[New Rule] AWS EC2 AMI Shared with Another Account (#3600)
* new rule 'AWS EC2 AMI Shared with Another Account' * linted; updated UUID * added investigation guide * updated description * fixed spelling errors * Update rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml Co-authored-by: Ruben Groenewoud <[email protected]> * fixed spacing issue --------- Co-authored-by: Ruben Groenewoud <[email protected]> (cherry picked from commit d505b95)
1 parent
727e7ad
commit f918f09
Showing
1 changed file
with
102 additions
and
0 deletions.
102 changes: 102 additions & 0 deletions
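--- /dev/null
+++ b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
@@ -0,0 +1,102 @@
+[metadata]
+creation_date = "2024/04/16"
+integration = ["aws"]
+maturity = "production"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/05/13"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an
+AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code
+artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made
+publicly available accidentally as well.
+"""
+false_positives = [
+    """
+    AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.
+    """,
+]
+from = "now-60m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "EC2 AMI Shared with Another Account"
+note = """
+## Triage and Analysis
+### Investigating EC2 AMI Shared with Another Account
+This rule identifies when an Amazon Machine Image (AMI) is shared with another AWS account. While sharing AMIs is a common practice, adversaries may exploit this feature to exfiltrate data by sharing AMIs with external accounts under their control.
+#### Possible Investigation Steps
+- **Review the Sharing Event**: Identify the AMI involved and review the event details in AWS CloudTrail. Look for `ModifyImageAttribute` actions where the AMI attributes were changed to include additional user accounts.
+- **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.response.response_elements` fields in the CloudTrail event to identify the AMI ID and the user ID of the account with which the AMI was shared.
+- **Verify the Shared AMI**: Check the AMI that was shared and its contents to determine the sensitivity of the data stored within it.
+- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in AMI configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.
+- **Validate External Account**: Examine the AWS account to which the AMI was shared. Determine whether this account is known and previously authorized to access such resources.
+- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing AMI deployments.
+- **Audit Related Security Policies**: Check the security policies governing AMI sharing within your organization to ensure they are being followed and are adequate to prevent unauthorized sharing.
+### False Positive Analysis
+- **Legitimate Sharing Practices**: AMI sharing is a common and legitimate practice for collaboration and resource management in AWS. Always verify that the sharing activity was unauthorized before escalating.
+- **Automation Tools**: Some organizations use automation tools for AMI management which might programmatically share AMIs. Verify if such tools are in operation and whether their actions are responsible for the observed behavior.
+### Response and Remediation
+- **Review and Revoke Unauthorized Shares**: If the share is found to be unauthorized, immediately revoke the shared permissions from the AMI.
+- **Enhance Monitoring of Shared AMIs**: Implement monitoring to track changes to shared AMIs and alert on unauthorized access patterns.
+- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.
+- **Policy Update**: Review and possibly update your organization’s policies on AMI sharing to tighten control and prevent unauthorized access.
+- **Educate Users**: Conduct training sessions for users involved in managing AMIs to reinforce best practices and organizational policies regarding AMI sharing.
+### Additional Information
+For more information on managing and sharing AMIs, refer to the [Amazon EC2 User Guide on AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) and [Sharing AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html). Additionally, explore adversarial techniques related to data exfiltration via AMI sharing as documented by Stratus Red Team [here](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/).
+"""
+references = [
+    "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html",
+    "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html",
+    "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/",
+]
+risk_score = 47
+rule_id = "6a309864-fc3f-11ee-b8cc-f661ea17fbce"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS EC2",
+    "Use Case: Threat Detection",
+    "Tactic: Exfiltration",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com"
+    and event.action: ModifyImageAttribute and event.outcome: success
+    and aws.cloudtrail.request_parameters: (*imageId* and *add* and *userId*)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1537"
+name = "Transfer Data to Cloud Account"
+reference = "https://attack.mitre.org/techniques/T1537/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"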
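Review bot: The last sentence of `description` ("AMIs can be made publicly available accidentally as well.") claims coverage the query does not provide: the `aws.cloudtrail.request_parameters` clause requires `*userId*`, so a launch-permission change that grants a group rather than a specific account would not match, if I read the wildcard clause correctly. Either drop that sentence or widen the clause, e.g. `and aws.cloudtrail.request_parameters: (*imageId* and *add* and (*userId* or *group*))`, and in that case add a false-positive entry for intentional public images. Separately, the investigation guide in `note` refers to `aws.response.response_elements`, which does not share the `aws.cloudtrail.` prefix used by `aws.cloudtrail.request_parameters` in the same sentence and in the query; confirm the field name against the AWS integration mapping before merging. The `*add*` term is a bare substring match on the whole request-parameters string, so any parameter value containing "add" (for example an AMI description) would satisfy it; a trailing comment such as `# *add*/*userId* target launchPermission.add.items[].userId; substring match, tune if noisy` above `query` would at least record the intent for the next tuner.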