T1580 – Cloud Infrastructure Discovery (AWS GuardDuty Detection)

AWS GuardDuty Alert Details
Alert ID: GUARDDUTY-CLOUD-DISCOVERY-1580-7842
Alert Time: 2024-02-23 10:30:22 EST
Severity: HIGH (85/100)
Source: AWS GuardDuty
Rule: “Unauthorized API Calls – Cloud Infrastructure Discovery”
MITRE ATT&CK: T1580 – Cloud Infrastructure Discovery

Alert Details:

Detection: Multiple Describe/List API calls from unusual source

AWS Account: 123456789012 (Production)
IAM User: svc_ci_cd (CI/CD Service Account)
Source IP: 185.143.221[.]89 (Bulgaria)
Time: 10:15-10:30 EST

API Calls:

10:15:22 – ec2:DescribeInstances (list all EC2 instances)
10:15:45 – ec2:DescribeSecurityGroups (list all security groups)
10:16:12 – ec2:DescribeVpcs (list all VPCs)
10:16:38 – ec2:DescribeSubnets (list all subnets)
10:17:05 – ec2:DescribeRouteTables (list all route tables)
10:17:33 – ec2:DescribeInternetGateways (list IGWs)
10:18:01 – s3:ListBuckets (list all S3 buckets)
10:18:28 – s3:GetBucketLocation (for each bucket)
10:19:15 – rds:DescribeDBInstances (list all RDS instances)
10:19:45 – lambda:ListFunctions (list all Lambda functions)
10:20:12 – iam:ListUsers (list all IAM users)
10:20:38 – iam:ListRoles (list all IAM roles)
… (total 87 API calls)

Detection Logic:

Source IP outside expected region (Bulgaria, not US)
User svc_ci_cd normally only used from US
API calls are discovery-focused (Describe/List)
Volume of calls (87 in 15 minutes) exceeds normal
No write/modify operations (consistent with discovery)
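The detection logic above, re-implemented as an added Python example over constructed CloudTrail records so it can be run offline (this is not GuardDuty's own logic, which is proprietary). The expected source range for svc_ci_cd (a TEST-NET-3 CIDR) and the volume threshold are assumptions; the sample log reproduces the twelve calls listed in the alert, padded with per-bucket GetBucketLocation calls to reach the reported 87, plus two legitimate deploy calls from the runner so the baseline is visible. CloudTrail's readOnly field supplies the "no write/modify operations" signal.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed baselines (not from the alert): where svc_ci_cd is expected to call from
# (a TEST-NET-3 range standing in for the real CI runner egress) and a volume threshold.
EXPECTED_CIDRS = {"svc_ci_cd": [ipaddress.ip_network("203.0.113.0/24")]}
VOLUME_THRESHOLD = 50                     # discovery calls per window; tune from baseline
WINDOW = timedelta(minutes=15)
DISCOVERY_PREFIXES = ("Describe", "List", "Get")
TS = "%Y-%m-%dT%H:%M:%SZ"


def record(time, user, ip, service, name, read_only=True):
    """Minimal CloudTrail record (constructed; real records carry many more fields)."""
    return json.dumps({
        "eventTime": time, "userIdentity": {"type": "IAMUser", "userName": user},
        "sourceIPAddress": ip, "eventSource": f"{service}.amazonaws.com",
        "eventName": name, "readOnly": read_only, "awsRegion": "us-east-1",
    })


ATTACKER_IP, RUNNER_IP = "185.143.221.89", "203.0.113.10"
# Constructed sample log: two legitimate deploy calls from the runner, then the alert's
# 12 listed calls (EST times converted to UTC) padded with per-bucket GetBucketLocation
# calls to reach the 87 calls the alert reports.
listed = [
    ("15:15:22", "ec2", "DescribeInstances"), ("15:15:45", "ec2", "DescribeSecurityGroups"),
    ("15:16:12", "ec2", "DescribeVpcs"), ("15:16:38", "ec2", "DescribeSubnets"),
    ("15:17:05", "ec2", "DescribeRouteTables"), ("15:17:33", "ec2", "DescribeInternetGateways"),
    ("15:18:01", "s3", "ListBuckets"), ("15:18:28", "s3", "GetBucketLocation"),
    ("15:19:15", "rds", "DescribeDBInstances"), ("15:19:45", "lambda", "ListFunctions"),
    ("15:20:12", "iam", "ListUsers"), ("15:20:38", "iam", "ListRoles"),
]
SAMPLE_LOG = [
    record("2024-02-23T14:50:00Z", "svc_ci_cd", RUNNER_IP, "ecr", "GetAuthorizationToken"),
    record("2024-02-23T14:50:05Z", "svc_ci_cd", RUNNER_IP, "ecs", "UpdateService", False),
]
SAMPLE_LOG += [record(f"2024-02-23T{t}Z", "svc_ci_cd", ATTACKER_IP, s, n) for t, s, n in listed]
SAMPLE_LOG += [record((datetime(2024, 2, 23, 15, 21) + timedelta(seconds=6 * i)).strftime(TS),
                      "svc_ci_cd", ATTACKER_IP, "s3", "GetBucketLocation") for i in range(75)]


def analyze(log_lines):
    """Apply the alert's detection logic per (user, source IP). Returns a dict of findings."""
    groups = defaultdict(list)
    for line in log_lines:
        e = json.loads(line)
        groups[(e["userIdentity"]["userName"], e["sourceIPAddress"])].append(e)

    findings = {}
    for (user, ip), events in groups.items():
        events.sort(key=lambda e: e["eventTime"])
        times = [datetime.strptime(e["eventTime"], TS) for e in events]
        # peak number of calls inside any sliding WINDOW
        peak, j = 0, 0
        for i, t in enumerate(times):
            while t - times[j] > WINDOW:
                j += 1
            peak = max(peak, i - j + 1)
        discovery = sum(e["eventName"].startswith(DISCOVERY_PREFIXES) for e in events)
        writes = [e["eventName"] for e in events if not e.get("readOnly", False)]
        addr = ipaddress.ip_address(ip)
        outside = not any(addr in net for net in EXPECTED_CIDRS.get(user, []))

        reasons = []
        if outside:
            reasons.append(f"source {ip} outside expected ranges for {user}")
        if peak >= VOLUME_THRESHOLD:
            reasons.append(f"{peak} calls within {WINDOW.seconds // 60} min")
        if discovery == len(events):
            reasons.append("all calls are Describe/List/Get (discovery only)")
        if writes:
            reasons.append(f"write operations present: {sorted(set(writes))}")
        findings[(user, ip)] = {
            "call_count": len(events),
            "services": sorted({e["eventSource"].split(".")[0] for e in events}),
            "write_ops": writes,
            "reasons": reasons,
            # alert when an unexpected source produces high-volume, read-only enumeration
            "flagged": outside and peak >= VOLUME_THRESHOLD and discovery == len(events),
        }
    return findings


if __name__ == "__main__":
    for key, f in analyze(SAMPLE_LOG).items():
        print(key, "FLAGGED" if f["flagged"] else "ok", f["reasons"])
```

The "services" list in each finding is the starting point for the impact assessment in the table below: it tells the analyst which service inventories the attacker now holds. Run against a real trail, the same function should be fed from CloudTrail Lake or an Athena query over the trail bucket rather than from a list in memory.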

Additional Context:

svc_ci_cd has read-only permissions (by design)
Credentials may be compromised
Discovery phase before potential attack
SOC Investigation Process
Step                  | Action                              | Tools Used                | Findings
1. Alert Validation   | Verify GuardDuty alert              | AWS GuardDuty Console     | Confirmed unauthorized discovery API calls
2. Immediate Action   | Rotate access keys                  | AWS IAM                   | Access keys for svc_ci_cd rotated
3. User Account       | Disable temporary credentials       | AWS IAM                   | Credentials revoked
4. IP Blocking        | Block attacker IP                   | AWS WAF, Security Groups  | IP 185.143.221[.]89 blocked
5. Impact Assessment  | Determine what was discovered       | CloudTrail Logs           | Attacker enumerated all resources
6. Threat Hunting     | Check for other unauthorized access | GuardDuty, CloudTrail     | No other suspicious activity

Jira Incident Report
Ticket: SOC-2024-120
Summary: T1580 – Cloud Infrastructure Discovery via Compromised CI/CD Credentials
Status: RESOLVED
Resolution: MALICIOUS – Credentials Rotated
Priority: P2 – MEDIUM
Labels: T1580, cloud-discovery, aws, guardduty, compromised-credentials, ci-cd
Components: Cloud-Security, Identity-Management

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: AWS GuardDuty.
Alert: “Unauthorized API Calls – Cloud Infrastructure Discovery”.
AWS Account: 123456789012 (Production).
IAM User: svc_ci_cd (CI/CD service account).
Source IP: 185.143.221[.]89 (Bulgaria).
Time: 2024-02-23 10:30 EST.
Technique: MITRE ATT&CK T1580 – Cloud Infrastructure Discovery.

2. Technical Analysis:

Attack Chain:

09:30 – CI/CD credentials compromised (source unknown at detection time; later traced to a public GitHub repository, see section 4)
09:45 – Attacker tests credentials from Bulgaria IP
10:15-10:30 – Attacker performs comprehensive discovery
10:30 – GuardDuty detects anomalous pattern

Discovery Performed:

EC2: 47 instances across 3 regions
Security Groups: 84 security groups with rules
VPCs: 12 VPCs with subnets, route tables
S3: 156 buckets with locations
RDS: 23 database instances
Lambda: 78 functions
IAM: 342 users, 156 roles
Total: Full inventory of cloud infrastructure

Credentials Used:

User: svc_ci_cd (CI/CD service account)
Permissions: ReadOnly (by design)
Access Keys: AKIAxxxxxxxxxxxxxxxx (now rotated)

Attacker Intent:

Complete infrastructure mapping
Identifying high-value targets (databases, buckets with sensitive data)
Reconnaissance for future attack

3. Investigation Findings:

Timeline:

09:30 – Credentials compromised
10:15-10:30 – Discovery performed
10:30 – GuardDuty alert
10:32 – SOC investigates
10:35 – Access keys rotated
10:36 – Attacker IP blocked

Indicators of Compromise (IoCs):

Network:

– Attacker IP: 185.143.221[.]89

AWS:

– IAM User: svc_ci_cd

– Access Keys: AKIAxxxxxxxxxxxxxxxx (rotated)

API Calls:

– ec2:Describe*, s3:List*, rds:Describe*, iam:List*, lambda:List*

4. Containment Actions:

Immediate Actions:

Rotated access keys for svc_ci_cd.
Revoked any active sessions.
Blocked attacker IP at AWS WAF and security groups. Note that WAF rules and security groups only filter traffic to our own workloads; the attacker's API calls went to AWS service endpoints, which those controls do not sit in front of, so the key rotation is what actually ended the access. An IAM or SCP deny conditioned on aws:SourceIp is the control that blocks a source address at the API level.

Impact Assessment:

No write/modify operations performed.
No data-plane access observed in CloudTrail. Caveat: read-only permissions still allow object reads such as s3:GetObject, and S3 object-level events are only recorded when data-event logging is enabled on the trail, so this conclusion holds only where that logging exists for the buckets the attacker listed.
No resources created/modified/deleted.

Credential Leak Investigation:

Found CI/CD credentials in public GitHub repo (developer mistake).
Repo made private; credentials removed.
Developer counseled.

5. Root Cause Analysis:

Primary Cause: CI/CD credentials leaked in public GitHub repository.
Contributing Factors:
No secret scanning in place.
Developer unaware of credential exposure.
Service account had broad read-only access.
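The contributing factor "no secret scanning in place" is the cheapest one to close. Below is an added example of a minimal pre-commit scanner for the credential type that leaked here; it is not GitHub Advanced Security and not the organisation's tooling. The AKIA access-key-ID pattern is the documented shape of AWS long-term keys; the secret-key pattern is a heuristic (40 characters of the base64 alphabet next to a "secret key" hint) and will produce false positives. The sample files are constructed and the key values are AWS's published documentation examples, not real credentials.

```python
import re
import sys

# AWS long-term access key IDs start with AKIA followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Heuristic: a secret-key variable name followed by 40 base64-alphabet characters.
AWS_SECRET = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_key\W{0,5}['\"]?([A-Za-z0-9/+=]{40})['\"]?")

# Constructed sample tree, as a developer might have committed it (keys are the
# AWS documentation examples, not live credentials).
FILES = {
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE\n"
        "  AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "README.md": "Run `aws configure` and paste the key your lead gives you.\n",
    "scripts/deploy.sh": "#!/bin/sh\naws s3 sync ./build s3://my-bucket\n",
}


def scan(files):
    """Return (path, line number, finding type, redacted value) for every hit."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in AWS_KEY_ID.finditer(line):
                findings.append((path, lineno, "aws-access-key-id", m.group(1)))
            for m in AWS_SECRET.finditer(line):
                # never echo the secret itself into CI logs
                findings.append((path, lineno, "aws-secret-access-key", m.group(1)[:4] + "..."))
    return findings


def main(files=FILES):
    """Pre-commit entry point: non-zero exit blocks the commit when anything is found."""
    hits = scan(files)
    for path, lineno, kind, value in hits:
        print(f"{path}:{lineno}: {kind}: {value}", file=sys.stderr)
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

A hook like this only stops the next leak; an access key ID that has already reached a public repository must be treated as compromised and rotated regardless of how quickly the commit is removed, because history and forks retain it.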

6. Business Impact:

Operational Impact: None.
Security Impact: Full infrastructure inventory exposed to attacker.
Reputational Impact: Internal only.

7. Remediation & Prevention:

Completed Actions:

Credentials rotated.
Attacker blocked.
GitHub repo secured.

Technical Controls Enhanced:

Implemented secret scanning (GitHub Advanced Security).
Enforced MFA for all human IAM users. MFA cannot be applied to a service account's access keys, so svc_ci_cd was instead constrained with guardrails (source-address conditions and the least-privilege scope in the next item).
Restricted service account permissions to least privilege.
Deployed GuardDuty with automated response.
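To show what "restricted service account permissions to least privilege" and the source-address guardrail change in practice, here is an added Python example (not the organisation's policy or AWS code) that evaluates the alert's enumeration calls under two IAM policies: a constructed approximation of the broad read-only grant the page describes, and a hypothetical least-privilege policy for a container deploy job with an explicit deny for calls from outside the runner's egress range. The evaluator is a deliberate simplification of IAM (Action wildcards and aws:SourceIp conditions only; Resource is treated as "*"). The runner CIDR, the deploy job's action list and the policy text are assumptions.

```python
import fnmatch
import ipaddress

# "Before": constructed approximation of the broad read-only grant for the services the
# attacker enumerated (not the text of the AWS managed ReadOnlyAccess policy).
BROAD_READONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "s3:List*", "s3:Get*", "rds:Describe*",
                "lambda:List*", "iam:List*", "iam:Get*"]},
]}

# "After" (hypothetical): only what a container deploy job needs, plus an explicit deny for
# any call whose source address is outside the CI runner's egress range (TEST-NET-3, constructed).
RUNNER_CIDR = "203.0.113.0/24"
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                "ecs:DescribeServices", "ecs:UpdateService"]},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": [RUNNER_CIDR]}}},
]}

# Enumeration calls taken from the alert.
ALERT_CALLS = ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups", "s3:ListBuckets",
               "s3:GetBucketLocation", "rds:DescribeDBInstances", "lambda:ListFunctions",
               "iam:ListUsers", "iam:ListRoles"]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, ctx):
    """Evaluate the subset of IAM conditions modelled here: IpAddress/NotIpAddress on aws:SourceIp."""
    for op, kv in condition.items():
        for key, cidrs in kv.items():
            if key != "aws:SourceIp" or op not in ("IpAddress", "NotIpAddress"):
                raise NotImplementedError(f"{op} {key}")
            addr = ipaddress.ip_address(ctx["aws:SourceIp"])
            inside = any(addr in ipaddress.ip_network(c) for c in _as_list(cidrs))
            if inside != (op == "IpAddress"):
                return False
    return True


def is_allowed(policy, action, ctx):
    """Simplified IAM evaluation: an applicable explicit Deny wins, otherwise any applicable
    Allow permits, otherwise the request is implicitly denied. Resource matching is not modelled."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(st["Action"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def simulate(policy, actions, source_ip):
    """Map each action to whether the policy permits it from the given source address."""
    return {a: is_allowed(policy, a, {"aws:SourceIp": source_ip}) for a in actions}


if __name__ == "__main__":
    for name, pol in (("broad read-only", BROAD_READONLY), ("least privilege", LEAST_PRIVILEGE)):
        r = simulate(pol, ALERT_CALLS, "185.143.221.89")
        print(f"{name}: {sum(r.values())}/{len(r)} enumeration calls allowed from 185.143.221.89")
```

Two caveats on the aws:SourceIp guardrail: requests that reach AWS through a VPC endpoint do not carry aws:SourceIp (use aws:VpcSourceIp or aws:SourceVpce for those), and a stolen key used from inside the allowed range is still valid. The stronger fix is to remove the long-lived key entirely and have the pipeline assume a role with short-lived credentials (for example through the CI provider's OIDC federation), so there is nothing durable to leak into a repository.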

8. Conclusion:

An attacker discovered CI/CD credentials in a public GitHub repository and used them to perform comprehensive discovery of our AWS infrastructure. GuardDuty detected the anomalous API calls from an unusual location. Credentials were rotated before any write operations could occur.

Closure Rationale: Credentials rotated; attacker blocked; secret scanning implemented.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-23 11:30 EST

