<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Scattered Spider (LUCR-3) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/actors/scattered-spider-lucr-3/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/actors/scattered-spider-lucr-3/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS SSM Inventory Reconnaissance by Rare User</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-aws-ssm-inventory-recon/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-aws-ssm-inventory-recon/</guid><description>Detection of a rare user or role accessing AWS Systems Manager (SSM) inventory APIs or running the AWS-GatherSoftwareInventory job, potentially indicating reconnaissance activity by threat actors seeking information about managed EC2 instances.</description><content:encoded><![CDATA[<p>This detection identifies the initial use of AWS Systems Manager (SSM) inventory APIs by a specific user or role, which is uncommon behavior and may indicate reconnaissance. The AWS SSM Inventory service provides detailed information about managed EC2 instances, including installed software, patch compliance status, and command execution history. Threat actors, such as Scattered Spider (LUCR-3), may abuse these APIs to gather information about target systems within an AWS environment for lateral movement or other malicious purposes. The rule focuses on detecting the first-time use of specific SSM inventory APIs (GetInventory, GetInventorySchema, ListInventoryEntries, DescribeInstancePatches, ListCommands) or the execution of the AWS-GatherSoftwareInventory job by a user, as such actions are more typical of automation systems rather than interactive human users.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains access to an AWS account through compromised credentials or an exposed IAM role.</li>
<li>Credential Harvesting: The attacker enumerates existing IAM roles and policies to identify those with permissions to interact with SSM.</li>
<li>SSM Enumeration: The attacker uses the <code>sts:GetCallerIdentity</code> API call to validate permissions and identify the current AWS account.</li>
<li>Inventory Discovery: The attacker leverages SSM inventory APIs, such as <code>ssm:GetInventory</code>, <code>ssm:GetInventorySchema</code>, and <code>ssm:ListInventoryEntries</code>, to gather information about EC2 instances, including installed software and patch levels.</li>
<li>Patch Status Check: The attacker uses <code>ssm:DescribeInstancePatches</code> to identify vulnerable or unpatched systems.</li>
<li>Command History Check: The attacker uses <code>ssm:ListCommands</code> to gather information about past commands executed on the instances.</li>
<li>Software Inventory Job Execution: Alternatively, the attacker triggers the <code>AWS-GatherSoftwareInventory</code> job using <code>ssm:CreateAssociation</code> to collect a comprehensive software inventory.</li>
<li>Lateral Movement: Based on the gathered inventory, the attacker identifies vulnerable systems or misconfigurations and attempts lateral movement within the AWS environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful reconnaissance using AWS SSM Inventory APIs allows attackers to map out the target environment, identify vulnerable systems, and plan further attacks, such as lateral movement or data exfiltration. This reconnaissance can lead to full compromise of EC2 instances and sensitive data within the AWS environment. Scattered Spider and similar groups often use this information to identify high-value targets and vulnerabilities for exploitation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS SSM Inventory Reconnaissance by Rare User&quot; to your SIEM to detect anomalous SSM inventory API usage (rule).</li>
<li>Investigate any alerts triggered by the Sigma rule, focusing on the source IP address, user agent, and the specific API calls made (rule).</li>
<li>Review IAM permissions to ensure that users and roles only have the necessary permissions to access SSM inventory data (IAM).</li>
<li>Implement enhanced monitoring for users or roles identified as performing suspicious SSM activity (monitoring).</li>
<li>Correlate SSM API activity with other AWS CloudTrail events, such as <code>StartSession</code> or <code>SendCommand</code>, to identify broader attack patterns (CloudTrail).</li>
<li>Use the provided references to understand Scattered Spider's TTPs and AWS security best practices (references).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">threat</category><category>aws</category><category>ssm</category><category>inventory</category><category>reconnaissance</category><category>cloudtrail</category></item></channel></rss>