diff --git a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml new file mode 100644 index 00000000000..04631d87839 --- /dev/null +++ b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml @@ -0,0 +1,102 @@ +[metadata] +creation_date = "2024/04/16" +integration = ["aws"] +maturity = "production" +min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" +min_stack_version = "8.9.0" +updated_date = "2024/05/13" + +[rule] +author = ["Elastic"] +description = """ +Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an +AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code +artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made +publicly available accidentally as well. +""" +false_positives = [ + """ + AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action. + """, +] +from = "now-60m" +index = ["filebeat-*", "logs-aws.cloudtrail-*"] +interval = "10m" +language = "kuery" +license = "Elastic License v2" +name = "EC2 AMI Shared with Another Account" +note = """ + +## Triage and Analysis + +### Investigating EC2 AMI Shared with Another Account + +This rule identifies when an Amazon Machine Image (AMI) is shared with another AWS account. While sharing AMIs is a common practice, adversaries may exploit this feature to exfiltrate data by sharing AMIs with external accounts under their control. + +#### Possible Investigation Steps + +- **Review the Sharing Event**: Identify the AMI involved and review the event details in AWS CloudTrail. Look for `ModifyImageAttribute` actions where the AMI attributes were changed to include additional user accounts. + - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.response.response_elements` fields in the CloudTrail event to identify the AMI ID and the user ID of the account with which the AMI was shared. +- **Verify the Shared AMI**: Check the AMI that was shared and its contents to determine the sensitivity of the data stored within it. +- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in AMI configurations and deployments. Look for any other recent permissions changes or unusual administrative actions. +- **Validate External Account**: Examine the AWS account to which the AMI was shared. Determine whether this account is known and previously authorized to access such resources. +- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing AMI deployments. +- **Audit Related Security Policies**: Check the security policies governing AMI sharing within your organization to ensure they are being followed and are adequate to prevent unauthorized sharing. + +### False Positive Analysis + +- **Legitimate Sharing Practices**: AMI sharing is a common and legitimate practice for collaboration and resource management in AWS. Always verify that the sharing activity was unauthorized before escalating. +- **Automation Tools**: Some organizations use automation tools for AMI management which might programmatically share AMIs. Verify if such tools are in operation and whether their actions are responsible for the observed behavior. + +### Response and Remediation + +- **Review and Revoke Unauthorized Shares**: If the share is found to be unauthorized, immediately revoke the shared permissions from the AMI. +- **Enhance Monitoring of Shared AMIs**: Implement monitoring to track changes to shared AMIs and alert on unauthorized access patterns. +- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery. +- **Policy Update**: Review and possibly update your organization’s policies on AMI sharing to tighten control and prevent unauthorized access. +- **Educate Users**: Conduct training sessions for users involved in managing AMIs to reinforce best practices and organizational policies regarding AMI sharing. + +### Additional Information + +For more information on managing and sharing AMIs, refer to the [Amazon EC2 User Guide on AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) and [Sharing AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html). Additionally, explore adversarial techniques related to data exfiltration via AMI sharing as documented by Stratus Red Team [here](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/). + +""" +references = [ + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html", + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html", + "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/", +] +risk_score = 47 +rule_id = "6a309864-fc3f-11ee-b8cc-f661ea17fbce" +severity = "medium" +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS EC2", + "Use Case: Threat Detection", + "Tactic: Exfiltration", +] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com" + and event.action: ModifyImageAttribute and event.outcome: success + and aws.cloudtrail.request_parameters: (*imageId* and *add* and *userId*) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1537" +name = "Transfer Data to Cloud Account" +reference = "https://attack.mitre.org/techniques/T1537/" + + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" +