AWS CLI Command with Custom Endpoint URL


Detects the use of the AWS CLI with the --endpoint-url argument, which allows users to specify a custom endpoint URL for AWS services. This can be leveraged by adversaries to redirect API requests to non-standard or malicious endpoints, potentially bypassing typical security controls and logging mechanisms. This behavior may indicate an attempt to interact with unauthorized or compromised infrastructure, exfiltrate data, or perform other malicious activities under the guise of legitimate AWS operations.

Rule type: new_terms

Rule indices:

  • logs-endpoint.events.process-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Data Source: Elastic Defend
  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Command and Control

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

host.os.type: "linux" and event.category: "process" and process.name: "aws" and process.args: "--endpoint-url"
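The rule query applied to constructed ECS-style process events, as an added Python example (not code from the rule page or from Elastic). It assumes host.id is the new_terms field, which the page does not state, and uses a localhost endpoint as sample data:

```python
# Added example, not from the Elastic rule page or Elastic's code: applies the
# rule query above to constructed ECS-style process events, then a simplified
# new_terms step. Assumption: the tracked term is host.id; the page does not
# say which fields the rule uses.

ENDPOINT_FLAG = "--endpoint-url"

def _as_list(value):
    """ECS fields like event.category and process.args may be scalar or array."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def matches_query(event: dict) -> bool:
    """Mirror of: host.os.type:"linux" and event.category:"process"
    and process.name:"aws" and process.args:"--endpoint-url".
    process.args is a keyword field, so the flag must be an exact token."""
    proc = event.get("process", {})
    return (event.get("host", {}).get("os", {}).get("type") == "linux"
            and "process" in _as_list(event.get("event", {}).get("category"))
            and proc.get("name") == "aws"
            and ENDPOINT_FLAG in _as_list(proc.get("args")))

def new_terms_alerts(events, seen_hosts=()):
    """Alert on matching events whose host.id is not yet in the history
    window (assumed new_terms field); repeats from a known host are suppressed."""
    seen, alerts = set(seen_hosts), []
    for ev in events:
        host_id = ev.get("host", {}).get("id")
        if not matches_query(ev) or host_id in seen:
            continue
        seen.add(host_id)
        alerts.append({"host.id": host_id, "args": " ".join(ev["process"]["args"])})
    return alerts

def _event(host_id, os_type, args):
    """Builds a constructed sample event (not real telemetry)."""
    return {"host": {"id": host_id, "os": {"type": os_type}},
            "event": {"category": ["process"]},
            "process": {"name": "aws", "args": args}}

LOCAL = ["aws", "s3", "ls", "--endpoint-url", "http://localhost:4566"]
SAMPLE_EVENTS = [
    _event("h1", "linux", LOCAL),                                   # matches, new host
    _event("h2", "linux", ["aws", "sts", "get-caller-identity"]),   # no flag
    _event("h3", "windows", LOCAL),                                 # rule is Linux-only
    _event("h1", "linux", LOCAL),                                   # known host, suppressed
]
```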

Framework: MITRE ATT&CK™