
Suspicious use of AWS APIs indicating persistence

ID: aws_persistence_suspicious
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0003 (Persistence): T1098 (Account Manipulation)

Description

AlphaSOC detected unexpected use of AWS APIs that may indicate an attempt to establish persistence in the cloud environment. Threat actors may manipulate cloud accounts to maintain access to a victim environment by creating new accounts or modifying existing ones, or by generating additional access keys or tokens so that their access survives the termination of the session they originally obtained. This lets them return to the account later or continue their activity.

Impact

Successful persistence in AWS environments can lead to long-term unauthorized access, allowing threat actors to perform various malicious activities such as data exfiltration, resource abuse, or further lateral movement.

Severity

Severity        Condition
Informational   One unexpected property (action, ASN, user agent or region)
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time
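The scoring in the table above, as an added example that is not AlphaSOC's own code: it baselines each principal's previously seen action, ASN, user agent and region from CloudTrail history, then scores a new persistence-related API call by how many of those four properties are unexpected at once. The list of persistence-related API names, the IP-to-ASN table (CloudTrail only records sourceIPAddress, so the ASN comes from enrichment), the treatment of four unexpected properties as Medium, and the sample events are all assumptions constructed for the illustration.

```python
"""Score CloudTrail events against the severity table (added example).

Assumptions not taken from the page: the PERSISTENCE_ACTIONS set, the
IP_TO_ASN enrichment table, "three or more" unexpected properties being
Medium, and the constructed sample events below.
"""
from collections import defaultdict

# Assumption: IAM calls a practitioner would treat as persistence-related
# (T1098 Account Manipulation). The page does not enumerate them.
PERSISTENCE_ACTIONS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "CreateRole", "UpdateAssumeRolePolicy", "AttachUserPolicy", "AttachRolePolicy",
    "PutUserPolicy", "PutRolePolicy", "AddUserToGroup",
}

# Constructed stand-in for GeoIP/ASN enrichment of sourceIPAddress.
IP_TO_ASN = {"203.0.113.10": 64496, "198.51.100.7": 64500}

PROPERTIES = ("action", "asn", "user_agent", "region")


def extract(event):
    """Pull the four scored properties out of a CloudTrail record."""
    return {
        "action": event["eventName"],
        "asn": IP_TO_ASN.get(event["sourceIPAddress"]),
        "user_agent": event["userAgent"],
        "region": event["awsRegion"],
    }


def build_baseline(history):
    """Per-principal set of previously observed values for each property.

    A principal with no history gets empty sets, so its first
    persistence-related call scores every property as unexpected.
    """
    baseline = defaultdict(lambda: {p: set() for p in PROPERTIES})
    for event in history:
        arn = event["userIdentity"]["arn"]
        for prop, value in extract(event).items():
            baseline[arn][prop].add(value)
    return baseline


def severity_for(unexpected_count):
    """Map the number of simultaneously unexpected properties to a severity."""
    if unexpected_count == 0:
        return None
    if unexpected_count == 1:
        return "Informational"
    if unexpected_count == 2:
        return "Low"
    return "Medium"  # assumption: three or more


def score(event, baseline):
    """Return None, or a finding naming the severity and the unexpected properties."""
    if event["eventName"] not in PERSISTENCE_ACTIONS:
        return None
    arn = event["userIdentity"]["arn"]
    seen = baseline[arn]
    unexpected = [p for p, v in extract(event).items() if v not in seen[p]]
    severity = severity_for(len(unexpected))
    if severity is None:
        return None
    return {"principal": arn, "event": event["eventName"],
            "severity": severity, "unexpected": unexpected}


def _event(arn, name, ip, user_agent, region):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"userIdentity": {"arn": arn}, "eventName": name,
            "sourceIPAddress": ip, "userAgent": user_agent, "awsRegion": region}


ADMIN = "arn:aws:iam::123456789012:user/admin"  # constructed principal
HISTORY = [
    _event(ADMIN, "CreateAccessKey", "203.0.113.10", "aws-cli/2.15.0", "us-east-1"),
    _event(ADMIN, "ListUsers", "203.0.113.10", "aws-cli/2.15.0", "us-east-1"),
]
SAMPLES = [
    # Known action, but new ASN, user agent and region at once -> Medium.
    _event(ADMIN, "CreateAccessKey", "198.51.100.7", "Boto3/1.34.0", "eu-west-3"),
    # New action only, from the usual ASN, user agent and region -> Informational.
    _event(ADMIN, "CreateUser", "203.0.113.10", "aws-cli/2.15.0", "us-east-1"),
    # Not a persistence-related action -> ignored regardless of source.
    _event(ADMIN, "ListBuckets", "198.51.100.7", "Boto3/1.34.0", "eu-west-3"),
]


def run(history=HISTORY, samples=SAMPLES):
    """Score each sample against a baseline built from the history."""
    baseline = build_baseline(history)
    return [score(e, baseline) for e in samples]


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The baseline is keyed on the principal ARN rather than the account, which is what keeps a routine CreateAccessKey by a CI role from being scored against an interactive administrator's habits; in practice the history window and the enrichment source are the two knobs that most affect the false-positive rate listed below.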

Investigation and Remediation

Review the changes the threat actor made to maintain their presence in the environment. Revoke any privileges that were granted, disable any access keys or tokens that were generated, and lock down any accounts the user created. Block the source of the threat actor's activity.

Known False Positives

  • Legitimate administrative activities involving IAM user or role management
  • Automated scripts or tools used for routine account maintenance or provisioning
  • Third-party services integrated with AWS that require specific API permissions
  • Planned security exercises or penetration testing activities