title: Potential Network Enumeration on AWS
id: c3d53999-4b14-4ddd-9d9b-e618c366b54d
status: experimental
description: Detects network enumeration performed on AWS.
references:
    - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
modified: 2022/12/28
tags:
    - attack.discovery
    - attack.t1016
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName:
            - 'DescribeCarrierGateways'
            - 'DescribeVpcEndpointConnectionNotifications'
            - 'DescribeTransitGatewayMulticastDomains'
            - 'DescribeClientVpnRoutes'
            - 'DescribeDhcpOptions'
            - 'GetTransitGatewayRouteTableAssociations'
    timeframe: 10m
    condition: selection | count() > 5
falsepositives:
    - Unknown
level: low