Invitation sent to account to join AWS organization

Goal

Detect when there is an attempt to invite an AWS account to an AWS organization.

Strategy

This rule allows you to monitor CloudTrail and detect when an attacker has attempted to invite an AWS account to an AWS organization. An attacker may attempt to add an attacker-controlled AWS account to a compromised AWS organization in order to evade the organization's existing defenses.

This operation can be called only from the organization’s management account.

Triage and response

  1. Determine if {{@userIdentity.arn}} should have made a {{@evt.name}} API call.
    • Refer to @requestParameters.target.id to retrieve the account invited. This may be in the form of an AWS account ID or an email address.
    • Attempt to confirm the action either with the identity making the change or search for a ticket associated with the change.
    • Investigate other activities performed by the identity {{@userIdentity.arn}} using the Cloud SIEM - User Investigation dashboard.
  2. If the API call does not appear to be legitimate, begin your organization’s incident response process and investigate.
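As an added example that is not part of the original rule or of Datadog's own logic, the following script applies the strategy above to a CloudTrail log file: it keeps only InviteAccountToOrganization calls from organizations.amazonaws.com and pulls out the fields triage needs (the caller's ARN and requestParameters.target.id/type). The account IDs, ARNs and address in SAMPLE_LOG are constructed; failed attempts (errorCode present) are kept on purpose because the rule is about attempts, not only successful invites.

```python
import json

# Constructed CloudTrail-style records (fake account IDs, ARNs and addresses).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "organizations.amazonaws.com", "eventName": "InviteAccountToOrganization",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"target": {"type": "ACCOUNT", "id": "222222222222"}}},
    {"eventSource": "organizations.amazonaws.com", "eventName": "InviteAccountToOrganization",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/Admin/session"},
     "requestParameters": {"target": {"type": "EMAIL", "id": "owner@example.com"}},
     "errorCode": "AccessDeniedException"},
    {"eventSource": "organizations.amazonaws.com", "eventName": "ListAccounts",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}},
]})


def find_invites(log_text):
    """Return one finding per InviteAccountToOrganization call in a CloudTrail log file.

    Failed attempts (errorCode present) are kept: a denied invite from an
    unexpected identity is still worth triage.
    """
    records = json.loads(log_text).get("Records", [])
    findings = []
    for evt in records:
        if evt.get("eventSource") != "organizations.amazonaws.com":
            continue
        if evt.get("eventName") != "InviteAccountToOrganization":
            continue
        target = (evt.get("requestParameters") or {}).get("target") or {}
        findings.append({
            "actor": (evt.get("userIdentity") or {}).get("arn", "<unknown>"),
            "target_type": target.get("type", "<unknown>"),  # ACCOUNT or EMAIL
            "target_id": target.get("id", "<unknown>"),       # account ID or email
            "error": evt.get("errorCode"),                    # None when the call succeeded
        })
    return findings


if __name__ == "__main__":
    for f in find_invites(SAMPLE_LOG):
        status = f["error"] or "succeeded"
        print(f"{f['actor']} invited {f['target_type']} {f['target_id']} ({status})")
```

Each finding maps directly onto the triage steps: the actor is the {{@userIdentity.arn}} to confirm with the identity or a change ticket, and target_id is the invited account to verify.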