
AWS Elastic IP address transfer to an unknown external account

ID: aws_ip_transfer_unknown
Data type: AWS CloudTrail
Severity: Medium
MITRE ATT&CK: TA0042:T1583

Description

AlphaSOC detected the transfer of an AWS Elastic IP (EIP) address to an unknown external account. EIP addresses are static public IPv4 addresses designed for dynamic cloud computing. Transferring such an address to an unknown account may indicate that threat actors are acquiring infrastructure for use during an attack.

Impact

Threat actors can associate an EIP with an EC2 instance to host command and control (C2) servers or malicious websites, such as phishing pages or fake login forms.

Severity

Severity    Condition
Medium      AWS Elastic IP address transfer to an unknown external account

Investigation and Remediation

Review the AWS CloudTrail logs to identify the user or role responsible for the transfer. Rotate the credentials of that user or role, and confirm that no unauthorized accounts have been added to your organization or granted permissions to perform actions such as EIP transfers.
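As an added example (not AlphaSOC's own detection logic), the following Python scans CloudTrail records for the EC2 EnableAddressTransfer call and reports transfers whose target account is not on a list of known organization accounts, together with the calling identity and the EIP allocation. The sample records, account IDs and the nesting of the request parameters are constructed assumptions; adjust the keys to match your own logs.

```python
# Constructed sample CloudTrail records (not from the original page); the
# EnableAddressTransfer request layout is assumed, so adjust keys to your logs.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "EnableAddressTransfer",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"EnableAddressTransferRequest": {
         "AllocationId": "eipalloc-0aaa", "TransferAccountId": "222222222222"}}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "EnableAddressTransfer",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deploy"},
     "requestParameters": {"EnableAddressTransferRequest": {
         "AllocationId": "eipalloc-0bbb", "TransferAccountId": "999999999999"}}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeAddresses", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {}},
]
# Account IDs that belong to the organization (constructed).
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}


def _find_key(obj, key):
    """Return the first value of `key` anywhere in a nested dict/list, else None."""
    if isinstance(obj, dict) and key in obj:
        return obj[key]
    children = obj.values() if isinstance(obj, dict) else obj if isinstance(obj, list) else []
    for child in children:
        found = _find_key(child, key)
        if found is not None:
            return found
    return None


def find_unknown_eip_transfers(records, known_accounts):
    """Flag EnableAddressTransfer calls whose target account is outside the org,
    returning who made the call, which EIP allocation, and the destination."""
    hits = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != ("ec2.amazonaws.com", "EnableAddressTransfer"):
            continue
        params = rec.get("requestParameters") or {}
        target = str(_find_key(params, "TransferAccountId") or "")
        if target and target not in known_accounts:
            hits.append({"time": rec.get("eventTime"),
                         "actor": rec.get("userIdentity", {}).get("arn"),
                         "allocation_id": _find_key(params, "AllocationId"),
                         "transfer_account": target})
    return hits
```

Feed the output of `find_unknown_eip_transfers` into your alerting pipeline; the `actor` field is the identity whose credentials the remediation step above tells you to rotate.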

Known False Positives

  • Authorized EIP transfer during account restructuring or migration