Attack technique
Technique name: AWS API Calls Invoked By Known Attacking Tools Characteristics
MITRE ATT&CK
- Tactic: Discovery
- Technique: System Owner/User Discovery (T1033)
Technique description
The GetCallerIdentity API call in AWS is used to retrieve details about the caller, including the AWS account, ARN, and IAM role in use. While legitimate applications may occasionally invoke this API to confirm permissions or verify identities, malicious actors also frequently use it to gather information about compromised credentials and validate access within the environment.
By monitoring and analyzing anomalies in GetCallerIdentity usage, such as unusual IP addresses, User-Agent strings, and unexpected regions, defenders can identify and mitigate potential discovery attempts.
Threat hunting theses breakdown
AWS Suspicious GetCallerIdentity Invoked from Unusual Characteristics
Relevant data sources: AWS CloudTrail
Thesis explanation
The thesis analyzes GetCallerIdentity API calls for anomalies by examining unusual IP addresses, User-Agent strings, and region changes to detect potential suspicious activity.
Blind spots
- The API Call originates from an AssumedRole identity type.
- The attacker modifies the User-Agent string to mimic commonly used organizational identifiers (GitHub Actions, HashiCorp, JS Promises).
- The attacker’s IP address has become familiar within the organization and is included in the ORGANIZATION_IP table.
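The thesis logic above, as an added example that is not part of the original page: a Python sketch that baselines each ARN's User-Agents and regions from past CloudTrail activity, then flags GetCallerIdentity calls from IPs outside a constructed ORGANIZATION_IP set, or with a User-Agent or region new for that ARN. The ARNs, IPs, User-Agent strings and events are constructed samples, and skipping AssumedRole callers reproduces the first blind spot listed above.

```python
from collections import defaultdict

def ev(name, arn, id_type, ip, ua, region):
    """Build a minimal CloudTrail-shaped record (constructed sample, not real data)."""
    return {"eventName": name, "userIdentity": {"type": id_type, "arn": arn},
            "sourceIPAddress": ip, "userAgent": ua, "awsRegion": region}

ALICE = "arn:aws:iam::123456789012:user/alice"           # constructed ARN
ROLE = "arn:aws:sts::123456789012:assumed-role/ci/run1"  # constructed ARN
ORGANIZATION_IP = {"203.0.113.10", "203.0.113.11"}       # stand-in for the ORGANIZATION_IP table
# Historical activity that forms the per-ARN baseline (constructed).
HISTORY = [
    ev("ListBuckets", ALICE, "IAMUser", "203.0.113.10", "aws-cli/2.15.0", "us-east-1"),
    ev("GetCallerIdentity", ALICE, "IAMUser", "203.0.113.10", "aws-cli/2.15.0", "us-east-1"),
]
# New events to hunt over (constructed): one anomalous, one benign, one AssumedRole blind spot.
RECENT = [
    ev("GetCallerIdentity", ALICE, "IAMUser", "198.51.100.7", "python-requests/2.31", "eu-west-3"),
    ev("GetCallerIdentity", ALICE, "IAMUser", "203.0.113.10", "aws-cli/2.15.0", "us-east-1"),
    ev("GetCallerIdentity", ROLE, "AssumedRole", "198.51.100.7", "python-requests/2.31", "ap-south-1"),
]

def build_baseline(events):
    """Per-ARN sets of User-Agents and regions seen in past activity."""
    base = defaultdict(lambda: {"ua": set(), "regions": set()})
    for e in events:
        arn = e["userIdentity"]["arn"]
        base[arn]["ua"].add(e["userAgent"])
        base[arn]["regions"].add(e["awsRegion"])
    return base

def hunt(events, baseline, org_ips):
    """Flag GetCallerIdentity calls whose IP, User-Agent or region is unusual for the caller."""
    findings = []
    for e in events:
        # AssumedRole callers are skipped, which is the first blind spot the thesis lists.
        if e["eventName"] != "GetCallerIdentity" or e["userIdentity"]["type"] == "AssumedRole":
            continue
        arn = e["userIdentity"]["arn"]
        seen = baseline.get(arn, {"ua": set(), "regions": set()})
        reasons = []
        if e["sourceIPAddress"] not in org_ips:
            reasons.append("source IP not in ORGANIZATION_IP")
        if e["userAgent"] not in seen["ua"]:
            reasons.append("User-Agent never seen for this ARN")
        if e["awsRegion"] not in seen["regions"]:
            reasons.append("region never seen for this ARN")
        if reasons:
            findings.append({"arn": arn, "ip": e["sourceIPAddress"], "reasons": reasons})
    return findings
```

Each finding carries the reasons that fired, so the investigation flow below can start from the specific attribute (User-Agent, region or IP) that was unusual.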
Recommended investigation flow
- Look into the User-Agent string.
  - Is the User-Agent commonly used in your organization?
  - Is the User-Agent commonly used by the ARN?
- Look into the region of this API call.
  - Is it the region commonly used by the ARN?
  - Was there an unusual region change by the ARN + source IP?
- Investigate the IP address that initiated the request.
  - Is it an AWS IP?
  - What other API calls has it made?
  - Did it authenticate with other accounts?
  - Is it present in other data sources?
- Investigate the API calls made by the identity that initiated the request.
  - What API calls did it make?
  - Did it commonly call the GetCallerIdentity API?
  - Is there a significant difference between the User-Agents this identity used in the past and now?