[New Rule] AWS EC2 AMI Shared with Another Account #3600

terrancedejesus · 2024-04-16T22:18:18Z

Issues

https://github.com/elastic/ia-trade-team/issues/358

Summary

Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code
artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made
publicly available accidentally as well.

Unfortunately, we are not able to lookup the account shown in the request parameters for this which would indicate if it were external to the existing organization or not. This would be a follow-up investigation step into this alert or an exception the customer can add.

The request parameters are the focus on this as they are the only indication that a user is being given access to the AMI typically through the ARN ID specified.

Example Data

{
  "_index": ".ds-logs-aws.cloudtrail-default-2024.04.09-000001",
  "_id": "ccc8c263a0-000000000917",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "name": "ip-172-31-95-103",
      "id": "f14d530d-b7f2-4dbd-b122-28582c2a767c",
      "ephemeral_id": "69b4fa20-756a-4d41-8325-7613b13a01b2",
      "type": "filebeat",
      "version": "8.13.2"
    },
    "log": {
      "file": {
        "path": "https://asperitas-security-logs.s3.us-east-1.amazonaws.com/AWSLogs/891377031307/CloudTrail/us-east-1/2024/04/16/891377031307_CloudTrail_us-east-1_20240416T1920Z_nwRh1MskecELo4vz.json.gz"
      },
      "offset": 917
    },
    "elastic_agent": {
      "id": "f14d530d-b7f2-4dbd-b122-28582c2a767c",
      "version": "8.13.2",
      "snapshot": false
    },
    "source": {
      "geo": {
        "region_iso_code": "US-OH",
        "continent_name": "North America",
        "city_name": "Massillon",
        "country_iso_code": "US",
        "country_name": "United States",
        "region_name": "Ohio",
        "location": {
          "lon": x,
          "lat": x
        }
      },
      "as": {
        "number": 12097,
        "organization": {
          "name": "MASSCOM"
        }
      },
      "address": "x",
      "ip": "x"
    },
    "tags": [
      "preserve_original_event",
      "forwarded",
      "aws-cloudtrail"
    ],
    "cloud": {
      "region": "us-east-1",
      "account": {
        "id": "x"
      }
    },
    "input": {
      "type": "aws-s3"
    },
    "@timestamp": "2024-04-16T19:17:27.000Z",
    "ecs": {
      "version": "8.0.0"
    },
    "related": {
      "user": [
        "stratus"
      ]
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "aws.cloudtrail"
    },
    "tls": {
      "cipher": "TLS_AES_128_GCM_SHA256",
      "client": {
        "server_name": "ec2.us-east-1.amazonaws.com"
      },
      "version": "1.3",
      "version_protocol": "tls"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2024-04-16T19:22:48Z",
      "original": x,
      "provider": "ec2.amazonaws.com",
      "created": "2024-04-16T19:22:38.046Z",
      "kind": "event",
      "action": "ModifyImageAttribute",
      "id": "5706b3f4-1194-4d42-9b9f-847a4b734a8c",
      "type": [
        "info"
      ],
      "dataset": "aws.cloudtrail",
      "outcome": "success"
    },
    "aws": {
      "s3": {
        "bucket": {
          "name": "asperitas-security-logs",
          "arn": "arn:aws:s3:::asperitas-security-logs"
        },
        "object": {
          "key": "AWSLogs/x/CloudTrail/us-east-1/2024/04/16/891377031307_CloudTrail_us-east-1_20240416T1920Z_nwRh1MskecELo4vz.json.gz"
        }
      },
      "cloudtrail": {
        "event_version": "1.09",
        "flattened": {
          "request_parameters": {
            "imageId": "ami-0a0a5ef40de9ea0da",
            "attributeType": "launchPermission",
            "launchPermission": {
              "add": {
                "items": [
                  {
                    "userId": "012345678901"
                  }
                ]
              }
            }
          },
          "response_elements": {
            "_return": true,
            "requestId": "f26746c5-dcc1-48b4-a96c-17c5dfd0e8d0"
          }
        },
        "event_type": "AwsApiCall",
        "read_only": false,
        "user_identity": {
          "access_key_id": "AKIA47CRWDCFXZ3V7UXR",
          "type": "IAMUser",
          "arn": "arn:aws:iam::x:user/stratus"
        },
        "recipient_account_id": "x",
        "event_category": "Management",
        "request_parameters": "{imageId=ami-0a0a5ef40de9ea0da, attributeType=launchPermission, launchPermission={add={items=[{userId=012345678901}]}}}",
        "request_id": "f26746c5-dcc1-48b4-a96c-17c5dfd0e8d0",
        "response_elements": "{_return=true, requestId=f26746c5-dcc1-48b4-a96c-17c5dfd0e8d0}",
        "management_event": true
      }
    },
    "user": {
      "name": "stratus",
      "id": "AIDA47CRWDCFTQGUB5FBF"
    },
    "user_agent": {
      "original": "stratus-red-team_63b23d04-3760-4749-8bfe-52c29c2cbe86",
      "name": "Other",
      "device": {
        "name": "Other"
      }
    }
  },
  "fields": {
    "aws.cloudtrail.request_parameters.text": [
      "{imageId=ami-0a0a5ef40de9ea0da, attributeType=launchPermission, launchPermission={add={items=[{userId=012345678901}]}}}"
    ],
    "elastic_agent.version": [
      "8.13.2"
    ],
    "tls.version_protocol": [
      "tls"
    ],
    "user_agent.original.text": [
      "stratus-red-team_63b23d04-3760-4749-8bfe-52c29c2cbe86"
    ],
    "aws.cloudtrail.flattened.response_elements": [
      {
        "_return": true,
        "requestId": "f26746c5-dcc1-48b4-a96c-17c5dfd0e8d0"
      }
    ],
    "aws.cloudtrail.response_elements": [
      "{_return=true, requestId=f26746c5-dcc1-48b4-a96c-17c5dfd0e8d0}"
    ],
    "agent.name.text": [
      "ip-172-31-95-103"
    ],
    "source.geo.region_name": [
      "Ohio"
    ],
    "source.ip": [
      "x"
    ],
    "agent.name": [
      "ip-172-31-95-103"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "source.geo.region_iso_code": [
      "US-OH"
    ],
    "aws.cloudtrail.management_event": [
      "true"
    ],
    "event.kind": [
      "event"
    ],
    "aws.cloudtrail.user_identity.arn": [
      "arn:aws:iam::x:user/stratus"
    ],
    "event.outcome": [
      "success"
    ],
    "source.geo.city_name": [
      "Massillon"
    ],
    "tls.version": [
      "1.3"
    ],
    "user_agent.original": [
      "stratus-red-team_63b23d04-3760-4749-8bfe-52c29c2cbe86"
    ],
    "event.original": [x
    ],
    "cloud.region": [
      "us-east-1"
    ],
    "user.id": [
      "x"
    ],
    "input.type": [
      "aws-s3"
    ],
    "log.offset": [
      917
    ],
    "user_agent.name": [
      "Other"
    ],
    "data_stream.type": [
      "logs"
    ],
    "related.user": [
      "stratus"
    ],
    "tags": [
      "preserve_original_event",
      "forwarded",
      "aws-cloudtrail"
    ],
    "event.provider": [
      "ec2.amazonaws.com"
    ],
    "agent.id": [
      "f14d530d-b7f2-4dbd-b122-28582c2a767c"
    ],
    "ecs.version": [
      "8.0.0"
    ],
    "event.created": [
      "2024-04-16T19:22:38.046Z"
    ],
    "aws.cloudtrail.event_version": [
      "1.09"
    ],
    "agent.version": [
      "8.13.2"
    ],
    "source.as.number": [
      12097
    ],
    "aws.cloudtrail.read_only": [
      false
    ],
    "aws.cloudtrail.event_category": [
      "Management"
    ],
    "aws.cloudtrail.user_identity.type": [
      "IAMUser"
    ],
    "aws.s3.bucket.arn": [
      "arn:aws:s3:::asperitas-security-logs"
    ],
    "aws.cloudtrail.recipient_account_id": [
      "x"
    ],
    "aws.cloudtrail.request_id": [
      "f26746c5-dcc1-48b4-a96c-17c5dfd0e8d0"
    ],
    "tls.cipher": [
      "TLS_AES_128_GCM_SHA256"
    ],
    "user.name": [
      "stratus"
    ],
    "source.geo.location": [
      {
        "coordinates": [
          x,
          x
        ],
        "type": "Point"
      }
    ],
    "source.address": [
      "x"
    ],
    "aws.cloudtrail.flattened.request_parameters": [
      {
        "imageId": "ami-0a0a5ef40de9ea0da",
        "attributeType": "launchPermission",
        "launchPermission": {
          "add": {
            "items": [
              {
                "userId": "x"
              }
            ]
          }
        }
      }
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "aws"
    ],
    "source.geo.country_iso_code": [
      "US"
    ],
    "aws.cloudtrail.response_elements.text": [
      "{_return=true, requestId=f26746c5-dcc1-48b4-a96c-17c5dfd0e8d0}"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "aws.cloudtrail.event_type": [
      "AwsApiCall"
    ],
    "aws.s3.bucket.name": [
      "asperitas-security-logs"
    ],
    "source.as.organization.name.text": [
      "MASSCOM"
    ],
    "elastic_agent.id": [
      "f14d530d-b7f2-4dbd-b122-28582c2a767c"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "source.as.organization.name": [
      "MASSCOM"
    ],
    "source.geo.continent_name": [
      "North America"
    ],
    "tls.client.server_name": [
      "ec2.us-east-1.amazonaws.com"
    ],
    "event.action": [
      "ModifyImageAttribute"
    ],
    "event.ingested": [
      "2024-04-16T19:22:48.000Z"
    ],
    "@timestamp": [
      "2024-04-16T19:17:27.000Z"
    ],
    "cloud.account.id": [
      "x"
    ],
    "aws.cloudtrail.user_identity.access_key_id": [
      "x"
    ],
    "data_stream.dataset": [
      "aws.cloudtrail"
    ],
    "event.type": [
      "info"
    ],
    "log.file.path": [
      "https://asperitas-security-logs.s3.us-east-1.amazonaws.com/AWSLogs/891377031307/CloudTrail/us-east-1/2024/04/16/891377031307_CloudTrail_us-east-1_20240416T1920Z_nwRh1MskecELo4vz.json.gz"
    ],
    "agent.ephemeral_id": [
      "69b4fa20-756a-4d41-8325-7613b13a01b2"
    ],
    "aws.cloudtrail.request_parameters": [
      "{imageId=ami-0a0a5ef40de9ea0da, attributeType=launchPermission, launchPermission={add={items=[{userId=012345678901}]}}}"
    ],
    "event.id": [
      "5706b3f4-1194-4d42-9b9f-847a4b734a8c"
    ],
    "source.geo.country_name": [
      "United States"
    ],
    "user_agent.device.name": [
      "Other"
    ],
    "aws.s3.object.key": [
      "AWSLogs/x/CloudTrail/us-east-1/2024/04/16/891377031307_CloudTrail_us-east-1_20240416T1920Z_nwRh1MskecELo4vz.json.gz"
    ],
    "event.dataset": [
      "aws.cloudtrail"
    ],
    "user.name.text": [
      "stratus"
    ]
  }
}

…t.toml

rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml

…te_account.toml Co-authored-by: Ruben Groenewoud <[email protected]>

…t.toml

* new rule 'AWS EC2 AMI Shared with Another Account' * linted; updated UUID * added investigation guide * updated description * fixed spelling errors * Update rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml Co-authored-by: Ruben Groenewoud <[email protected]> * fixed spacing issue --------- Co-authored-by: Ruben Groenewoud <[email protected]> (cherry picked from commit d505b95)

new rule 'AWS EC2 AMI Shared with Another Account'

3f2770d

terrancedejesus added Integration: AWS AWS related rules Domain: Cloud Rule: New Proposal for new rule Area: RAD labels Apr 16, 2024

terrancedejesus self-assigned this Apr 16, 2024

terrancedejesus added 2 commits April 16, 2024 18:20

linted; updated UUID

1943ff4

added investigation guide

b310a73

terrancedejesus requested review from w0rk3r, DefSecSentinel, imays11, Samirbous and Aegrah May 6, 2024 14:05

Merge branch 'main' into new-rule-ec2-ami-shared-with-separate-accoun…

45a1fde

…t.toml

terrancedejesus marked this pull request as ready for review May 6, 2024 14:07

github-actions bot added the backport: auto label May 6, 2024

terrancedejesus and others added 3 commits May 6, 2024 07:11

updated description

c55ede8

fixed spelling errors

744ea40

Merge branch 'main' into new-rule-ec2-ami-shared-with-separate-accoun…

9d8ecb7

…t.toml

imays11 approved these changes May 10, 2024

View reviewed changes

Aegrah approved these changes May 13, 2024

View reviewed changes

rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml Outdated Show resolved Hide resolved

terrancedejesus and others added 3 commits May 13, 2024 23:10

Update rules/integrations/aws/exfiltration_ec2_ami_shared_with_separa…

7fc115c

…te_account.toml Co-authored-by: Ruben Groenewoud <[email protected]>

fixed spacing issue

0ec3bf5

Merge branch 'main' into new-rule-ec2-ami-shared-with-separate-accoun…

e922028

…t.toml

terrancedejesus merged commit d505b95 into main May 14, 2024
14 checks passed

terrancedejesus deleted the new-rule-ec2-ami-shared-with-separate-account.toml branch May 14, 2024 05:56

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[New Rule] AWS EC2 AMI Shared with Another Account #3600

[New Rule] AWS EC2 AMI Shared with Another Account #3600

terrancedejesus commented Apr 16, 2024 •

edited

Loading

[New Rule] AWS EC2 AMI Shared with Another Account #3600

[New Rule] AWS EC2 AMI Shared with Another Account #3600

Conversation

terrancedejesus commented Apr 16, 2024 • edited Loading

Issues

Summary

terrancedejesus commented Apr 16, 2024 •

edited

Loading