detection.wiki

Detection rules › Panther

AWS Cloudtrail Region Enabled

Severity
medium
Log types
AWS.CloudTrail
Tags
AWS, CloudTrail, Region
Reference
https://permiso.io/blog/how-threat-actors-leverage-unsupported-cloud-regions
Source
github.com/panther-labs/panther-analysis

Threat actors who successfully compromise a victim's AWS account, whether through stolen credentials, exposed access keys, exploited IAM misconfigurations, vulnerabilities in third-party applications, or the absence of Multi-Factor Authentication (MFA), can exploit unused regions as safe zones for malicious activities. These regions are often overlooked in monitoring and security setups, making them an attractive target for attackers to operate undetected.

MITRE ATT&CK coverage

TacticTechniques
StealthT1535 Unused/Unsupported Cloud Regions

Rule body yaml

AnalysisType: rule
DedupPeriodMinutes: 60
DisplayName: AWS Cloudtrail Region Enabled
Enabled: true
Filename: aws_cloudtrail_region_enabled.py
RuleID: "AWS.CloudTrail.EnableRegion"
Severity: Medium
LogTypes:
  - AWS.CloudTrail
Tags:
  - AWS
  - CloudTrail
  - Region
Reports:
    MITRE ATT&CK:
        - TA0005:T1535  # Unused/Unsupported Cloud Regions
Description: >
  Threat actors who successfully compromise a victim's AWS account, whether through stolen credentials, 
  exposed access keys, exploited IAM misconfigurations, vulnerabilities in third-party applications, 
  or the absence of Multi-Factor Authentication (MFA), can exploit unused regions as safe zones 
  for malicious activities. These regions are often overlooked in monitoring and security setups, 
  making them an attractive target for attackers to operate undetected.
Runbook: |
  Validate whether enabling the new region was authorized.  
  Revoke user privileges, review the newly enabled region for malicious activity, and disable the region.
Reference: https://permiso.io/blog/how-threat-actors-leverage-unsupported-cloud-regions
Tests:
  - Name: EnableRegion
    LogType: AWS.CloudTrail
    ExpectedResult: true
    Log:
      {
        "eventVersion": "1.08",
        "userIdentity": {
          "type": "IAMUser",
          "principalId": "EXAMPLE",
          "arn": "arn:aws:iam::123456789012:user/Alice",
          "accountId": "123456789012",
          "accessKeyId": "EXAMPLEKEY",
          "userName": "Alice"
        },
        "eventTime": "2023-10-01T12:34:56Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "EnableRegion",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "aws-sdk-go/1.15.12 (go1.12.6; linux; amd64)",
        "requestParameters": {
          "RegionName": "us-west-2"
        },
        "responseElements": null,
        "additionalEventData": {
          "SignatureVersion": "SigV4",
          "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
          "bytesTransferredIn": 0,
          "bytesTransferredOut": 0
        },
        "requestID": "EXAMPLE123456789",
        "eventID": "EXAMPLE-1234-5678-9012-EXAMPLE",
        "readOnly": false,
        "resources": [],
        "eventType": "AwsApiCall",
        "managementEvent": false,
        "recipientAccountId": "123456789012",
        "sharedEventID": "EXAMPLE-1234-5678-9012-EXAMPLE",
        "vpcEndpointId": "vpce-1a2b3c4d"
      }
  - Name: Other Event
    LogType: AWS.CloudTrail
    ExpectedResult: false
    Log:
      {
        "eventVersion": "1.08",
        "userIdentity": {
          "type": "IAMUser",
          "principalId": "EXAMPLE",
          "arn": "arn:aws:iam::123456789012:user/Bob",
          "accountId": "123456789012",
          "accessKeyId": "EXAMPLEKEY",
          "userName": "Bob"
        },
        "eventTime": "2023-10-01T12:34:56Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBucket",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "aws-sdk-go/1.15.12 (go1.12.6; linux; amd64)",
        "requestParameters": {
          "bucketName": "example-bucket"
        },
        "responseElements": null,
        "additionalEventData": {
          "SignatureVersion": "SigV4",
          "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
          "bytesTransferredIn": 0,
          "bytesTransferredOut": 0
        },
        "requestID": "EXAMPLE123456789",
        "eventID": "EXAMPLE-1234-5678-9012-EXAMPLE",
        "readOnly": true,
        "resources": [
          {
            "type": "AWS::S3::Bucket",
            "ARN": "arn:aws:s3:::example-bucket"
          }
        ],
        "eventType": "AwsApiCall",
        "managementEvent": false,
        "recipientAccountId": "123456789012",
        "sharedEventID": "EXAMPLE-1234-5678-9012-EXAMPLE",
        "vpcEndpointId": "vpce-1a2b3c4d"
      }

Detection logic

Condition

eventName eq "EnableRegion"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
eventNameeq
  • EnableRegion

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
eventName
eventSource
awsRegion
recipientAccountId
sourceIPAddress
userAgent
userIdentity
RegionNamerequestParameters.RegionName
actor_user