From d505b95f3cce75dcb556dfb128364cbffd186423 Mon Sep 17 00:00:00 2001 From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Tue, 14 May 2024 00:56:26 -0500 Subject: [PATCH] [New Rule] AWS EC2 AMI Shared with Another Account (#3600) * new rule 'AWS EC2 AMI Shared with Another Account' * linted; updated UUID * added investigation guide * updated description * fixed spelling errors * Update rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * fixed spacing issue --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --- ..._ec2_ami_shared_with_separate_account.toml | 102 ++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
diff --git a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
new file mode 100644
index 00000000000..04631d87839
--- /dev/null
+++ b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
@@ -0,0 +1,102 @@
+[metadata]
+creation_date = "2024/04/16"
+integration = ["aws"]
+maturity = "production"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/05/13"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an
+AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code
+artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made
+publicly available accidentally as well.
+"""
+false_positives = [
+ """
+ AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.
+ """,
+]
+from = "now-60m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "EC2 AMI Shared with Another Account"
+note = """
+
+## Triage and Analysis
+
+### Investigating EC2 AMI Shared with Another Account
+
+This rule identifies when an Amazon Machine Image (AMI) is shared with another AWS account. While sharing AMIs is a common practice, adversaries may exploit this feature to exfiltrate data by sharing AMIs with external accounts under their control.
+
+#### Possible Investigation Steps
+
+- **Review the Sharing Event**: Identify the AMI involved and review the event details in AWS CloudTrail. Look for `ModifyImageAttribute` actions where the AMI attributes were changed to include additional user accounts.
+ - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.response.response_elements` fields in the CloudTrail event to identify the AMI ID and the user ID of the account with which the AMI was shared.
+- **Verify the Shared AMI**: Check the AMI that was shared and its contents to determine the sensitivity of the data stored within it.
+- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in AMI configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.
+- **Validate External Account**: Examine the AWS account to which the AMI was shared. Determine whether this account is known and previously authorized to access such resources.
+- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing AMI deployments.
+- **Audit Related Security Policies**: Check the security policies governing AMI sharing within your organization to ensure they are being followed and are adequate to prevent unauthorized sharing.
+
+### False Positive Analysis
+
+- **Legitimate Sharing Practices**: AMI sharing is a common and legitimate practice for collaboration and resource management in AWS. Always verify that the sharing activity was unauthorized before escalating.
+- **Automation Tools**: Some organizations use automation tools for AMI management which might programmatically share AMIs. Verify if such tools are in operation and whether their actions are responsible for the observed behavior.
+
+### Response and Remediation
+
+- **Review and Revoke Unauthorized Shares**: If the share is found to be unauthorized, immediately revoke the shared permissions from the AMI.
+- **Enhance Monitoring of Shared AMIs**: Implement monitoring to track changes to shared AMIs and alert on unauthorized access patterns.
+- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.
+- **Policy Update**: Review and possibly update your organization’s policies on AMI sharing to tighten control and prevent unauthorized access.
+- **Educate Users**: Conduct training sessions for users involved in managing AMIs to reinforce best practices and organizational policies regarding AMI sharing.
+
+### Additional Information
+
+For more information on managing and sharing AMIs, refer to the [Amazon EC2 User Guide on AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) and [Sharing AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html). Additionally, explore adversarial techniques related to data exfiltration via AMI sharing as documented by Stratus Red Team [here](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/).
+
+"""
+references = [
+ "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html",
+ "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html",
+ "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/",
+]
+risk_score = 47
+rule_id = "6a309864-fc3f-11ee-b8cc-f661ea17fbce"
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS EC2",
+ "Use Case: Threat Detection",
+ "Tactic: Exfiltration",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com"
+ and event.action: ModifyImageAttribute and event.outcome: success
+ and aws.cloudtrail.request_parameters: (*imageId* and *add* and *userId*)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1537"
+name = "Transfer Data to Cloud Account"
+reference = "https://attack.mitre.org/techniques/T1537/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
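Review bot: The last clause of `query` requires `*userId*`, so a share that makes the AMI public (a launch permission added for a group rather than an account ID) would presumably not match, yet `description` ends with "AMIs can be made publicly available accidentally as well", which reads as if that case were covered. Either say in the description that public sharing is outside this rule's scope, or widen the clause, e.g. `aws.cloudtrail.request_parameters: (*imageId* and *add* and (*userId* or *group*))`, after confirming how the group form appears in the ingested field. In the investigation guide, `aws.response.response_elements` does not follow the `aws.cloudtrail.` prefix the query uses and is probably meant to be `aws.cloudtrail.response_elements`; as written, analysts may be sent to a field that is not populated. In the False Positive Analysis bullet, "verify that the sharing activity was unauthorized before escalating" would be clearer as "verify whether the sharing activity was authorized before escalating".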