AWS API calls invoked by known attacking tools characteristics


Attack technique

Technique name: AWS API Calls Invoked By Known Attacking Tools Characteristics

MITRE ATT&CK

  • Tactic: Discovery
  • Technique: Cloud Infrastructure Discovery (T1580)

Technique description
The User-Agent is an HTTP header that identifies the client software (a browser, SDK, CLI or script) making the request to a server. It typically also describes the operating system and, sometimes, the device the software runs on. For AWS, the User-Agent sent with each signed API request is recorded in the userAgent field of the corresponding CloudTrail event, which is what makes it usable for hunting.
Attackers frequently use open-source offensive tools, and many of these tools include their project name in the User-Agent string, which makes the tool identifiable from CloudTrail alone. Additionally, some tools and scripts include a description of the operating system in the User-Agent string, allowing the detection of distributions associated with offensive security work (e.g., Kali Linux, Parrot OS, BlackArch).

Threat hunting theses breakdown

AWS API Calls Invoked By Known Attacking Tools Characteristics

Relevant data sources: AWS Event Statistics (threat hunting enrichment, based on CloudTrail)

Thesis explanation
The thesis looks for User-Agent strings associated with known attack tools (for example Pacu or Scout Suite) or with operating systems associated with offensive security work (for example Kali Linux), and surfaces the matching API calls as potential threats for investigation.

Blind spots

  • The attacker uses a tool that spoofs a common User-Agent (for example, the string sent by the AWS CLI or an official AWS SDK).
  • The attacker modifies the tool and changes the User-Agent string it sends.

Recommended investigation flow

  • Look into the User-Agent string.
    • Identify which tool produced it.
    • Is the tool commonly used in your organization (for example, by the security team for periodic assessments)?
  • Look into the behavior of the tool in past events: if the same User-Agent and API calls recur at fixed intervals, it may be an automated, scheduled task.
  • Investigate the identity that made the request.
    • Is it a member of the security team?
    • Review other recent activity by this identity to identify any unusual behavior.
  • Investigate the IP address that initiated the request.
    • Which identity did it authenticate as?
    • Did it authenticate with other identities or accounts?
  • Investigate the API calls made by the identity that initiated the request.
    • What API calls did it make, and are they consistent with its normal usage?
    • Is there a significant difference between the User-Agents this identity used in the past and the one used now?
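The detection described by the thesis and the pivots in the investigation flow above, as an added Python example that is not part of the original page and not the product's own hunting query. It runs over constructed CloudTrail-like records embedded inline (the only real field names used are the standard CloudTrail ones: userIdentity.arn, sourceIPAddress, userAgent, eventName, eventTime); the signature list, the sample records, the security-team allowlist and the 30-day lookback are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Signature list assumed for illustration: substrings that known offensive tools and
# attacker-oriented Linux distributions tend to leave in the User-Agent. The patterns are
# deliberately broad and must be tuned against your own telemetry.
TOOL_SIGNATURES = {
    "Pacu": re.compile(r"pacu", re.I),
    "Scout Suite": re.compile(r"scout\s*suite", re.I),
    "Kali Linux": re.compile(r"kali", re.I),
    "Parrot OS": re.compile(r"parrot", re.I),
    "BlackArch": re.compile(r"blackarch", re.I),
}

# Hypothetical allowlist of identities that are expected to run assessment tooling.
SECURITY_TEAM_ARNS = {"arn:aws:iam::111122223333:user/carol"}

# Constructed CloudTrail-like records (not real data); only the fields the hunt needs.
EVENTS = [
    {"eventTime": "2024-02-20T09:15:00Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0 exe/x86_64.ubuntu.22 prompt/off command/sts.get-caller-identity"},
    {"eventTime": "2024-03-01T08:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0 exe/x86_64.ubuntu.22 prompt/off command/ec2.describe-instances"},
    {"eventTime": "2024-03-02T08:30:00Z", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0 exe/x86_64.ubuntu.22 prompt/off command/s3api.list-buckets"},
    # A boto3 script whose OS description betrays a Kali host.
    {"eventTime": "2024-03-10T14:00:00Z", "eventName": "ListUsers",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.7",
     "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux#6.6.0-kali3-amd64 md/arch#x86_64 lang/python#3.11.8"},
    # A tool that names itself in the User-Agent.
    {"eventTime": "2024-03-10T14:05:00Z", "eventName": "GetAccountAuthorizationDetails",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.7",
     "userAgent": "Pacu/1.5.0 Python/3.11.8 Linux/6.6.0"},
    # Same source IP, a different identity, the next day.
    {"eventTime": "2024-03-11T10:00:00Z", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
     "sourceIPAddress": "198.51.100.7",
     "userAgent": "ScoutSuite/5.13.0 Python/3.11.8 Linux/6.6.0"},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def classify_user_agent(ua):
    """Return the name of the first tool/OS signature found in the User-Agent, or None."""
    for name, pattern in TOOL_SIGNATURES.items():
        if pattern.search(ua or ""):
            return name
    return None


def hunt(events):
    """Flag every event whose userAgent matches a known attacking-tool signature."""
    hits = []
    for ev in events:
        tool = classify_user_agent(ev.get("userAgent"))
        if tool:
            hits.append({"tool": tool, "arn": ev["userIdentity"]["arn"],
                         "sourceIPAddress": ev["sourceIPAddress"], "eventName": ev["eventName"],
                         "eventTime": ev["eventTime"], "userAgent": ev["userAgent"]})
    return hits


def investigate(events, hit, lookback_days=30):
    """Run the investigation-flow pivots for one hit: identity, source IP and User-Agent baseline."""
    t_hit = parse_time(hit["eventTime"])
    window_start = t_hit - timedelta(days=lookback_days)
    arn, ip = hit["arn"], hit["sourceIPAddress"]
    # Everything this identity did in the lookback window, up to and including the hit.
    by_identity = [e for e in events if e["userIdentity"]["arn"] == arn
                   and window_start <= parse_time(e["eventTime"]) <= t_hit]
    # User-Agents the identity used strictly before the hit: the baseline to compare against.
    prior_uas = sorted({e["userAgent"] for e in by_identity if parse_time(e["eventTime"]) < t_hit})
    # IP pivot is not time-bounded: any identity ever seen from that address is of interest.
    other_ids = sorted({e["userIdentity"]["arn"] for e in events
                        if e["sourceIPAddress"] == ip and e["userIdentity"]["arn"] != arn})
    return {
        "identity_in_security_team": arn in SECURITY_TEAM_ARNS,
        "prior_user_agents": prior_uas,
        "new_user_agent": hit["userAgent"] not in prior_uas,
        "api_calls": sorted({e["eventName"] for e in by_identity}),
        "other_identities_from_ip": other_ids,
    }


if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(f"{h['eventTime']} {h['tool']:<11} {h['arn']} {h['sourceIPAddress']} {h['eventName']}")
        print("   ", investigate(EVENTS, h))
```

Each hit is reported with the pivots the flow asks for: whether the identity is an expected tool user, which User-Agents it used before (a never-seen User-Agent on an otherwise quiet identity is the strongest signal), what it called, and which other identities share the source IP. Note that the signature approach inherits the blind spots listed above: an attacker who keeps the stock AWS CLI or SDK User-Agent produces no hit here.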

Hunting Queries

GitHub