AWS Service Quotas Multi-Region GetServiceQuota Requests


Identifies when a single AWS resource makes GetServiceQuota API calls for the EC2 service quota L-1216C47A in more than 10 regions within a 30-second window. Quota code L-1216C47A represents On-Demand instances, which adversaries use to deploy malware and mine cryptocurrency. This may indicate a potential threat actor attempting to discover AWS infrastructure across multiple regions using compromised credentials or a compromised instance.

Rule type: esql

Rule indices: None

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS Service Quotas
  • Use Case: Threat Detection
  • Tactic: Discovery

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

from logs-aws.cloudtrail-*

// filter for GetServiceQuota API calls
| where event.dataset == "aws.cloudtrail" and event.provider == "servicequotas.amazonaws.com" and event.action == "GetServiceQuota"

// truncate the timestamp to a 30-second window
| eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)

// pre-process the request parameters to extract the service code and quota code
| dissect aws.cloudtrail.request_parameters "{%{?service_code_key}=%{service_code}, %{?quota_code_key}=%{quota_code}}"

// filter for EC2 service quota L-1216C47A (vCPU on-demand instances)
| where service_code == "ec2" and quota_code == "L-1216C47A"

// keep only the relevant fields
| keep target_time_window, aws.cloudtrail.user_identity.arn, cloud.region, service_code, quota_code

// count the number of unique regions and total API calls within the 30-second window
| stats region_count = count_distinct(cloud.region), window_count = count(*) by target_time_window, aws.cloudtrail.user_identity.arn

// filter for resources making GetServiceQuota API calls in 10 or more regions (and 10 or more calls) within the 30-second window
| where region_count >= 10 and window_count >= 10

// sort the results by time windows in descending order
| sort target_time_window desc
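The same detection logic re-implemented in Python, as an added example that is not part of the Elastic rule, so the thresholds can be exercised offline: it parses `aws.cloudtrail.request_parameters` the way the `dissect` stage does, buckets events into 30-second windows like `DATE_TRUNC`, and counts distinct regions and calls per principal. The event records, region names and ARNs below are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Same shape as the dissect pattern: "{serviceCode=ec2, quotaCode=L-1216C47A}"
PARAMS_RE = re.compile(r"^\{\w+=(?P<service_code>[^,]+), \w+=(?P<quota_code>[^}]+)\}$")
WINDOW_SECONDS, REGION_THRESHOLD, CALL_THRESHOLD = 30, 10, 10


def parse_request_parameters(raw):
    """Return (service_code, quota_code), or None if the string does not match."""
    m = PARAMS_RE.match(raw)
    return (m["service_code"], m["quota_code"]) if m else None


def window_start(ts):
    """DATE_TRUNC(30 seconds, @timestamp) expressed as an epoch-second bucket start."""
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return epoch - epoch % WINDOW_SECONDS


def detect_multi_region_quota_enumeration(events):
    """Return [(window_start, arn, region_count, window_count)] for each ARN/window
    that queried EC2 quota L-1216C47A in >= 10 regions with >= 10 calls."""
    regions, calls = defaultdict(set), defaultdict(int)
    for ev in events:
        if ev["event.provider"] != "servicequotas.amazonaws.com" or ev["event.action"] != "GetServiceQuota":
            continue
        if parse_request_parameters(ev["aws.cloudtrail.request_parameters"]) != ("ec2", "L-1216C47A"):
            continue
        key = (window_start(ev["@timestamp"]), ev["aws.cloudtrail.user_identity.arn"])
        regions[key].add(ev["cloud.region"])
        calls[key] += 1
    hits = [(w, arn, len(regions[(w, arn)]), n) for (w, arn), n in calls.items()
            if len(regions[(w, arn)]) >= REGION_THRESHOLD and n >= CALL_THRESHOLD]
    return sorted(hits, reverse=True)  # newest window first, like `sort target_time_window desc`


def make_event(ts, arn, region, params="{serviceCode=ec2, quotaCode=L-1216C47A}"):
    """Build a minimal CloudTrail-shaped record (constructed test data, not a real log)."""
    return {"@timestamp": ts, "event.provider": "servicequotas.amazonaws.com",
            "event.action": "GetServiceQuota", "aws.cloudtrail.request_parameters": params,
            "cloud.region": region, "aws.cloudtrail.user_identity.arn": arn}


# Constructed sample: SUSPECT sweeps 12 regions within one window (fires); BENIGN asks about
# a different quota code in the same regions (does not fire). ARNs and regions are placeholders.
SUSPECT = "arn:aws:iam::111111111111:user/placeholder-user"
BENIGN = "arn:aws:iam::111111111111:role/placeholder-role"
REGIONS = [f"region-{i}" for i in range(12)]
SAMPLE_EVENTS = [make_event(f"2024-01-01T00:00:{i:02d}Z", SUSPECT, r) for i, r in enumerate(REGIONS)] + [
    make_event(f"2024-01-01T00:00:{i:02d}Z", BENIGN, r, "{serviceCode=ec2, quotaCode=L-PLACEHOLDER}")
    for i, r in enumerate(REGIONS)]
```

Running `detect_multi_region_quota_enumeration(SAMPLE_EVENTS)` yields one hit for the placeholder user with 12 regions and 12 calls; the same events truncated to nine regions produce none.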

Framework: MITRE ATT&CK™