Rapid7 MDR Supports AWS GuardDuty’s New Attack Sequence Alerts

AWS GuardDuty has introduced two new alerts—“Potential Credential Compromise” and “Potential S3 Data Compromise”—that correlate multiple signals over time instead of reporting isolated events, which helps surface multi-stage attacks that single-event alerts miss. These improvements allow rapid response to potential threats, supported by Rapid7’s Managed Threat Complete and InsightCloudSec services.

Affected: AWS environments, Security Operations Centers (SOC), cloud security users

Keypoints:

  • AWS GuardDuty has launched two new alerts for enhanced threat detection: “Potential Credential Compromise” and “Potential S3 Data Compromise.”
  • These alerts offer deeper insights by correlating multiple signals across various contexts, unlike traditional single-event alerts.
  • New alerts help detect sophisticated attack strategies such as persistence, privilege escalation, and data exfiltration.
  • Rapid7’s Managed Threat Complete supports AWS GuardDuty by providing alert triage, remediation recommendations, and response actions.
  • The IAM Compromised Credentials alert identifies potential credential theft through suspicious activities and connections.
  • The S3 Compromised Data alert focuses on detecting data breach attempts targeting S3 buckets.
  • Both alerts correlate various suspicious activities, increasing efficiency in threat detection and response for organizations.
  • Rapid7 Exposure Command enriches alerts from third-party detection engines to accelerate SOC investigation and response.
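The keypoints above describe the core idea of the new alerts: a single finding (an unusual login, a new access key, a bucket listing) is weak evidence on its own, but several findings from the same IAM principal inside a short window that cover different attack stages are strong evidence of a sequence. The following script is an added illustration of that correlation logic, not code from Rapid7 or AWS. The finding type names, the stage mapping, the ARNs and the timestamps are all constructed for the example; the real GuardDuty attack-sequence findings are produced by the service itself and are not generated this way.

```python
"""Toy correlation of single-event findings into attack-sequence alerts.

Added example, not Rapid7's or AWS GuardDuty's own code. Finding type names,
stage mapping, principals and timestamps below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative mapping from a finding type to the attack stage it evidences.
# These type strings are constructed, not real GuardDuty finding types.
STAGE_OF = {
    "CredentialAccess:AnomalousLogin": "credential_abuse",
    "Persistence:IAMUser/CreateAccessKey": "persistence",
    "PrivilegeEscalation:IAMUser/AttachAdminPolicy": "privilege_escalation",
    "Discovery:S3/ListBuckets": "discovery",
    "Exfiltration:S3/GetObjectBulk": "exfiltration",
    "Impact:S3/DeleteObject": "impact",
}

# Which stages make up each sequence (names follow the two new GuardDuty alerts).
SEQUENCES = {
    "Potential Credential Compromise": {"credential_abuse", "persistence", "privilege_escalation"},
    "Potential S3 Data Compromise": {"discovery", "exfiltration", "impact"},
}

DEFAULT_WINDOW = timedelta(hours=1)
SHORT_WINDOW = timedelta(minutes=10)


def correlate(findings, window=DEFAULT_WINDOW, min_stages=2):
    """Group findings by IAM principal and flag multi-stage activity in one window.

    findings: iterable of dicts with keys 'time' (datetime), 'principal', 'type'.
    An alert fires once per (principal, sequence) when, within `window`, the
    principal has findings covering at least `min_stages` stages of that sequence.
    """
    by_principal = defaultdict(list)
    for f in findings:
        if f["type"] in STAGE_OF:  # drop types that map to no stage
            by_principal[f["principal"]].append(f)

    alerts = {}
    for principal, items in by_principal.items():
        items.sort(key=lambda f: f["time"])
        for i, anchor in enumerate(items):
            # Sliding window that opens at each finding in turn.
            in_window = [f for f in items[i:] if f["time"] - anchor["time"] <= window]
            for name, required in SEQUENCES.items():
                evidence = [f for f in in_window if STAGE_OF[f["type"]] in required]
                hit = {STAGE_OF[f["type"]] for f in evidence}
                if len(hit) >= min_stages and (principal, name) not in alerts:
                    alerts[(principal, name)] = {
                        "sequence": name,
                        "principal": principal,
                        "first_seen": min(f["time"] for f in evidence),
                        "last_seen": max(f["time"] for f in evidence),
                        "stages": sorted(hit),
                        "evidence": [f["type"] for f in evidence],
                    }
    return list(alerts.values())


# Constructed sample findings: alice shows a full chain inside 40 minutes,
# bob has a single discovery event, carol's two events are six hours apart.
T0 = datetime(2025, 3, 21, 9, 0)
ALICE = "arn:aws:iam::123456789012:user/alice"   # constructed account id
BOB = "arn:aws:iam::123456789012:user/bob"
CAROL = "arn:aws:iam::123456789012:user/carol"
SAMPLE_FINDINGS = [
    {"time": T0, "principal": ALICE, "type": "CredentialAccess:AnomalousLogin"},
    {"time": T0 + timedelta(minutes=5), "principal": ALICE, "type": "Persistence:IAMUser/CreateAccessKey"},
    {"time": T0 + timedelta(minutes=12), "principal": ALICE, "type": "PrivilegeEscalation:IAMUser/AttachAdminPolicy"},
    {"time": T0 + timedelta(minutes=20), "principal": ALICE, "type": "Discovery:S3/ListBuckets"},
    {"time": T0 + timedelta(minutes=40), "principal": ALICE, "type": "Exfiltration:S3/GetObjectBulk"},
    {"time": T0 + timedelta(minutes=3), "principal": BOB, "type": "Discovery:S3/ListBuckets"},
    {"time": T0 + timedelta(minutes=7), "principal": BOB, "type": "Unmapped:SomethingElse"},
    {"time": T0, "principal": CAROL, "type": "Discovery:S3/ListBuckets"},
    {"time": T0 + timedelta(hours=6), "principal": CAROL, "type": "Exfiltration:S3/GetObjectBulk"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_FINDINGS):
        print(alert["sequence"], alert["principal"], alert["stages"],
              alert["first_seen"].time(), "->", alert["last_seen"].time())
```

Run as-is, the script raises both sequences for alice only: bob never reaches a second stage, and carol's discovery and exfiltration events fall outside the one-hour window, so they stay separate single-event findings. Shrinking the window to ten minutes drops the S3 sequence for alice as well, which is the tuning trade-off a SOC faces with this kind of correlation: a tighter window reduces false positives but lets slow, low-and-slow sequences through.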

MITRE Techniques:

  • TA0001: Initial Access – Detecting IAM Credential Abuse through multiple suspicious activities.
  • TA0005: Privilege Escalation – Monitoring unauthorized privilege escalation attempts in AWS environments.
  • TA0010: Exfiltration – Tracking potential data exfiltration attempts by correlating suspicious S3 bucket access patterns.
  • TA0009: Collection – Identifying unauthorized access and enumeration activities targeting sensitive data in S3 buckets.
  • TA0007: Defense Evasion – Observing attempts to disable security controls and modify security settings.

Indicators of Compromise:

  • [IP Address] Known malicious IP addresses (e.g., Tor exit nodes)
  • [API Call] High-risk API calls aligned with suspicious activities
  • [Operation] ListBuckets, GetObject, and DeleteObject S3 actions performed from suspicious IPs
  • [Event] Connection attempts from unauthorized geographic locations
  • [Action] Security control modifications targeting S3 bucket access
Full Story: https://blog.rapid7.com/2025/03/21/rapid7-mdr-supports-aws-guarddutys-new-attack-sequence-alerts/