Triggers
- An AWS control-plane API was observed programmatically enumerating the configuration details associated with the Virtual Private Network (VPC) such as Network Interfaces, Gateways, Network ACLs and Route Tables.
Possible Root Causes
- An attacker may be actively enumerating how networks in the environment are configured in order to further their attack.
- An administrator may intentionally be enumerating network configurations as part of their normal duties.
Business Impact
- Recon may indicate the presence of an adversary gaining details necessary to support additional malicious activities within the environment. A successful attack may yield information that can be used by an adversary to mount a campaign within the AWS Environment.
Steps to Verify
- Investigate the Principal that performed the action for other signs of malicious activity.
- Investigate if any modifications were made to the enumerated VPCs such as changes to Network Interfaces, Gateways, Network ACLs or Routing Tables.
- Validate that any changes were authorized, given the purpose and policies governing this resource.
- If review indicates possible malicious actions or high-risk configuration change:
- Revert configuration change.
- Disable credentials associated with this alert.
- Perform a comprehensive investigation to determine initial compromise and the scope of impacted resources.