Use of AWS APIs indicating persistence
Description
AlphaSOC detected unexpected use of AWS APIs that may indicate an attempt to establish persistence in the cloud environment. Threat actors commonly maintain access to a victim account by creating or modifying IAM users and roles, or by generating additional access keys or session tokens so that their access survives the termination of the session they first obtained. This lets them return to the account later or continue their activity undisturbed.
Impact
Successful persistence in AWS environments can lead to long-term unauthorized access, allowing threat actors to perform various malicious activities such as data exfiltration, resource abuse, or further lateral movement.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property (action, ASN, user agent or region) |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
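The scoring in the table above can be reproduced over CloudTrail records by comparing each persistence-related call against what the same principal has done before. The following is an added example written for this page, not AlphaSOC's detection code: the list of persistence-related API names, the `sourceASN` field (CloudTrail itself only records `sourceIPAddress`; the ASN is assumed to have been looked up beforehand) and the sample events are all constructed for the example. Four unexpected properties are treated as Medium here, since the table lists no higher tier.

```python
"""Added example, not AlphaSOC or AWS code: count how many properties of an
IAM/STS call (action, ASN, user agent, region) a principal has never used
before and map that count to the severity table (1 -> Informational,
2 -> Low, 3 or more -> Medium)."""

from collections import defaultdict

# IAM/STS API names a threat actor commonly uses to keep access. Assumed list
# for this example; the detection's real action list is not published here.
PERSISTENCE_ACTIONS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup",
    "UpdateAssumeRolePolicy", "GetFederationToken",
}

# The four properties the severity table counts, with how to read each one.
PROPERTIES = {
    "action": lambda e: e["eventName"],
    "asn": lambda e: e["sourceASN"],      # assumed enrichment of sourceIPAddress
    "userAgent": lambda e: e["userAgent"],
    "region": lambda e: e["awsRegion"],
}

SEVERITY_BY_COUNT = {1: "Informational", 2: "Low"}  # 3 or more -> "Medium"


def build_baseline(history):
    """Per-principal sets of actions, ASNs, user agents and regions seen before."""
    baseline = defaultdict(lambda: {name: set() for name in PROPERTIES})
    for event in history:
        seen = baseline[event["userIdentity"]["arn"]]
        for name, get in PROPERTIES.items():
            seen[name].add(get(event))
    return baseline


def score_event(event, baseline):
    """Return (severity, unexpected) for a persistence-related event, else (None, []).

    A property is unexpected when this principal has never used that value.
    A principal with no history at all is unexpected on every property.
    """
    if event["eventName"] not in PERSISTENCE_ACTIONS:
        return None, []
    seen = baseline.get(event["userIdentity"]["arn"],
                        {name: set() for name in PROPERTIES})
    unexpected = [name for name, get in PROPERTIES.items()
                  if get(event) not in seen[name]]
    if not unexpected:
        return None, []
    return SEVERITY_BY_COUNT.get(len(unexpected), "Medium"), unexpected


def analyze(history, events):
    """Score each event against the baseline built from history; drop quiet ones."""
    baseline = build_baseline(history)
    findings = []
    for event in events:
        severity, unexpected = score_event(event, baseline)
        if severity:
            findings.append({"principal": event["userIdentity"]["arn"],
                             "eventName": event["eventName"],
                             "severity": severity, "unexpected": unexpected})
    return findings


def _event(arn, name, asn, agent, region):
    """Minimal CloudTrail-shaped record (constructed sample data)."""
    return {"userIdentity": {"arn": arn}, "eventName": name, "sourceASN": asn,
            "userAgent": agent, "awsRegion": region}


DEPLOY = "arn:aws:iam::123456789012:user/deploy"

# Constructed history: a CI user that rotates its own key from AS16509, us-east-1.
HISTORY = [
    _event(DEPLOY, "ListRoles", 16509, "aws-cli/2.15.0", "us-east-1"),
    _event(DEPLOY, "CreateAccessKey", 16509, "aws-cli/2.15.0", "us-east-1"),
]

# Constructed new events to score (AS64500 is a documentation ASN).
EVENTS = [
    # routine rotation: nothing unexpected, no finding
    _event(DEPLOY, "CreateAccessKey", 16509, "aws-cli/2.15.0", "us-east-1"),
    # same call from an ASN never seen for this user -> Informational
    _event(DEPLOY, "CreateAccessKey", 64500, "aws-cli/2.15.0", "us-east-1"),
    # new action, new ASN, new user agent -> Medium
    _event(DEPLOY, "CreateUser", 64500, "Boto3/1.34.0", "us-east-1"),
    # read-only call from a new ASN: not a persistence action, not scored here
    _event(DEPLOY, "ListRoles", 64500, "aws-cli/2.15.0", "us-east-1"),
    # never-seen principal creating a console login: all four unexpected -> Medium
    _event("arn:aws:iam::123456789012:user/backup", "CreateLoginProfile", 64500,
           "console.amazonaws.com", "eu-west-1"),
]

if __name__ == "__main__":
    for finding in analyze(HISTORY, EVENTS):
        print(finding)
```

The baseline is only as good as the history it is built from: if the actor has already been active during the learning window, their ASN and user agent become "expected" and the scoring stays quiet, which is why the false positives listed below should be checked against actual change-management records rather than only against past telemetry.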
Investigation and Remediation
Review in CloudTrail what the principal changed to maintain access: IAM users, roles and login profiles created or modified, policies attached, and access keys or tokens issued (for example CreateUser, CreateAccessKey, CreateLoginProfile, AttachUserPolicy and UpdateAssumeRolePolicy events). Revoke any privileges granted, delete or deactivate access keys the actor created, and disable any accounts they set up; for assumed roles, revoke active sessions so that credentials issued before the revocation time stop working. Also rotate the credential the actor used to get in, since removing only the artefacts they created leaves the original foothold in place. Block the source of the activity (IP range or ASN) where practical.
Known False Positives
- Legitimate administrative activities involving IAM user or role management
- Automated scripts or tools used for routine account maintenance or provisioning
- Third-party services integrated with AWS that require specific API permissions
- Planned security exercises or penetration testing activities