From 3f2770dab7d56665536c276def2bac15b16b6c0a Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Tue, 16 Apr 2024 18:15:44 -0400
Subject: [PATCH 1/7] new rule 'AWS EC2 AMI Shared with Another Account'
---
 ..._ec2_ami_shared_with_separate_account.toml | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
diff --git a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
new file mode 100644
index 00000000000..6e47264cdef
--- /dev/null
+++ b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2024/04/16"
+integration = ["aws"]
+maturity = "production"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration.
+"""
+false_positives = [
+ """
+ AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.
+ """,
+]
+from = "now-60m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS EC2 AMI Shared with Another Account"
+references = [
+ "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html",
+ "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html",
+ "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/"
+]
+risk_score = 47
+rule_id = "c1812764-0788-470f-8e74-eb4a14d47573"
+severity = "medium"
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Threat Detection", "Tactic: Exfiltration"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com"
+ and event.action: ModifyImageAttribute event.outcome: success
+ and aws.cloudtrail.request_parameters: (*imageId* and *add* and *userId*)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1537"
+name = "Transfer Data to Cloud Account"
+reference = "https://attack.mitre.org/techniques/T1537/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
+
+
From 1943ff4e8c59562ddd062a726df80fbbdbb9949a Mon Sep 17 00:00:00 2001
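Review bot: The last clause of the query, `and aws.cloudtrail.request_parameters: (*imageId* and *add* and *userId*)`, only matches launch permissions granted to a named account, so a `ModifyImageAttribute` call that adds the `all` group (which makes the AMI public) carries no userId and is missed, even though the description added in patch 4 says AMIs can be made publicly available accidentally. The query hunk in patch 2 fixes the missing `and` on the line above but keeps the same `*userId*` requirement. Either drop the public-exposure sentence from the description or widen the clause to `and aws.cloudtrail.request_parameters: (*imageId* and *add* and (*userId* or *group*))`, which, if I read the CloudTrail launchPermission format correctly, also covers the public case; a public share arguably deserves its own higher-severity rule rather than a medium one shared with account-to-account sharing.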
From: terrancedejesus
Date: Tue, 16 Apr 2024 18:20:03 -0400
Subject: [PATCH 2/7] linted; updated UUID
---
 ..._ec2_ami_shared_with_separate_account.toml | 20 ++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
index 6e47264cdef..3777c574dc4 100644
--- a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
+++ b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
@@ -9,7 +9,8 @@ updated_date = "2024/04/16"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration.
+Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an
+AMI with an external AWS account as a means of data exfiltration.
 """
 false_positives = [
 """
@@ -25,18 +26,25 @@ name = "AWS EC2 AMI Shared with Another Account"
 references = [
 "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html",
 "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html",
- "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/"
+ "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/",
 ]
 risk_score = 47
-rule_id = "c1812764-0788-470f-8e74-eb4a14d47573"
+rule_id = "6a309864-fc3f-11ee-b8cc-f661ea17fbce"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Threat Detection", "Tactic: Exfiltration"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS EC2",
+ "Use Case: Threat Detection",
+ "Tactic: Exfiltration",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
 event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com"
- and event.action: ModifyImageAttribute event.outcome: success
+ and event.action: ModifyImageAttribute and event.outcome: success
 and aws.cloudtrail.request_parameters: (*imageId* and *add* and *userId*)
 '''
 
@@ -54,5 +62,3 @@ id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
 
-
-
From b310a73d7358d461a4621cbd52349e811f552b89 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Mon, 6 May 2024 06:51:12 -0700
Subject: [PATCH 3/7] added investigation guide
---
 ..._ec2_ami_shared_with_separate_account.toml | 38 ++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)
diff --git a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
index 3777c574dc4..7bcb097cabe 100644
--- a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
+++ b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
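Review bot: The corrected line `and event.action: ModifyImageAttribute and event.outcome: success` fixes the operator, but the clause that follows it still relies on bare substring wildcards over the serialized `aws.cloudtrail.request_parameters`: `*add*` is satisfied by any request whose text contains that run, so a `launchPermission` removal on an AMI whose hex id happens to contain `add` (constructed example: `ami-0add...`) would also fire, which is the opposite of what the rule name describes. Requiring the operation token alongside it, `(*imageId* and *launchPermission* and *add* and *userId*)`, narrows that somewhat; if the integration exposes the parsed launch-permission fields, matching on those would be more precise still, though I cannot confirm that from this page.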
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2024/04/16"
+updated_date = "2024/05/06"
 
 [rule]
 author = ["Elastic"]
@@ -23,6 +23,42 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 AMI Shared with Another Account"
+note = """
+
+## Triage and Analysis
+
+### Investigating AWS EC2 AMI Shared with Another Account
+
+This rule identifies when an Amazon Machine Image (AMI) is shared with another AWS account. While sharing AMIs is a common practice, adversaries may exploit this feature to exfiltrate data by sharing AMIs with external accounts under their control.
+
+#### Possible Investigation Steps
+
+- **Review the Sharing Event**: Identify the AMI involved and review the event details in AWS CloudTrail. Look for `ModifyImageAttribute` actions where the AMI attributes were changed to include additional user accounts.
+ - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.response.response_elements` fields in the CloudTrail event to identify the AMI ID and the user ID of the account with which the AMI was shared.
+- **Verify the Shared AMI**: Check the AMI that was shared and its contents to determine the sensitivity of the data stored within it.
+- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in AMI configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.
+- **Validate External Account**: Examine the AWS account to which the AMI was shared. Determine whether this account is known and previously authorized to access such resources.
+- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing AMI deployments.
+- **Audit Related Security Policies**: Check the security policies governing AMI sharing within your organization to ensure they are being followed and are adequate to prevent unauthorized sharing.
+
+### False Positive Analysis
+
+- **Legitimate Sharing Practices**: AMI sharing is a common and legitimate practice for collaboration and resource management in AWS. Always verify that the sharing activity was unauthorized before escalating.
+- **Automation Tools**: Some organizations use automation tools for AMI management which might programmatically share AMIs. Verify if such tools are in operation and whether their actions are responsible for the observed behavior.
+
+### Response and Remediation
+
+- **Review and Revoke Unauthorized Shares**: If the share is found to be unauthorized, immediately revoke the shared permissions from the AMI.
+- **Enhance Monitoring of Shared AMIs**: Implement monitoring to track changes to shared AMIs and alert on unauthorized access patterns.
+- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.
+- **Policy Update**: Review and possibly update your organization’s policies on AMI sharing to tighten control and prevent unauthorized access.
+- **Educate Users**: Conduct training sessions for users involved in managing AMIs to reinforce best practices and organizational policies regarding AMI sharing.
+
+### Additional Information
+
+For more information on managing and sharing AMIs, refer to the [Amazon EC2 User Guide on AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) and [Sharing AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html). Additionally, explore adversarial techniques related to data exfiltration via AMI sharing as documented by Stratus Red Team [here](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/).
+
+"""
 references = [
 "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html",
 "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html",
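Review bot: The investigation step **Request and Response Parameters** points analysts at `aws.response.response_elements`, which does not follow the `aws.cloudtrail.*` naming the rule's own query uses; the field the integration ships is `aws.cloudtrail.response_elements`. The account the AMI was shared with is carried in the request (the launchPermission add entry), and as far as I can tell the response to `ModifyImageAttribute` is only a return flag, so the sentence should direct readers to the request parameters for the target account id and to the response elements only to confirm the call succeeded. Suggested wording for that bullet: "Check the aws.cloudtrail.request_parameters field in the CloudTrail event to identify the AMI ID and the user ID of the account with which the AMI was shared; aws.cloudtrail.response_elements confirms whether the call succeeded." The note's closing lines and the `references` array continue in the same hunk.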
From c55ede8ccbfcf26c59d0f7a0dbf9224a07495c39 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Mon, 6 May 2024 07:11:53 -0700
Subject: [PATCH 4/7] updated description
---
 .../exfiltration_ec2_ami_shared_with_separate_account.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
index 7bcb097cabe..ebbfa6b88ce 100644
--- a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
+++ b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
@@ -10,7 +10,9 @@ updated_date = "2024/05/06"
 author = ["Elastic"]
 description = """
 Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an
-AMI with an external AWS account as a means of data exfiltration.
+AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code
+artifacts, and other sensitive data that advesaries may abuse if shared with unauthorized accounts. AMIs can be made
+publically available accidentally as well.
 """
 false_positives = [
 """
@@ -24,7 +26,6 @@ language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 AMI Shared with Another Account"
 note = """
-
 ## Triage and Analysis
 
 ### Investigating AWS EC2 AMI Shared with Another Account
From 744ea40b97e3a42ba6f2a4e10c40623ca1f79e82 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Mon, 6 May 2024 07:12:56 -0700
Subject: [PATCH 5/7] fixed spelling errors
---
 .../exfiltration_ec2_ami_shared_with_separate_account.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
index ebbfa6b88ce..7db7802faa8 100644
--- a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
+++ b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
@@ -11,8 +11,8 @@ author = ["Elastic"]
 description = """
 Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an
 AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code
-artifacts, and other sensitive data that advesaries may abuse if shared with unauthorized accounts. AMIs can be made
-publically available accidentally as well.
+artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made
+publicly available accidentally as well.
 """
 false_positives = [
 """
From 7fc115cac74277f263c8e98a31445756c768ad6d Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Mon, 13 May 2024 23:10:43 -0400
Subject: [PATCH 6/7] Update rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---
 .../aws/exfiltration_ec2_ami_shared_with_separate_account.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
index 7db7802faa8..bd96be3b33c 100644
--- a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
+++ b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
@@ -24,7 +24,7 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS EC2 AMI Shared with Another Account"
+name = "EC2 AMI Shared with Another Account"
 note = """
 ## Triage and Analysis
 
From 0ec3bf5b5434cef1f171057d102ca4414e67b333 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Mon, 13 May 2024 23:13:45 -0400
Subject: [PATCH 7/7] fixed spacing issue
---
 .../exfiltration_ec2_ami_shared_with_separate_account.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
index bd96be3b33c..04631d87839 100644
--- a/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
+++ b/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2024/05/06"
+updated_date = "2024/05/13"
 
 [rule]
 author = ["Elastic"]
@@ -26,9 +26,10 @@ language = "kuery"
 license = "Elastic License v2"
 name = "EC2 AMI Shared with Another Account"
 note = """
+
 ## Triage and Analysis
 
-### Investigating AWS EC2 AMI Shared with Another Account
+### Investigating EC2 AMI Shared with Another Account
 
 This rule identifies when an Amazon Machine Image (AMI) is shared with another AWS account. While sharing AMIs is a common practice, adversaries may exploit this feature to exfiltrate data by sharing AMIs with external accounts under their control.