{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-cloudshell/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS CloudShell"],"_cs_severities":["low"],"_cs_tags":["aws","cloudshell","execution","initial-access"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eAWS CloudShell provides command-line access to AWS resources directly from the AWS Management Console. The \u003ccode\u003eCreateEnvironment\u003c/code\u003e API is called when a user launches CloudShell for the first time or accesses CloudShell in a new AWS region. An adversary with compromised console access may use CloudShell to execute commands, install tools, or interact with AWS services without needing local CLI credentials. This can occur even if MFA is enabled for the account if the adversary has already bypassed that control. Monitoring CloudShell environment creation helps detect unauthorized usage from compromised console sessions and is an indicator of potential malicious activity within the AWS environment. The rule focuses on detecting the initial creation of the CloudShell environment via the \u003ccode\u003eCreateEnvironment\u003c/code\u003e API call.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account through compromised credentials or a session hijack (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the AWS Management Console using the compromised account (TA0001).\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the CloudShell service within the AWS Management Console.\u003c/li\u003e\n\u003cli\u003eSince CloudShell hasn't been used before in the AWS region, the \u003ccode\u003eCreateEnvironment\u003c/code\u003e API is invoked (T1059.009).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the CloudShell environment to execute commands and scripts to enumerate AWS resources.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the AWS CLI within CloudShell to create new IAM users or roles with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses CloudShell to deploy malicious code or modify existing cloud resources (e.g., S3 buckets, EC2 instances).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to exfiltrate data or establish persistence within the AWS environment using the resources accessed and modified via CloudShell (TA0002).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to AWS resources, data exfiltration, privilege escalation, and deployment of malicious code within the AWS environment. This can result in data breaches, service disruptions, and financial losses. While the severity is rated low, successful exploitation can lead to significant downstream impact. The impact is highly dependent on the permissions associated with the compromised account used to access CloudShell.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS CloudShell Environment Created\u003c/code\u003e to detect the initial creation of CloudShell environments in your AWS environment.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e to identify the IAM principal that created the CloudShell environment.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for \u003ccode\u003eCreateEnvironment\u003c/code\u003e events to identify unauthorized CloudShell usage.\u003c/li\u003e\n\u003cli\u003eConsider restricting CloudShell access via SCPs or IAM policies for sensitive accounts.\u003c/li\u003e\n\u003cli\u003eEnable MFA for all console logins to reduce the risk of session compromise as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eInvestigate surrounding activity for any IAM operations after CloudShell was accessed, as outlined in the \u0026quot;Triage and analysis\u0026quot; section of the rule description.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-cloudshell-creation/","summary":"Detection of AWS CloudShell environment creation can indicate unauthorized command execution within AWS by an adversary leveraging a compromised console session to interact with AWS services.","title":"AWS CloudShell Environment Creation Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-cloudshell-creation/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS CloudShell","AWS Management Console","AWS IAM"],"_cs_severities":["medium"],"_cs_tags":["cloudshell","aws","iam","persistence","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eAWS CloudShell is a browser-based shell environment that allows command-line access to AWS resources directly from the AWS Management Console. While it offers convenience for administrators, it also presents a risk if an attacker gains access to a compromised console session. An attacker can leverage CloudShell to perform sensitive operations, such as creating IAM users, access keys, and roles, or attaching policies, without the need to install any tools or utilize programmatic credentials. This activity can be indicative of post-compromise credential harvesting or privilege escalation activity within the AWS environment. Defenders should monitor for unusual IAM activity originating from CloudShell sessions, particularly those involving the creation or modification of identities and permissions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS Management Console session, potentially through credential theft or session hijacking.\u003c/li\u003e\n\u003cli\u003eThe attacker launches AWS CloudShell from within the compromised console session. This provides a command-line interface to the AWS environment.\u003c/li\u003e\n\u003cli\u003eUsing the CloudShell environment, the attacker attempts to create a new IAM user with elevated privileges using the \u003ccode\u003eaws iam create-user\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe attacker generates a new access key for the newly created IAM user or an existing compromised user with the \u003ccode\u003eaws iam create-access-key\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new IAM role with overly permissive policies attached using the \u003ccode\u003eaws iam create-role\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe attacker attaches policies to existing IAM users or roles using the \u003ccode\u003eaws iam attach-user-policy\u003c/code\u003e or \u003ccode\u003eaws iam attach-role-policy\u003c/code\u003e commands to escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly created or modified IAM identities and access keys to persist in the AWS environment and perform lateral movement.\u003c/li\u003e\n\u003cli\u003eThe final objective is to maintain persistent access to the AWS environment, escalate privileges, and potentially exfiltrate sensitive data or cause disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive AWS resources, data exfiltration, and service disruption. Attackers may create persistent backdoors within the AWS environment through the creation of rogue IAM users or roles. The number of victims depends on the scope of the compromised AWS account. Industries that heavily rely on AWS infrastructure are particularly vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS IAM Operations via CloudShell\u003c/code\u003e to your SIEM and tune for your environment to detect suspicious IAM activity originating from CloudShell sessions.\u003c/li\u003e\n\u003cli\u003eImplement session duration limits for AWS Management Console sessions to reduce the window of opportunity for console session abuse.\u003c/li\u003e\n\u003cli\u003eReview and restrict CloudShell access via SCPs or IAM policies for sensitive accounts.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003eConsoleLogin\u003c/code\u003e events followed by IAM actions from CloudShell as described in the rule's description.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-cloudshell-iam/","summary":"Compromised AWS console sessions can lead to attackers performing sensitive IAM operations via CloudShell to establish persistence or escalate privileges.","title":"AWS IAM Operations via Compromised CloudShell","url":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-cloudshell-iam/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS CloudShell"],"_cs_severities":["low"],"_cs_tags":["cloud","aws","cloudshell"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection identifies the creation of a new AWS CloudShell environment. CloudShell is a browser-based shell providing command-line access to AWS resources directly from the AWS Management Console. The \u003ccode\u003eCreateEnvironment\u003c/code\u003e API is called when a user launches CloudShell for the first time or when accessing CloudShell in a new AWS region. Adversaries with console access may abuse CloudShell to execute commands, install tools, or interact with AWS services without needing local CLI credentials. This is especially useful if the attacker is already authenticated into the AWS Console. Monitoring environment creation helps detect unauthorized CloudShell usage stemming from compromised console sessions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises AWS console credentials through methods such as phishing or credential stuffing.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the AWS Management Console.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the CloudShell service.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCreateEnvironment\u003c/code\u003e API is invoked as the attacker launches CloudShell for the first time in a region.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands within the CloudShell environment to enumerate AWS resources (e.g., using \u003ccode\u003eaws s3 ls\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges by exploiting misconfigurations or vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker uses CloudShell to interact with other AWS services, potentially deploying malicious infrastructure or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence within the AWS environment through methods like creating new IAM users or roles with elevated permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via CloudShell can lead to unauthorized access to AWS resources, data exfiltration, and deployment of malicious infrastructure. While the source material does not specify a number of victims, the impact can range from minor data breaches to significant disruptions of AWS-hosted services, depending on the permissions of the compromised account and the attacker's objectives. Even with MFA enabled, sufficiently sophisticated attackers might bypass these protections.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS CloudShell Environment Created\u0026quot; to your SIEM using \u003ccode\u003eevent.dataset: \u0026quot;aws.cloudtrail\u0026quot; and event.provider: \u0026quot;cloudshell.amazonaws.com\u0026quot; and event.action: \u0026quot;CreateEnvironment\u0026quot;\u003c/code\u003e to detect initial environment creation.\u003c/li\u003e\n\u003cli\u003eCorrelate CloudShell creation events with preceding \u003ccode\u003eConsoleLogin\u003c/code\u003e events by reviewing \u003ccode\u003esource.ip\u003c/code\u003e and \u003ccode\u003euser_agent.original\u003c/code\u003e to investigate session origin and login context.\u003c/li\u003e\n\u003cli\u003eRestrict CloudShell access using Service Control Policies (SCPs) or IAM policies for accounts that do not require it, as mentioned in the overview, to limit the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-cloudshell-env-created/","summary":"The creation of a new AWS CloudShell environment is detected, potentially indicating unauthorized access for command execution within AWS by adversaries without needing local CLI credentials.","title":"AWS CloudShell Environment Created","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-cloudshell-env-created/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS CloudShell","version":"https://jsonfeed.org/version/1.1"}