Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1578-modify-cloud-compute-infrastructure

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detect when an unusual AWS identity requests a limit increase.

Strategy

Monitor Cloudtrail for CreateCase API calls within AWS Support that are explicitly requesting a service limit increase. These calls are typically made when current service limits are nearing or exceeding usage thresholds. An attacker can abuse this to increase the amount of resources at their disposal.

Triage and response

1. Determine if the API call: {{@evt.name}} should have been made by the user: {{@userIdentity.arn}} from this IP address: {{@network.client.ip}} .
2. If the action is legitimate, consider including the user in a suppression list. See [Best practices for creating detection rules with Datadog Cloud SIEM][3] for more information.
3. If the action shouldn’t have happened:
   • Contact the user: {{@userIdentity.arn}} and see if they made the API call.
   • Use the Cloud SIEM - User Investigation dashboard to see if the user {{@userIdentity.arn}} has taken other actions.
   • Use the Cloud SIEM - IP Investigation dashboard to see if there’s more traffic from the IP {{@network.client.ip}}.
4. If the results of the triage indicates that an attacker has taken the action, initiate your company’s incident response process, as well as an investigation.