{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/amazon-machine-image/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon EC2","Amazon Machine Image"],"_cs_severities":["low"],"_cs_tags":["cloud","aws","ec2","discovery"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis rule detects when a user queries AWS for deprecated Amazon Machine Images (AMIs) using the \u003ccode\u003eDescribeImages\u003c/code\u003e API call. While querying for deprecated AMIs is not inherently malicious, it may indicate an adversary searching for outdated AMIs that may be vulnerable to exploitation. This behavior may stem from a misconfiguration or a legitimate use case, such as security assessments or legacy system maintenance. The rule focuses on identifying \u003ccode\u003eDescribeImages\u003c/code\u003e API calls with the \u003ccode\u003eincludeDeprecated\u003c/code\u003e parameter set to \u0026quot;true,\u0026quot; which signifies an explicit request for deprecated AMIs. This activity warrants investigation to determine the intent behind the query and assess potential security risks within the AWS environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains access to an AWS account through compromised credentials or a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker uses the AWS CLI or SDK to query for deprecated AMIs via the \u003ccode\u003eDescribeImages\u003c/code\u003e API call, setting the \u003ccode\u003eincludeDeprecated\u003c/code\u003e parameter to \u0026quot;true.\u0026quot;\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker analyzes the results of the \u003ccode\u003eDescribeImages\u003c/code\u003e API call to identify deprecated AMIs that may be vulnerable to exploitation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Assessment:\u003c/strong\u003e The attacker researches the identified deprecated AMIs for known vulnerabilities and exploits.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Provisioning:\u003c/strong\u003e The attacker attempts to launch an EC2 instance using a deprecated AMI, potentially bypassing security controls due to the AMI's age.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Lateral Movement:\u003c/strong\u003e If the deprecated AMI contains vulnerable software, the attacker exploits it to gain elevated privileges or move laterally within the AWS environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Impact:\u003c/strong\u003e The attacker uses the compromised EC2 instance to exfiltrate sensitive data or cause disruption to AWS services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging deprecated AMIs can lead to the compromise of EC2 instances, data breaches, and service disruptions. While this event by itself is low severity, it can act as a part of a larger attack and indicate the early stages of cloud reconnaissance. The impact of exploiting vulnerable AMIs includes data exfiltration, service downtime, and unauthorized access to other AWS resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS EC2 Deprecated AMI Discovery\u003c/code\u003e to your SIEM to detect queries for deprecated AMIs and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview the source IP address (\u003ccode\u003esource.ip\u003c/code\u003e) of the request to identify potentially suspicious origins as per the \u003ccode\u003eAWS EC2 Deprecated AMI Discovery\u003c/code\u003e rule.\u003c/li\u003e\n\u003cli\u003eRestrict IAM permissions to prevent unauthorized access to deprecated AMIs as mentioned in the investigation steps.\u003c/li\u003e\n\u003cli\u003eEnable alerts for future queries involving deprecated AMIs or other unusual API activity within CloudTrail logs as mentioned in the remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-12-24T00:00:00Z","date_published":"2024-12-24T00:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-12-aws-deprecated-ami-discovery/","summary":"A user querying for deprecated Amazon Machine Images (AMIs) in AWS via the DescribeImages API call may indicate an adversary looking for outdated and potentially vulnerable AMIs for exploitation.","title":"AWS EC2 Deprecated AMI Discovery","url":"https://feed.craftedsignal.io/briefs/2024-12-aws-deprecated-ami-discovery/"}],"language":"en","title":"CraftedSignal Threat Feed - Amazon Machine Image","version":"https://jsonfeed.org/version/1.1"}