AWS API calls indicating evasion
Description
AlphaSOC detected the use of AWS APIs that indicate potential defense evasion. Detected actions include changing or disabling logging settings (for example CloudTrail trails or VPC Flow Logs), Access Control Lists (ACLs), and security groups. This pattern of behavior may indicate that a threat actor is disabling security controls within the AWS environment to avoid detection.
Impact
Successful evasion of AWS security controls can lead to prolonged unauthorized access. Threat actors may be able to operate undetected within the AWS environment and potentially escalate privileges, access sensitive data, or launch further attacks.
Severity
Severity | Condition
---|---
Informational | One unexpected property (action, ASN, user agent or region)
Low | Two unexpected properties at the same time
Medium | Three unexpected properties at the same time
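The scoring the severity table describes, applied to CloudTrail records. This is an added example, not AlphaSOC's implementation: the set of evasion-related event names, the per-account baseline of expected actions, ASNs, user agents and regions, and the IP-to-ASN enrichment table are all assumptions constructed for the demo (CloudTrail itself carries no ASN field, so a real pipeline enriches `sourceIPAddress` from an ASN database).

```python
"""Score CloudTrail events for defense evasion: flag API calls that touch
logging, ACLs or security groups, then count how many of the properties
action, ASN, user agent and region are unexpected for this account.
Added example; not AlphaSOC's code. Event-name list, baseline and ASN table
are assumptions/constructed for the demo.
"""
import json

# Assumed set of CloudTrail eventNames that change or disable logging,
# ACLs and security groups (AlphaSOC's real list is not on this page).
EVASION_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",  # CloudTrail
    "DeleteFlowLogs", "PutBucketLogging",                              # flow / S3 logs
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
    "PutBucketAcl",                                                    # ACLs
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",         # security groups
    "DeleteDetector", "DisableSecurityHub",                            # detection services
}

# Assumed per-account baseline: what is normal for principals that touch these controls.
BASELINE = {
    "actions": {"UpdateTrail", "AuthorizeSecurityGroupIngress"},  # run daily by IaC pipelines
    "asns": {16509},                                              # ASN of the CI runners (assumed)
    "user_agent_prefixes": ("terraform",),
    "regions": {"us-east-1", "eu-west-1"},
}

# Constructed IP-to-ASN table (TEST-NET addresses); real pipelines use a GeoIP/ASN database.
ASN_TABLE = {"198.51.100.5": 16509}

# Severity ladder from the table. Four unexpected properties is scored as
# Medium here (assumption; the table stops at three).
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}


def load_events(jsonl):
    """Parse newline-delimited CloudTrail records into dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def unexpected_properties(event, baseline=BASELINE, asn_table=ASN_TABLE):
    """Return the subset of (action, asn, user_agent, region) outside the baseline."""
    out = []
    if event.get("eventName") not in baseline["actions"]:
        out.append("action")
    if asn_table.get(event.get("sourceIPAddress")) not in baseline["asns"]:
        out.append("asn")  # unknown IP (no ASN) counts as unexpected
    if not event.get("userAgent", "").startswith(baseline["user_agent_prefixes"]):
        out.append("user_agent")
    if event.get("awsRegion") not in baseline["regions"]:
        out.append("region")
    return out


def detect(events, baseline=BASELINE, asn_table=ASN_TABLE):
    """One alert per evasion-related event with at least one unexpected property."""
    alerts = []
    for ev in events:
        if ev.get("eventName") not in EVASION_EVENTS:
            continue  # not a logging / ACL / security-group change
        props = unexpected_properties(ev, baseline, asn_table)
        if not props:
            continue  # fully expected: routine admin work, no alert
        alerts.append({
            "eventName": ev["eventName"],
            "principal": ev.get("userIdentity", {}).get("arn"),
            "unexpected": props,
            "severity": SEVERITY[min(len(props), 3)],
        })
    return alerts


# Constructed sample records (example account id, TEST-NET source addresses).
SAMPLE_LOG = """
{"eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com","awsRegion":"ap-southeast-2","sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0","userIdentity":{"arn":"arn:aws:iam::123456789012:user/deploy"},"requestParameters":{"name":"org-trail"}}
{"eventName":"UpdateTrail","eventSource":"cloudtrail.amazonaws.com","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.5","userAgent":"terraform/1.6.0","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/ci/run-1"}}
{"eventName":"PutBucketAcl","eventSource":"s3.amazonaws.com","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.5","userAgent":"console.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::123456789012:user/deploy"}}
{"eventName":"AuthorizeSecurityGroupIngress","eventSource":"ec2.amazonaws.com","awsRegion":"sa-east-1","sourceIPAddress":"198.51.100.5","userAgent":"terraform/1.6.0","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/ci/run-2"}}
{"eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.5","userAgent":"terraform/1.6.0"}
"""

if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_LOG)):
        print(alert["severity"], alert["eventName"], alert["unexpected"])
```

The StopLogging call scores Medium because every property is off-baseline, the PutBucketAcl from the console scores Low, and the Terraform security-group change only trips on region and stays Informational; the routine UpdateTrail produces no alert at all, which is the behavior the false-positive section below relies on.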
Investigation and Remediation
Verify that the actions were authorized. If they were not, review every change that was made (logging configuration, ACL entries, security-group rules), re-enable any logging that was stopped, revoke the access keys involved, and reset the affected IAM credentials. To reduce the chance of recurrence, grant least-privilege access to the APIs that modify logging and network controls, and enforce logging at the account or organization level (for example an organization-wide CloudTrail trail protected by a service control policy) so that a single principal cannot silently disable it.
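The remediation steps above, turned into a rollback plan for a confirmed-unauthorized event and applied through boto3-style clients. This is an added example, not AlphaSOC's tooling: the boto3 method names (`start_logging`, `revoke_security_group_ingress`, `update_access_key`) are real, but the plan/apply wrapper, the `DryRunClient` stand-in and the sample events are constructed for the demo. It assumes the responder has already established that the action was unauthorized.

```python
"""Reverse an unauthorized evasion event and contain the principal that made
it: re-enable the trail, revoke the rule that was added, deactivate the key.
Added example, not AlphaSOC's code. Sample events and DryRunClient are
constructed; boto3 method names are real.
"""


def _boto_permissions(ct_perms):
    """Convert CloudTrail's requestParameters.ipPermissions (lower-camel,
    'items' wrappers) into the IpPermissions shape boto3 expects."""
    out = []
    for p in ct_perms.get("items", []):
        entry = {"IpProtocol": p["ipProtocol"]}
        if "fromPort" in p:
            entry["FromPort"] = p["fromPort"]
        if "toPort" in p:
            entry["ToPort"] = p["toPort"]
        entry["IpRanges"] = [{"CidrIp": r["cidrIp"]}
                             for r in p.get("ipRanges", {}).get("items", [])]
        out.append(entry)
    return out


def plan_remediation(event):
    """Return [(service, boto3_method, kwargs), ...] that undoes the event and
    contains the caller. Steps that cannot be automated from the event alone
    come back as ('manual', note, {}) entries for the responder."""
    name = event["eventName"]
    params = event.get("requestParameters") or {}
    ident = event.get("userIdentity") or {}
    plan = []

    if name == "StopLogging":
        plan.append(("cloudtrail", "start_logging", {"Name": params["name"]}))
    elif name == "AuthorizeSecurityGroupIngress":
        plan.append(("ec2", "revoke_security_group_ingress", {
            "GroupId": params["groupId"],
            "IpPermissions": _boto_permissions(params.get("ipPermissions", {})),
        }))
    elif name in ("DeleteTrail", "DeleteFlowLogs", "UpdateTrail", "PutEventSelectors"):
        # the previous configuration is not in the event; restore from IaC or backups
        plan.append(("manual", f"restore logging configuration changed by {name}", {}))
    else:
        plan.append(("manual", f"review and revert {name}", {}))

    # Contain the principal: an IAM user's long-lived key can be deactivated at
    # once; an assumed-role session needs a deny policy on the role instead.
    if ident.get("type") == "IAMUser" and "accessKeyId" in ident:
        plan.append(("iam", "update_access_key", {
            "UserName": ident["userName"],
            "AccessKeyId": ident["accessKeyId"],
            "Status": "Inactive",
        }))
    else:
        plan.append(("manual", "revoke active sessions for the role and rotate credentials", {}))
    return plan


class DryRunClient:
    """Stand-in for a boto3 client: records calls instead of making them."""

    def __init__(self, service):
        self.service, self.calls = service, []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            return {"DryRun": True}
        return call


def apply_plan(plan, clients):
    """Run the automated steps through boto3-style clients; return the manual notes."""
    manual = []
    for service, method, kwargs in plan:
        if service == "manual":
            manual.append(method)
        else:
            getattr(clients[service], method)(**kwargs)
    return manual


# Constructed events (AWS's documented example key id, example account id).
STOP_LOGGING = {
    "eventName": "StopLogging",
    "requestParameters": {"name": "org-trail"},
    "userIdentity": {"type": "IAMUser", "userName": "deploy",
                     "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
}
OPEN_SSH = {
    "eventName": "AuthorizeSecurityGroupIngress",
    "requestParameters": {
        "groupId": "sg-0123456789abcdef0",
        "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]},
    },
    "userIdentity": {"type": "AssumedRole",
                     "arn": "arn:aws:sts::123456789012:assumed-role/ops/session"},
}

if __name__ == "__main__":
    # Real use: clients = {s: boto3.client(s) for s in ("cloudtrail", "ec2", "iam")}
    clients = {s: DryRunClient(s) for s in ("cloudtrail", "ec2", "iam")}
    for ev in (STOP_LOGGING, OPEN_SSH):
        print(ev["eventName"], "manual follow-up:", apply_plan(plan_remediation(ev), clients))
    for c in clients.values():
        print(c.service, c.calls)
```

Keeping the plan as data before applying it lets the responder review exactly which API calls will be made, and the dry-run client makes the same code testable without credentials; swap in real boto3 clients only after the plan has been read.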
Known False Positives
- Legitimate security testing or penetration testing activities authorized by the organization
- Routine administrative tasks that involve modifying security settings for valid operational reasons
Further Reading