AWS Service Quotas Multi-Region GetServiceQuota Requests


Identifies a single AWS resource making GetServiceQuota API calls for the EC2 service quota L-1216C47A in more than 10 regions within a 30-second window. Quota code L-1216C47A represents on-demand instances, which adversaries use to deploy malware and mine cryptocurrency. This may indicate a potential threat actor attempting to discover AWS infrastructure across multiple regions using compromised credentials or a compromised instance.

Rule type: esql

Rule indices: None

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS Service Quotas
  • Use Case: Threat Detection
  • Tactic: Discovery

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

from logs-aws.cloudtrail-*

// filter for GetServiceQuota API calls
| where event.dataset == "aws.cloudtrail" and event.provider == "servicequotas.amazonaws.com" and event.action == "GetServiceQuota"

// truncate the timestamp to a 30-second window
| eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)

// pre-process the request parameters to extract the service code and quota code
| dissect aws.cloudtrail.request_parameters "{%{?service_code_key}=%{service_code}, %{?quota_code_key}=%{quota_code}}"

// filter for EC2 service quota L-1216C47A (vCPU on-demand instances)
| where service_code == "ec2" and quota_code == "L-1216C47A"

// keep only the relevant fields
| keep target_time_window, aws.cloudtrail.user_identity.arn, cloud.region, service_code, quota_code

// count the number of unique regions and total API calls within the 30-second window
| stats region_count = count_distinct(cloud.region), window_count = count(*) by target_time_window, aws.cloudtrail.user_identity.arn

// keep only identities that made GetServiceQuota calls in 10 or more regions (and at least 10 calls) within the 30-second window
| where region_count >= 10 and window_count >= 10

// sort the results by time windows in descending order
| sort target_time_window desc
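The following Python script, added here and not part of the Elastic rule, replays the query's logic (filter, request-parameter parsing, 30-second bucketing, per-identity region count, thresholds) over a handful of constructed CloudTrail-style events so the detection can be exercised offline. The ARNs, regions and timestamps are invented sample data; the regex stands in for the ES|QL dissect pattern.

```python
import re
from collections import defaultdict

# Constructed sample data (not real CloudTrail records): one identity checks
# quota L-1216C47A in 12 regions inside a 30-second window, a benign
# identity checks it in only two regions.
ATTACKER_ARN = "arn:aws:iam::123456789012:user/compromised"  # hypothetical
BENIGN_ARN = "arn:aws:iam::123456789012:role/quota-audit"     # hypothetical
REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2", "eu-west-1",
           "eu-west-2", "eu-west-3", "eu-central-1", "ap-south-1",
           "ap-northeast-1", "ap-southeast-1", "ap-southeast-2"]
BASE_TS = 1_700_000_010  # epoch seconds, aligned to a 30-second boundary

def _event(arn, region, ts, quota="L-1216C47A"):
    return {"@timestamp": ts, "event.dataset": "aws.cloudtrail",
            "event.provider": "servicequotas.amazonaws.com",
            "event.action": "GetServiceQuota",
            "aws.cloudtrail.user_identity.arn": arn, "cloud.region": region,
            "aws.cloudtrail.request_parameters":
                f"{{serviceCode=ec2, quotaCode={quota}}}"}

EVENTS = [_event(ATTACKER_ARN, r, BASE_TS + 2 * i) for i, r in enumerate(REGIONS)]
EVENTS += [_event(BENIGN_ARN, "us-east-1", BASE_TS + 5),
           _event(BENIGN_ARN, "eu-west-1", BASE_TS + 7)]

# Equivalent of the rule's dissect pattern: "{<key>=<service>, <key>=<quota>}"
PARAMS_RE = re.compile(r"\{\w+=(?P<service_code>[^,]+), \w+=(?P<quota_code>[^}]+)\}")

def detect(events, min_regions=10, min_calls=10, window=30):
    """Return [(window_start, arn, region_count, call_count)] for identities
    meeting both thresholds, sorted by window descending like the rule."""
    buckets = defaultdict(lambda: [set(), 0])  # (window, arn) -> [regions, calls]
    for e in events:
        if (e["event.dataset"] != "aws.cloudtrail"
                or e["event.provider"] != "servicequotas.amazonaws.com"
                or e["event.action"] != "GetServiceQuota"):
            continue
        m = PARAMS_RE.match(e["aws.cloudtrail.request_parameters"])
        if not m or m["service_code"] != "ec2" or m["quota_code"] != "L-1216C47A":
            continue
        ts = e["@timestamp"]
        key = (ts - ts % window, e["aws.cloudtrail.user_identity.arn"])  # DATE_TRUNC
        buckets[key][0].add(e["cloud.region"])
        buckets[key][1] += 1
    hits = [(w, arn, len(regions), n) for (w, arn), (regions, n) in buckets.items()
            if len(regions) >= min_regions and n >= min_calls]
    return sorted(hits, key=lambda h: h[0], reverse=True)

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

Raising `min_regions` or `min_calls` shows how the thresholds trade missed probes against noise from legitimate multi-region quota audits.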

Framework: MITRE ATT&CK™