲得
詳細を見る
Hamburger icon top line
Hamburger icon middle line
Hamburger icon bottom line
Back to all detections

AWS Suspect Escalation Reconnaissance

AWS Suspect Escalation Reconnaissance
Overview
Possible Root Causes
Example Scenarios
Business Impact
Steps to Investigate
MITRE ATT&CK Techniques
Related Detections
FAQ

Detection overview

The AWS Suspect Escalation Reconnaissance detection identifies unusual or unauthorized attempts to gain visibility into AWS Identity and Access Management (IAM) roles, permissions, and access keys. This activity often precedes privilege escalation attacks, where attackers aim to determine potential escalation paths or abuse misconfigured permissions for unauthorized access. By flagging suspicious reconnaissance behavior, this detection helps security teams intercept malicious actors before they gain elevated access to critical cloud resources.

Triggers

  • Credential was observed performing a set of unusual API requests that can be associated with the discovery or subsequent phase of an attack.

Possible Root Causes

  • An attacker may be actively looking for privilege escalation opportunities,
  • A security or IT service may intentionally be enumerating these APIs for monitoring reasons.

Business Impact

  • Privilege escalation may indicate the presence of an adversary that is modifying permissions to progress towards an objective.

Steps to Verify

  • Investigate the account context that performed the action for other signs of malicious activity.
  • Validate that any modifications are authorized, given the purpose and policies governing this resource.
  • If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.
AWS Suspect Escalation Reconnaissance

Possible root causes

Malicious Detection

Malicious actors performing AWS suspect escalation reconnaissance aim to identify vulnerabilities in IAM permissions. This can include searching for over-permissive roles, roles with privileges that allow privilege escalation (e.g., iam:PassRole or sts:AssumeRole), or access keys with higher-than-necessary privileges. Attackers often use this information to gain unauthorized access to critical resources, execute lateral movement, or escalate privileges to compromise the cloud environment entirely. Tools like AWS CLI, SDKs, or third-party reconnaissance tools are often employed to automate this discovery process.

Benign Detection

In legitimate scenarios, AWS administrators or DevOps engineers may engage in IAM role and policy enumeration as part of routine audits or compliance checks. For instance, querying IAM roles and policies is common during role-based access reviews, permissions cleanup, or while configuring and validating cloud infrastructure. Such activities, although valid, could resemble reconnaissance behavior and may inadvertently trigger the detection.

AWS Suspect Escalation Reconnaissance

Example scenarios

Malicious scenario: Attacker probing IAM roles

An attacker compromises AWS access keys through phishing and begins querying IAM roles and attached policies using ListRoles and GetRolePolicy. This detection triggers, highlighting the reconnaissance activity before the attacker identifies and exploits a vulnerable privilege escalation path.

Benign scenario: Admin performing compliance checks

A cloud administrator conducts an IAM policy review to identify and clean up overly permissive roles. The admin uses AWS CLI to query policies and roles for a detailed audit. This legitimate activity triggers the detection due to its similarity to attacker reconnaissance.

AWS Suspect Escalation Reconnaissance

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Compromise of critical resources

Attackers identifying misconfigured roles may escalate privileges and gain unauthorized access to sensitive data or services.

Regulatory and compliance risk

A breach resulting from IAM privilege misuse can expose sensitive data, potentially leading to non-compliance with regulations like GDPR or HIPAA.

Operational disruption

Privilege escalation can enable attackers to modify configurations or disrupt operations, potentially impacting business continuity.

AWS Suspect Escalation Reconnaissance

Steps to investigate

Analyze the actor’s activity

Investigate the sequence of actions that led to this detection. Focus on API calls or IAM-related queries associated with the suspicious actor.

Correlate with existing accounts or roles

Determine whether the detected activity is tied to a known AWS IAM user, role, or service account. Confirm whether the associated credentials are valid.

Inspect permissions and policies

Review the IAM permissions of the roles or users being queried. Look for over-permissive policies or configurations that could enable privilege escalation.

Identify anomalies in activity timing or patterns

Check whether the detected activity occurred outside normal business hours, involved unauthorized IPs, or aligns with known attacker TTPs (Tactics, Techniques, and Procedures).

AWS Suspect Escalation Reconnaissance

MITRE ATT&CK techniques covered

Permission Groups Discovery

T1069
AWS Suspect Escalation Reconnaissance

Related detections

AWS Suspect Privilege Escalation

AWS User Permissions Enumeration

AWS S3 Enumeration

See our detections in action

Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.

Don't just read about the possibilities – experience them.

Launch the free tour
Ask for a custom demo

FAQs