Detect Cloud API in Splunk
Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through CLIs (aws, az, gcloud), in-browser Cloud Shells, PowerShell modules, or SDKs. With proper permissions, adversaries may abuse cloud APIs to invoke functions across compute, storage, IAM, networking, and security services. APT29 has leveraged the Microsoft Graph API, TeamTNT has used AWS CLI with compromised credentials, and Storm-0501 has used cloud CLI for data exfiltration.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.009 Cloud API
- Canonical reference
- https://attack.mitre.org/techniques/T1059/009/
SPL Detection Query
index=aws sourcetype="aws:cloudtrail"
(eventName="CreateUser" OR eventName="AttachUserPolicy" OR eventName="CreateAccessKey" OR eventName="CreateRole" OR eventName="AssumeRole" OR eventName="StopLogging" OR eventName="DeleteTrail" OR eventName="PutEventSelectors" OR eventName="RunInstances" OR eventName="CreateFunction" OR eventName="UpdateFunctionCode" OR eventName="CreateKeyPair" OR eventName="DisableGuardDuty" OR eventName="DeleteDetector")
| eval IAMChange=if(match(eventName, "(CreateUser|AttachUserPolicy|CreateAccessKey|CreateRole)"), 1, 0)
| eval SecurityDisable=if(match(eventName, "(StopLogging|DeleteTrail|PutEventSelectors|DisableGuardDuty|DeleteDetector)"), 1, 0)
| eval PrivEsc=if(match(eventName, "(AssumeRole|AttachUserPolicy)"), 1, 0)
| eval ComputeCreate=if(match(eventName, "(RunInstances|CreateFunction|UpdateFunctionCode)"), 1, 0)
| eval SuspicionScore=IAMChange*2 + SecurityDisable*3 + PrivEsc*2 + ComputeCreate
| where SuspicionScore > 0
| table _time, eventName, userIdentity.arn, sourceIPAddress, awsRegion, errorCode, IAMChange, SecurityDisable, PrivEsc, ComputeCreate, SuspicionScore
| sort - SuspicionScore, - _timeDetects suspicious AWS API calls from CloudTrail logs. Evaluates for IAM changes, security logging disabling, privilege escalation via role assumption, and compute resource creation. Security disabling weighted highest (3x) as it indicates active defense evasion. Covers API calls made via CLI, SDK, or console.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Cloud administrators creating IAM users and roles during onboarding
- Infrastructure-as-Code tools (Terraform, CloudFormation) provisioning resources
- CI/CD pipelines deploying Lambda functions or compute resources
Other platforms for T1059.009
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS IAM User Enumeration via CLI
Expected signal: CloudTrail: ListUsers API call with source IP, user identity ARN, and user agent showing 'aws-cli'. The event will be logged regardless of success or failure.
- Test 2Azure Role Assignment Enumeration
Expected signal: Azure Activity Log: Microsoft.Authorization/roleAssignments/read operation. Sign-in log showing authentication event for the Azure CLI client.
- Test 3AWS CloudTrail Status Check
Expected signal: CloudTrail: GetTrailStatus API call. This read-only call is benign but its presence before StopLogging calls is a strong indicator pattern.
References (6)
- https://attack.mitre.org/techniques/T1059/009/
- https://github.com/Azure/azure-powershell
- https://docs.aws.amazon.com/cli/latest/reference/
- https://cloud.google.com/sdk/gcloud/reference
- https://github.com/RhinoSecurityLabs/pacu
- https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/
Unlock Pro Content
Get the full detection package for T1059.009 including response playbook, investigation guide, and atomic red team tests.