Attack Hunting Using AWS VPC Flow Logs

🚀 Introduction

In the evolving world of cloud-native infrastructures, detecting threats quickly and accurately is non-negotiable. For security teams using AWS, the VPC Flow Logs provide a rich source of network telemetry that can be weaponized for real-time threat hunting—even without a SIEM.

In this post, I’ll walk you through 10 powerful one-liner commands (using classic Unix tools like awk, grep, sed, cut, etc.) to identify real-world attacks by parsing vpc.log files.

Attack hunting with AWS VPC Flow Logs is a proactive way to surface threats hidden in network-level cloud traffic. By analyzing patterns in source and destination IPs, ports, and protocols, security teams can spot stealthy behaviors such as lateral movement and data exfiltration. The logs carry metadata that exposes attacker tactics often missed by signature-based tools: C2 beaconing, port scanning, and unauthorized access attempts become visible once flow records are correlated. Combining these findings with threat intelligence speeds up and improves response. The result is raw traffic metadata turned into actionable detection logic and hunt hypotheses.

🛠️ Prerequisites

  • Exported or downloaded vpc.log from AWS.
  • Linux/macOS CLI or WSL (Windows Subsystem for Linux).
  • Basic knowledge of networking and AWS infrastructure.

📊 Detection Matrix

Attacks Using Command-Line One-Liners

🔍 Enumerate repeated access to specific internal IP (Enumeration)

cat Traffic-* | awk '{print $4,$5}' | sort | uniq -c | awk '$1 > 5'

🔍 Detect horizontal port scanning (many destination ports from one IP)

cat Traffic-* | awk '{print $4,$5,$7}' | sort | uniq | awk '{print $1}' | sort | uniq -c | awk '$1 > 10' | sed 's/^/Detect horizontal port scanning (many destination ports from one IP): /'

🔍 Detect vertical scan (one target, many ports)

cat Traffic-* | awk '{print $4,$5,$7}' | sort | uniq | awk '{print $2}' | sort | uniq -c | awk '$1 > 10' | sed 's/^/Detect vertical scan (one target, many ports): /'

🔍 Detect consistent beaconing behavior (same dest IP over time)

cat Traffic-* | awk '{print $4,$5,$11}' | sort | uniq | awk '{print $1,$2}' | sort | uniq -c | awk '$1 > 50' | sed 's/^/Detect consistent beaconing behavior (same dest IP over time): /'

🔍 Find flows to external IPs on uncommon ports (data exfiltration)

cat Traffic-* | awk '$7 > 1024 && $5 !~ /^10\.|^172\.(1[6-9]|2[0-9]|3[01])\.|^192\.168\./' | awk '{print $4,$5,$7}' | sort | uniq | sed 's/^/Find flows to external IPs on uncommon ports (data exfiltration): /'

🔍 Extract suspected DNS tunneling (high volume to port 53)

cat Traffic-* | awk '$7 == 53' | awk '{print $4,$5}' | sort | uniq -c | sort -nr | awk '$1 > 50' | sed 's/^/Extract suspected DNS tunneling (high volume to port 53): /'

🔍 Detect RDP tunneling activity (port 3389 with odd source IPs)

cat Traffic-* | awk '$7 == 3389 && $4 !~ /^10\.|^172\.(1[6-9]|2[0-9]|3[01])\.|^192\.168\./' | sort | uniq | sed 's/^/Detect RDP tunneling activity (port 3389 with odd source IPs): /'

🔍 Detect DNS-over-HTTP behavior (port 80/443 with DNS IPs)

cat Traffic-* | grep -E '\s(80|443)\s' | grep -i 'dns' | sed 's/^/Detect DNS-over-HTTP behavior (port 80\/443 with DNS indicators): /'

🔍 Identify rare source-destination pairs

cat Traffic-* | awk '{print $4"->"$5}' | sort | uniq -c | sort -n | head | sed 's/^/Identify rare source-destination pairs: /'

🔍 Find ICMP traffic which may be used in scanning

cat Traffic-* | awk '$8 == 1' | awk '{print $4,$5}' | sort | uniq | sed 's/^/ICMP traffic which may be used in scanning: /'

🔍 Database Port Abuse

awk '$7 == 3306 || $7 == 5432 {print $3,$5,$7}' vpc.log | sort | uniq -c | sed 's/^/DB Abuse: /'

🔍 SSH Brute Force

awk '$7 == 22 {print $3,$4,$5,$7}' vpc.log | sort | uniq -c | sort -nr | sed 's/^/SSH Brute: /'
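To see the one-liners above behave on known input, here is an added example (not from the original post) that builds a small constructed VPC Flow Log sample and runs four of the detections as shell functions: horizontal scan, vertical scan, beaconing, and external high-port flows. It assumes the default VPC Flow Log record format, so $4 is srcaddr, $5 dstaddr, $7 dstport, $8 protocol and $11 start; the account id, ENI id, addresses and timestamps in the sample are constructed values.

```shell
#!/bin/sh
# Added example, not part of the original post: a harness that writes a
# constructed VPC Flow Log sample and runs four of the detections above as
# functions, so thresholds and field positions can be checked on known data.
# Field numbers follow the default VPC Flow Log record format:
#   version account-id interface-id srcaddr dstaddr srcport dstport protocol
#   packets bytes start end action log-status
# so $4 = srcaddr, $5 = dstaddr, $7 = dstport, $8 = protocol, $11 = start.
# The account id, ENI id and every address below are constructed sample values.

SAMPLE_LOG="${TMPDIR:-/tmp}/vpc-sample-$$.log"

write_sample_log() {
  : > "$SAMPLE_LOG"
  # 1) one internal host probing 12 ports on a single target (all rejected): a scan.
  p=21
  while [ "$p" -le 32 ]; do
    printf '2 123456789012 eni-0abc1234 10.0.1.50 10.0.2.20 51000 %s 6 1 44 1700000300 1700000360 REJECT OK\n' "$p" >> "$SAMPLE_LOG"
    p=$((p + 1))
  done
  # 2) 60 flows, one per minute, to the same external address: beaconing.
  i=0
  while [ "$i" -lt 60 ]; do
    start=$((1700000000 + i * 60))
    printf '2 123456789012 eni-0abc1234 10.0.1.20 203.0.113.9 %s 443 6 3 180 %s %s ACCEPT OK\n' "$((40000 + i))" "$start" "$((start + 1))" >> "$SAMPLE_LOG"
    i=$((i + 1))
  done
  # 3) one large flow to an external host on an uncommon port, two internal
  #    high-port flows that must not be flagged (172.31.x.x is RFC 1918), and
  #    a little ordinary DNS to an internal resolver.
  cat >> "$SAMPLE_LOG" <<'EOF'
2 123456789012 eni-0abc1234 10.0.1.30 198.51.100.7 52011 4444 6 900 1200000 1700000400 1700000460 ACCEPT OK
2 123456789012 eni-0abc1234 10.0.1.30 10.0.3.8 52012 8443 6 10 2000 1700000400 1700000460 ACCEPT OK
2 123456789012 eni-0abc1234 10.0.1.30 172.31.5.5 52013 9000 6 10 2000 1700000400 1700000460 ACCEPT OK
2 123456789012 eni-0abc1234 10.0.1.20 10.0.2.53 40100 53 17 1 70 1700000500 1700000560 ACCEPT OK
2 123456789012 eni-0abc1234 10.0.1.30 10.0.2.53 40101 53 17 1 70 1700000500 1700000560 ACCEPT OK
EOF
}

# Sources that reached more than $1 distinct (dstaddr, dstport) combinations.
horizontal_scanners() {
  awk '{print $4, $5, $7}' "$SAMPLE_LOG" | sort -u | awk '{print $1}' \
    | sort | uniq -c | awk -v t="$1" '$1 > t {print $2}'
}

# Destinations that saw more than $1 distinct (srcaddr, dstport) combinations.
vertical_scan_targets() {
  awk '{print $4, $5, $7}' "$SAMPLE_LOG" | sort -u | awk '{print $2}' \
    | sort | uniq -c | awk -v t="$1" '$1 > t {print $2}'
}

# Source->destination pairs seen in more than $1 distinct capture windows ($11 = start).
beacon_pairs() {
  awk '{print $4, $5, $11}' "$SAMPLE_LOG" | sort -u | awk '{print $1, $2}' \
    | sort | uniq -c | awk -v t="$1" '$1 > t {print $2 "->" $3}'
}

# Flows to non-RFC 1918 destinations on ports above 1024. The private-range
# pattern is written out in full (10/8, 172.16/12, 192.168/16).
external_high_port_flows() {
  awk '$7 > 1024 && $5 !~ /^10\.|^172\.(1[6-9]|2[0-9]|3[01])\.|^192\.168\./ {print $4, $5, $7}' "$SAMPLE_LOG" | sort -u
}

# Stand-alone run: label each finding the way the post's sed steps do.
write_sample_log
horizontal_scanners 10 | sed 's/^/Horizontal scan source: /'
vertical_scan_targets 10 | sed 's/^/Vertical scan target: /'
beacon_pairs 50 | sed 's/^/Beaconing pair: /'
external_high_port_flows | sed 's/^/External high-port flow: /'
rm -f "$SAMPLE_LOG"
```

On the sample this reports 10.0.1.50 as the scanning source, 10.0.2.20 as the scanned target, 10.0.1.20->203.0.113.9 as the beaconing pair, and only the 198.51.100.7:4444 flow as external high-port traffic; the 172.31.5.5 flow stays quiet because the private-range pattern is spelled out correctly. Real exports delivered to S3 begin with a header line naming the fields, so on live data add a guard such as `$1 != "version"` to the first awk stage.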

📚 Bonus: MITRE Mapping & Use Case Ideas

Attack Type | MITRE Technique
Port Scan   | T1046 (Network Service Scanning)
C2 Traffic  | T1071 (Application Layer Protocol)
Data Exfil  | T1041 (Exfiltration Over C2 Channel)
SSH Brute   | T1110 (Brute Force)
DB Abuse    | T1078 (Valid Accounts)

💡 Bonus Ideas

  • Convert output into CSVs and ingest into Grafana or Kibana.
  • Run these commands hourly via a Lambda or cron job and notify via Slack/Teams.
  • Map detection with MITRE ATT&CK for advanced visibility.

💬 Final Thoughts

You don’t need expensive tools to hunt like a pro. Sometimes, the right command and mindset are enough to uncover real attacks in raw data.

Start small. Build from here. And let your terminal do the talking.

📣 Conclusion

Using AWS VPC Flow Logs and a few lines of bash magic, you can uncover powerful security insights without expensive tools. These are just starting points—customize for your environment, and share the wisdom with your team.

Core working areas: Threat Intelligence, Digital Forensics, Incident Response, Fraud Investigation, Web Application Security. Technical certifications: Computer Hacking Forensics Investigator | Certified Ethical Hacker | Certified Cyber Crime Investigator | Certified Professional Hacker | Certified Professional Forensics Analyst | Red Hat Certified Engineer | Cisco Certified Network Associate | Certified Firewall Solutions | Certified Network Monitoring Solution | Certified Proxy Solutions
