Possible AWS backup resource enumeration by long term access key


Goal

Detects AWS backup service enumeration activities performed across multiple regions using long-term access keys.

Strategy

This rule monitors AWS CloudTrail events for backup service enumeration API calls including ListProtectedResources, ListBackupSelections, ListBackupPlans, and ListBackupVaults when performed by long-term access keys across multiple regions.

AWS Backup enumeration is a discovery technique that enables attackers to map an organization’s infrastructure, identify backed-up resources, understand backup retention policies, and discover the breadth of services in use. This approach is particularly valuable for attackers as it provides comprehensive visibility into production resources without requiring enumeration of individual AWS services, which may be more heavily monitored.
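The following is an added illustration, not Datadog's rule implementation: a small Python pass over constructed CloudTrail records that flags long-term access keys (the AKIA prefix; STS temporary keys begin with ASIA) issuing the listed AWS Backup enumeration calls in more than one region. The two-region threshold is an assumption, as the page does not state the rule's actual value.

```python
"""Added example: detect long-term access keys enumerating AWS Backup across regions."""
from collections import defaultdict

# Enumeration API names named on the page
BACKUP_ENUM_EVENTS = {"ListProtectedResources", "ListBackupSelections",
                      "ListBackupPlans", "ListBackupVaults"}
REGION_THRESHOLD = 2  # assumed threshold; the page does not give the rule's value


def is_long_term_key(access_key_id: str) -> bool:
    """Long-term IAM user keys start with 'AKIA'; STS temporary keys start with 'ASIA'."""
    return access_key_id.startswith("AKIA")


def find_multi_region_backup_enum(events):
    """Return {access_key_id: sorted regions} for long-term keys that made
    AWS Backup enumeration calls in at least REGION_THRESHOLD distinct regions."""
    regions_by_key = defaultdict(set)
    for ev in events:
        if ev.get("eventSource") != "backup.amazonaws.com":
            continue
        if ev.get("eventName") not in BACKUP_ENUM_EVENTS:
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        if not is_long_term_key(key):
            continue
        regions_by_key[key].add(ev["awsRegion"])
    return {k: sorted(r) for k, r in regions_by_key.items() if len(r) >= REGION_THRESHOLD}


# Constructed sample CloudTrail records (not real data); only the fields the check reads
SAMPLE_EVENTS = [
    {"eventSource": "backup.amazonaws.com", "eventName": "ListBackupVaults", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventSource": "backup.amazonaws.com", "eventName": "ListBackupPlans", "awsRegion": "eu-west-1",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventSource": "backup.amazonaws.com", "eventName": "ListProtectedResources", "awsRegion": "ap-south-1",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001", "arn": "arn:aws:iam::123456789012:user/alice"}},
    # Temporary STS credentials doing the same thing: not a long-term key, so not flagged here
    {"eventSource": "backup.amazonaws.com", "eventName": "ListBackupVaults", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000002"}},
    {"eventSource": "backup.amazonaws.com", "eventName": "ListBackupVaults", "awsRegion": "eu-west-1",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000002"}},
    # Long-term key active in a single region only: below the assumed threshold
    {"eventSource": "backup.amazonaws.com", "eventName": "ListBackupSelections", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000003"}},
    # Call to another service is ignored by this check
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "us-west-2",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000003"}},
]

if __name__ == "__main__":
    print(find_multi_region_backup_enum(SAMPLE_EVENTS))
```

Only the first key is reported, with the three regions it touched; feeding real CloudTrail records in requires nothing more than the same four fields.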

Triage & Response

  • Verify if {{@userIdentity.arn}} has legitimate business reasons to enumerate AWS backup resources across multiple regions and determine if this represents authorized administrative activity.
  • Examine the timeline of backup enumeration calls to identify if the activity follows suspicious patterns such as rapid successive calls or unusual timing outside business hours.
  • Review other API calls made by the same access key to identify additional reconnaissance activities or attempts to access discovered resources.
  • Check if the enumerated backup resources have been accessed, modified, or if any backup policies have been changed following the enumeration activity.
  • Analyze the source IP addresses and user agent strings associated with these API calls to determine if they originate from expected administrative locations or tools.