Full Report
# FalconFriday — Detecting enumeration in AWS — 0xFF25 OrangeCon 25 Edition

TL;DR: OrangeCon is over, but testing and learning never end. To accompany our OrangeCon workshop “AWS enumeration for purple teams”, we are sharing our thoughts on detecting the abuse of cloud-native services and releasing a new FalconFriday rule in our GitHub. This FalconFriday is closely connected with our earlier blog on dAWShund.

## AWS access management challenges

When working with AWS, access management often boils down to properly configuring IAM policies. For threat actors, however, these same policies provide an opportunity: by simulating them, they can explore the boundaries of their access and identify escalation paths. Cloud services were designed to help administrators and defenders reduce the attack surface of their infrastructure, but unfortunately they also provide convenient (and abusable) ways to perform reconnaissance.

In this FalconFriday, we’ll dive into how the AWS IAM Policy Simulator can be abused, what information can be harvested, how we can detect these activities, and how adversaries may further enrich their enumeration using AWS-native tools like Credential Report and Access Analyzer.

## IAM Policy Simulator abuse

The IAM Policy Simulator was built to help administrators validate and troubleshoot IAM policies. Threat actors, however, can also leverage it to better understand their effective permissions in a compromised environment. This activity helps them enumerate which actions and resources they can access, building a roadmap for lateral movement or privilege escalation.

Policy simulation can be performed in two ways:

1. Via the IAM Policy Simulator (console)
   - The web console of the Policy Simulator is accessible at https://policysim.aws.amazon.com/
   - An attacker with leaked credentials can log in and manually test actions of specific policies against the live target environment.
   - It’s slow and less scalable, but still effective for targeted exploration.
2. Via the Policy Simulation APIs
   - AWS provides two APIs to simulate permissions: `SimulatePrincipalPolicy` and `SimulateCustomPolicy`.
   - With stolen access keys, attackers can programmatically query effective permissions.
   - This is highly efficient, since automation can be used to map out permissions at scale.

To demonstrate this in practice, we’ve created dAWShund, a framework designed to automate enumeration of IAM permissions using the Policy Simulator APIs and quickly map over-privileged accounts and potential attack paths.

## Detecting abuse

The use of the IAM Policy Simulator leaves behind some subtle but unique footprints in CloudTrail logs. Our detection is broken into two parts to detect both web console and API abuse.

To avoid unnecessary pagination when fetching the principals and their attached policies, the simulator calls `ListUsers` with a `maxItems` value of 50, and the rest of the `List*` operations with a limit of 1000. We use this pattern to differentiate simulator activity from standard console or SDK usage.

That said, enumeration in AWS is notoriously difficult to detect. Blue teams typically rely on volumetric signals such as bursts of API calls, which stand out more clearly than single requests. Still, careful research into the unique footprints left by tools and frameworks can occasionally provide a glimpse into attacker behavior. These indicators, however, should be classified lower on the Pyramid of Pain, since they are mainly useful for context.

The real power of enumeration lies in policy validation. With `SimulatePrincipalPolicy` and `SimulateCustomPolicy`, attackers don’t need to guess: they can ask AWS directly whether a specific action is allowed under the current policies. This drastically reduces noise and speeds up reconnaissance.

From a defender’s perspective, this is valuable intelligence. These API calls are rarely used in day-to-day operations. When they appear in CloudTrail, they indicate either administrative troubleshooting or a malicious attempt to simulate fetched policies, thus evaluating the effective permissions described in the Action statement of the AWS policy document. When correlated with other unusual automation patterns (e.g., dAWShund-like bursts of requests), you can confidently flag suspicious behavior.

## A taste of our own medicine: enrichment of enumeration with AWS-native tools

Once attackers have enumerated permissions, they can pivot to AWS-native tools designed for governance and attack surface reduction. These tools provide valuable insights to defenders, but unfortunately also to adversaries. While this doesn’t justify a standalone detection, it provides excellent context during threat hunting.

### Credential report

Generates a report of all IAM users, their credentials, MFA status, and password age. Useful for administrators to assess hygiene, and for attackers to identify dormant accounts, missing MFA, or weak credential practices. An error is triggered if there is no recent report to download, which creates a good opportunity to catch careless attackers.

Hunting query (KQL, CloudTrail logs):

```kql
AWSCloudTrail
| where EventName =~ "GetCredentialReport"
| where ErrorCode =~ "CredentialReportNotPresentException"
```

### Access Analyzer

Identifies resources shared with external principals (e.g., S3 buckets accessible to another account or to the public). Great for reducing attack surface by highlighting unintended exposures. For attackers, this is an intelligence goldmine: they can quickly map externally accessible resources.

Hunting query (KQL, CloudTrail logs):

```kql
AWSCloudTrail
| where EventName in~ ("CreateAccessAnalyzer", "ValidatePolicy", "ListAnalyzers")
| summarize count() by EventTime, UserIdentityArn, SourceIpAddress
```

## Wrapping up

Enumeration in AWS is about mapping the boundaries of access. Threat actors begin by listing principals, policies, and resources, then pivot into policy validation to uncover real opportunities. The IAM Policy Simulator, whether via console or API, provides a powerful way to achieve this, and tools like dAWShund make this process efficient and scalable.

Detection hinges on recognizing subtle simulator footprints and the rare use of simulation APIs. While volumetrics remain the most reliable approach, researching tool-specific behaviors can occasionally reveal attacker presence, albeit at the lower levels of the Pyramid of Pain. We hope the publicly available detection content in this blog will further assist blue teams in their endeavors. Enrichment with Credential Reports and Access Analyzer further demonstrates how AWS-native tools, intended for security, can also be abused for reconnaissance. We strongly recommend limiting their usage to absolute operational needs and frequently cleaning up or archiving the findings after auditing access.

Want to have access to our repository with over 600 advanced detections? Please have a look at our commercial offering and reach out via [email protected]

*FalconFriday — Detecting enumeration in AWS — 0xFF25 OrangeCon 25 Edition* was originally published in FalconForce on Medium.
Analysis Summary
# Tool/Technique: dAWShund Framework / IAM Policy Simulation Abuse
## Overview
This covers the abuse of the AWS IAM Policy Simulator, primarily through its APIs, to conduct automated reconnaissance of effective permissions. The **dAWShund** framework is highlighted as a tool designed specifically to automate this process, allowing adversaries to efficiently map over-privileged accounts and potential lateral movement paths within an AWS environment. Secondary native AWS tools like Credential Report and Access Analyzer are also discussed as means to enrich this initial enumeration effort.
## Technical Details
- Type: Tool / Technique
- Platform: Amazon Web Services (AWS)
- Capabilities: Programmatic simulation of IAM policies to determine effective permissions; automation of large-scale permission mapping; gathering of credential status and resource exposure details via native AWS services.
- First Seen: Not explicitly dated, but associated with the FalconFriday OrangeCon 25 Edition workshop.
## MITRE ATT&CK Mapping
- TA0043 - Impact
- T1538 - Privilege Escalation (Implied by mapping escalation paths)
- TA0048 - Inhibit System Recovery (Not mapped, but reconnaissance often precedes destructive actions)
- TA0042 - Resource Development
- T1588.002 - Obtain Capabilities: Tools (Referencing dAWShund)
- TA0001 - Initial Access (Leveraging leaked access keys)
- TA0008 - Lateral Movement (Mapping paths)
- TA0007 - Discovery
- T1087.004 - Account Discovery: Cloud Accounts
- T1046 - Network Service Discovery (Implied by resource enumeration)
## Functionality
### Core Capabilities
* **Policy Simulation (API Abuse):** Utilizing the `SimulatePrincipalPolicy` and `SimulateCustomPolicy` APIs to directly query AWS for validated effective permissions without needing to guess or execute potentially noisy actions.
* **Automated Enumeration:** The **dAWShund** framework automates the use of Policy Simulation APIs to efficiently map out permissions at scale.
* **Reconnaissance Enrichment:** Leveraging native AWS services like **Credential Report** (to find weak credentials/MFA status) and **Access Analyzer** (to find publicly or externally exposed resources) to contextualize gathered permissions.
### Advanced Features
* **Scalable Permission Mapping:** Programmatic simulation via APIs replaces slow, manual checks via the Web Console.
* **Detectable Footprints:** The simulator employs specific pagination limits (`ListUsers` maxItems=50; other `List*` operations limit=1000) which can be used as a subtle forensic signature to differentiate simulator activity from standard SDK usage.
## Indicators of Compromise
* File Hashes: N/A (Focus is on API/CloudTrail activity)
* File Names: N/A
* Registry Keys: N/A
* Network Indicators: N/A
* Behavioral Indicators:
* CloudTrail events showing `SimulatePrincipalPolicy` or `SimulateCustomPolicy` API calls (indicates rare, powerful reconnaissance).
* CloudTrail events showing specific pagination patterns in `List*` operations (e.g., `ListUsers` with `maxItems=50`).
* Bursts of API calls, especially when correlated with simulation events (suggesting use of automation like dAWShund).
* `GetCredentialReport` calls, especially when followed by a `CredentialReportNotPresentException` error (indicating a careless attempt to fetch the report).
* CloudTrail events for `CreateAccessAnalyzer`, `ValidatePolicy`, or `ListAnalyzers`.
## Associated Threat Actors
* The article discusses general threat actor methodologies for AWS enumeration and privilege discovery, but does not directly attribute the use of dAWShund or policy simulation to specific named threat groups.
## Detection Methods
* **Signature/Pattern Detection:** Detecting the unique parameter patterns used by the Policy Simulator in CloudTrail logs (e.g., max item limits on List operations).
* **Behavioral Detection:** Flagging the use of `SimulatePrincipalPolicy` and `SimulateCustomPolicy` APIs, as these are rarely used during normal day-to-day operations outside of administrative troubleshooting.
* **Volumetric Signals:** Monitoring for unusual bursts of API calls correlated with reconnaissance activity.
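The two CloudTrail signals above (the simulator's page sizes and the rare simulation API calls) combined into one triage routine, as an added example that is not FalconForce's published rule or dAWShund code. The CloudTrail records, the two principal ARNs and the `FINGERPRINT_MIN_HITS` threshold are constructed assumptions for this example.

```python
from collections import defaultdict

# Constructed sample CloudTrail records (not real logs): "alice" shows the
# simulator page sizes plus one SimulatePrincipalPolicy call; "bob" does
# ordinary CLI paging. Both ARNs are made up for this example.
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
IAM = "iam.amazonaws.com"
SAMPLE_EVENTS = [
    {"eventSource": IAM, "eventName": "ListUsers",
     "requestParameters": {"maxItems": 50}, "userIdentity": {"arn": ALICE}},
    {"eventSource": IAM, "eventName": "ListPolicies",
     "requestParameters": {"maxItems": 1000}, "userIdentity": {"arn": ALICE}},
    {"eventSource": IAM, "eventName": "SimulatePrincipalPolicy",
     "requestParameters": {"policySourceArn": ALICE}, "userIdentity": {"arn": ALICE}},
    {"eventSource": IAM, "eventName": "ListUsers",
     "requestParameters": {"maxItems": 100}, "userIdentity": {"arn": BOB}},
]

SIMULATION_APIS = {"SimulatePrincipalPolicy", "SimulateCustomPolicy"}
# Assumed threshold: the weak pagination signal alone needs this many hits
# from one principal before it is worth flagging (context, not proof).
FINGERPRINT_MIN_HITS = 2


def is_simulation_call(event):
    """High-fidelity signal: the rarely used policy simulation APIs."""
    return event.get("eventSource") == IAM and event.get("eventName") in SIMULATION_APIS


def is_simulator_pagination(event):
    """Weak signal: the simulator's page sizes (ListUsers 50, other List* 1000)."""
    if event.get("eventSource") != IAM:
        return False
    name = event.get("eventName", "")
    max_items = (event.get("requestParameters") or {}).get("maxItems")
    if name == "ListUsers":
        return max_items == 50
    return name.startswith("List") and max_items == 1000


def triage(events):
    """Count both signals per principal ARN and decide which principals to flag."""
    stats = defaultdict(lambda: {"simulation_calls": 0, "fingerprint_hits": 0})
    for ev in events:
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        stats[arn]["simulation_calls"] += is_simulation_call(ev)
        stats[arn]["fingerprint_hits"] += is_simulator_pagination(ev)
    for s in stats.values():
        s["flagged"] = s["simulation_calls"] > 0 or s["fingerprint_hits"] >= FINGERPRINT_MIN_HITS
    return dict(stats)
```

A simulation call flags a principal on its own, while the pagination fingerprint only adds up to a flag once it repeats, which mirrors the article's point that the latter sits lower on the Pyramid of Pain.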
## Mitigation Strategies
* **Principle of Least Privilege:** Strict management of IAM policies to minimize privileges, reducing the usefulness of successful policy simulation.
* **Monitor API Usage:** Treat calls to Policy Simulation APIs (`SimulatePrincipalPolicy`, `SimulateCustomPolicy`) as high-fidelity indicators of potentially malicious reconnaissance if originating from unexpected principals.
* **Credential Hygiene:** Encourage/enforce MFA and timely credential rotation, as failed attempts to download a `CredentialReport` can indicate an attacker checking for poor hygiene.
* **Restrict Native Tool Usage:** Limit access to governance/security tools like Credential Report and Access Analyzer except for necessary operational needs, and frequently review/archive their findings.
## Related Tools/Techniques
* **dAWShund:** The framework specifically designed to automate the abuse of the Policy Simulation APIs.
* **AWS IAM Policy Simulator:** The native AWS feature being abused.
* **AWS Credential Report:** Native AWS tool abused for reconnaissance.
* **AWS Access Analyzer:** Native AWS tool abused for reconnaissance.