<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Amazon Machine Image - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/amazon-machine-image/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 24 Dec 2024 00:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/amazon-machine-image/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS EC2 Deprecated AMI Discovery</title><link>https://feed.craftedsignal.io/briefs/2024-12-aws-deprecated-ami-discovery/</link><pubDate>Tue, 24 Dec 2024 00:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-12-aws-deprecated-ami-discovery/</guid><description>A user querying for deprecated Amazon Machine Images (AMIs) in AWS via the DescribeImages API call may indicate an adversary looking for outdated and potentially vulnerable AMIs for exploitation.</description><content:encoded><![CDATA[<p>This rule detects when a user queries AWS for deprecated Amazon Machine Images (AMIs) using the <code>DescribeImages</code> API call. While querying for deprecated AMIs is not inherently malicious, it may indicate an adversary searching for outdated AMIs that may be vulnerable to exploitation. This behavior may stem from a misconfiguration or a legitimate use case, such as security assessments or legacy system maintenance. The rule focuses on identifying <code>DescribeImages</code> API calls with the <code>includeDeprecated</code> parameter set to &quot;true,&quot; which signifies an explicit request for deprecated AMIs. This activity warrants investigation to determine the intent behind the query and assess potential security risks within the AWS environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains access to an AWS account through compromised credentials or a misconfigured IAM role.</li>
<li><strong>Reconnaissance:</strong> The attacker uses the AWS CLI or SDK to query for deprecated AMIs via the <code>DescribeImages</code> API call, setting the <code>includeDeprecated</code> parameter to &quot;true.&quot;</li>
<li><strong>Discovery:</strong> The attacker analyzes the results of the <code>DescribeImages</code> API call to identify deprecated AMIs that may be vulnerable to exploitation.</li>
<li><strong>Vulnerability Assessment:</strong> The attacker researches the identified deprecated AMIs for known vulnerabilities and exploits.</li>
<li><strong>Resource Provisioning:</strong> The attacker attempts to launch an EC2 instance using a deprecated AMI, potentially bypassing security controls due to the AMI's age.</li>
<li><strong>Privilege Escalation/Lateral Movement:</strong> If the deprecated AMI contains vulnerable software, the attacker exploits it to gain elevated privileges or move laterally within the AWS environment.</li>
<li><strong>Data Exfiltration/Impact:</strong> The attacker uses the compromised EC2 instance to exfiltrate sensitive data or cause disruption to AWS services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack leveraging deprecated AMIs can lead to the compromise of EC2 instances, data breaches, and service disruptions. While this event by itself is low severity, it can act as a part of a larger attack and indicate the early stages of cloud reconnaissance. The impact of exploiting vulnerable AMIs includes data exfiltration, service downtime, and unauthorized access to other AWS resources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS EC2 Deprecated AMI Discovery</code> to your SIEM to detect queries for deprecated AMIs and tune for your environment.</li>
<li>Review the source IP address (<code>source.ip</code>) of the request to identify potentially suspicious origins as per the <code>AWS EC2 Deprecated AMI Discovery</code> rule.</li>
<li>Restrict IAM permissions to prevent unauthorized access to deprecated AMIs as mentioned in the investigation steps.</li>
<li>Enable alerts for future queries involving deprecated AMIs or other unusual API activity within CloudTrail logs as mentioned in the remediation steps.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>ec2</category><category>discovery</category></item></channel></rss>