<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AWS CloudFormation - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/aws-cloudformation/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 02 Nov 2024 14:22:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/aws-cloudformation/feed.xml" rel="self" type="application/rss+xml"/><item><title>First Time AWS CloudFormation Stack Creation</title><link>https://feed.craftedsignal.io/briefs/2024-11-aws-cloudformation-stack-creation/</link><pubDate>Sat, 02 Nov 2024 14:22:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-11-aws-cloudformation-stack-creation/</guid><description>This rule detects the first time a principal calls AWS CloudFormation CreateStack or CreateStackInstances API, potentially indicating malicious resource deployment by an attacker with elevated privileges.</description><content:encoded><![CDATA[<p>This detection identifies the initial use of AWS CloudFormation stack creation APIs within an AWS account. AWS CloudFormation allows users to define and provision infrastructure as code through template files. A compromised or malicious actor with sufficient permissions can leverage CloudFormation to deploy infrastructure resources, potentially for malicious purposes like establishing persistence, deploying crypto miners, or creating backdoors. This rule is designed to detect the first instance of CloudFormation stack creation by a specific user or role within an account, highlighting potentially anomalous behavior that warrants further investigation. This rule focuses on <code>CreateStack</code> and <code>CreateStackInstances</code> API calls.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains access to an AWS account through compromised credentials or by exploiting a misconfigured IAM role.</li>
<li>The attacker enumerates existing AWS resources and identifies potential targets for lateral movement or privilege escalation.</li>
<li>The attacker leverages the compromised credentials or IAM role to call the <code>CreateStack</code> or <code>CreateStackInstances</code> API.</li>
<li>The API call uses a CloudFormation template to define the resources to be created within the stack.</li>
<li>The CloudFormation service provisions the resources defined in the template. These resources may include EC2 instances, Lambda functions, IAM roles, or other AWS services.</li>
<li>The attacker uses the deployed resources to establish persistence within the AWS environment.</li>
<li>The attacker performs reconnaissance and identifies sensitive data stored within the environment.</li>
<li>The attacker exfiltrates the sensitive data from the AWS environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation could lead to unauthorized deployment of resources, privilege escalation, persistence within the AWS environment, and potential data exfiltration. This can result in financial loss, reputational damage, and legal ramifications. The number of victims depends on the scope of the compromised account and the resources deployed by the attacker. Targeted sectors could include any organization utilizing AWS CloudFormation for infrastructure management.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS CloudFormation Stack Creation by New Principal&quot; to your SIEM and tune for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the identity (<code>aws.cloudtrail.user_identity.arn</code>) and the CloudFormation template used (<code>aws.cloudtrail.request_parameters</code>).</li>
<li>Review and tighten IAM policies and permissions to adhere to the principle of least privilege, reducing the risk of exploitation.</li>
<li>Implement multi-factor authentication (MFA) for all IAM users to mitigate the risk of credential compromise.</li>
<li>Monitor CloudTrail logs (<code>logs-aws.cloudtrail-*</code>) for unusual API calls and resource creation events.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloudformation</category><category>aws</category><category>execution</category></item></channel></rss>