AWS CLI Command with Custom Endpoint URL

Detects the use of the AWS CLI with the --endpoint-url argument, which allows users to specify a custom endpoint URL for AWS services. This can be leveraged by adversaries to redirect API requests to non-standard or malicious endpoints, potentially bypassing typical security controls and logging mechanisms. This behavior may indicate an attempt to interact with unauthorized or compromised infrastructure, exfiltrate data, or perform other malicious activities under the guise of legitimate AWS operations.

Rule type: new_terms

Rule indices:

logs-endpoint.events.process-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://sysdig.com/blog/scarleteel-2-0/

Tags:

Data Source: Elastic Defend
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Command and Control

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

host.os.type: "linux" and event.category: "process" and process.name: "aws" and process.args:  "--endpoint-url"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Web Service
- ID: T1102
- Reference URL: https://attack.mitre.org/techniques/T1102/

« AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session AWS CloudTrail Log Created »