AWS Service Quotas Multi-Region GetServiceQuota Requests
editAWS Service Quotas Multi-Region GetServiceQuota
Requests
editIdentifies when a single AWS resource is making GetServiceQuota
API calls for the EC2 service quota L-1216C47A in more than 10 regions within a 30-second window. Quota code L-1216C47A represents on-demand instances which are used by adversaries to deploy malware and mine cryptocurrency. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple regions using compromised credentials or a compromised instance.
Rule type: esql
Rule indices: None
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: AWS Service Quotas
- Use Case: Threat Detection
- Tactic: Discovery
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editfrom logs-aws.cloudtrail-* // filter for GetServiceQuota API calls | where event.dataset == "aws.cloudtrail" and event.provider = "servicequotas.amazonaws.com" and event.action == "GetServiceQuota" // truncate the timestamp to a 30-second window | eval target_time_window = DATE_TRUNC(30 seconds, @timestamp) // pre-process the request parameters to extract the service code and quota code | dissect aws.cloudtrail.request_parameters "{%{?service_code_key}=%{service_code}, %{?quota_code_key}=%{quota_code}}" // filter for EC2 service quota L-1216C47A (vCPU on-demand instances) | where service_code == "ec2" and quota_code == "L-1216C47A" // count the number of unique regions and total API calls within the 30-second window | stats region_count = count_distinct(cloud.region), window_count = count(*) by target_time_window, aws.cloudtrail.user_identity.arn // filter for resources making DescribeInstances API calls in more than 10 regions within the 30-second window | where region_count >= 10 and window_count >= 10 // sort the results by time windows in descending order | sort target_time_window desc
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
-
Technique:
- Name: Cloud Infrastructure Discovery
- ID: T1580
- Reference URL: https://attack.mitre.org/techniques/T1580/