AWS Cloudtrail possible secret enumeration in multiple regions and secret retrieval


Goal

Detects when a user enumerates AWS Secrets Manager secrets across multiple regions and then retrieves secret values.

Strategy

This rule monitors AWS CloudTrail events for ListSecrets API calls spanning multiple regions and subsequent GetSecretValue API calls by the same user identity. This behavior pattern is concerning because legitimate users typically work within specific regions and don’t require broad secret enumeration across multiple geographic locations before accessing secrets. Attackers often perform discovery to map available secrets across an organization’s AWS infrastructure before extracting valuable credentials.

Triage & Response

  • Determine if {{@userIdentity.arn}} should be performing secret enumeration activities across multiple AWS regions.
  • Review the specific regions where ListSecrets operations occurred to determine if cross-region access aligns with the user’s normal responsibilities.
  • Identify which secrets were retrieved through GetSecretValue and assess their sensitivity and business criticality.
  • Check for any other suspicious activities from the same user identity, such as unusual resource access or privilege escalation attempts.
  • Verify if the user identity has been recently compromised by reviewing authentication logs and access patterns leading up to the secret enumeration.
  • Determine if the retrieved secrets have been used for unauthorized access to other AWS services or external systems.
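The following is an added example, not the rule's own implementation, that replays the Strategy above over constructed CloudTrail records and then produces the context the triage bullets ask for: the regions where ListSecrets ran and the secrets pulled with GetSecretValue. It assumes CloudTrail's standard log-file shape (`{"Records": [...]}` with `eventSource`, `eventName`, `awsRegion`, `eventTime`, `userIdentity.arn` and `requestParameters.secretId`); the minimum number of distinct regions (`MIN_REGIONS`) is an assumed threshold, since the page does not state one, and all account ids, ARNs and secret names are placeholders.

```python
"""Added example: detect multi-region ListSecrets followed by GetSecretValue.
Not Datadog's rule code; the threshold and sample data are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Assumed threshold: how many distinct regions count as "multiple".
MIN_REGIONS = 2

SECRETS_MANAGER = "secretsmanager.amazonaws.com"


def _rec(time, name, region, arn, secret_id=None, source=SECRETS_MANAGER):
    """Build one constructed CloudTrail record with only the fields used here."""
    return {
        "eventTime": time, "eventSource": source, "eventName": name,
        "awsRegion": region, "userIdentity": {"arn": arn},
        "requestParameters": {"secretId": secret_id} if secret_id else None,
    }


ALICE = "arn:aws:iam::123456789012:user/alice"   # placeholder identity
BOB = "arn:aws:iam::123456789012:user/bob"       # placeholder identity
CAROL = "arn:aws:iam::123456789012:user/carol"   # placeholder identity

# Constructed CloudTrail log file content (not real logs).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    # bob: single-region enumeration then retrieval -> normal, should not fire
    _rec("2024-05-01T09:00:00Z", "ListSecrets", "us-east-1", BOB),
    _rec("2024-05-01T09:01:00Z", "GetSecretValue", "us-east-1", BOB, "dev/test/token"),
    # alice: enumerates three regions, then pulls secrets -> should fire
    _rec("2024-05-01T10:00:00Z", "ListSecrets", "us-east-1", ALICE),
    _rec("2024-05-01T10:01:00Z", "ListSecrets", "eu-west-1", ALICE),
    _rec("2024-05-01T10:02:00Z", "ListSecrets", "ap-southeast-1", ALICE),
    _rec("2024-05-01T10:03:00Z", "DescribeInstances", "us-east-1", ALICE,
         source="ec2.amazonaws.com"),           # unrelated service, ignored
    _rec("2024-05-01T10:05:00Z", "GetSecretValue", "us-east-1", ALICE, "prod/db/password"),
    _rec("2024-05-01T10:06:00Z", "GetSecretValue", "eu-west-1", ALICE, "prod/api/key"),
    # carol: two regions enumerated but nothing retrieved -> should not fire
    _rec("2024-05-01T11:00:00Z", "ListSecrets", "us-east-1", CAROL),
    _rec("2024-05-01T11:01:00Z", "ListSecrets", "us-west-2", CAROL),
]})


def load_records(text):
    """Parse a CloudTrail log file body into its list of records."""
    return json.loads(text)["Records"]


def parse_time(ts):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(records, min_regions=MIN_REGIONS):
    """Return {arn: {"regions": [...], "retrieved": [...]}} for every identity
    that called ListSecrets in at least min_regions distinct regions and then,
    chronologically afterwards, called GetSecretValue."""
    by_user = defaultdict(list)
    for rec in records:
        if rec.get("eventSource") != SECRETS_MANAGER:
            continue
        by_user[rec["userIdentity"]["arn"]].append(rec)

    findings = {}
    for arn, recs in by_user.items():
        recs.sort(key=lambda r: parse_time(r["eventTime"]))
        enumerated = {}   # region -> time of first ListSecrets there
        retrieved = []    # GetSecretValue calls made once the threshold was met
        for rec in recs:
            if rec["eventName"] == "ListSecrets":
                enumerated.setdefault(rec["awsRegion"], parse_time(rec["eventTime"]))
            elif rec["eventName"] == "GetSecretValue" and len(enumerated) >= min_regions:
                params = rec.get("requestParameters") or {}
                retrieved.append({"time": rec["eventTime"], "region": rec["awsRegion"],
                                  "secretId": params.get("secretId", "<unknown>")})
        if retrieved:
            findings[arn] = {"regions": sorted(enumerated), "retrieved": retrieved}
    return findings


def triage_summary(findings):
    """One line per finding with the facts the triage steps need."""
    lines = []
    for arn, f in findings.items():
        secrets = ", ".join(r["secretId"] for r in f["retrieved"])
        lines.append(f"{arn}: ListSecrets in {len(f['regions'])} regions "
                     f"({', '.join(f['regions'])}); retrieved: {secrets}")
    return lines


if __name__ == "__main__":
    for line in triage_summary(detect(load_records(SAMPLE_CLOUDTRAIL))):
        print(line)
```

Only GetSecretValue calls made after the region threshold is crossed are attributed to the finding, which keeps an identity's routine single-region retrievals out of the alert and gives the triage analyst exactly the secrets that were pulled once broad enumeration had taken place.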