<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AWS CloudShell - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/aws-cloudshell/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 04 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/aws-cloudshell/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS CloudShell Environment Creation Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-cloudshell-creation/</link><pubDate>Thu, 04 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-cloudshell-creation/</guid><description>Detection of AWS CloudShell environment creation can indicate unauthorized command execution within AWS by an adversary leveraging a compromised console session to interact with AWS services.</description><content:encoded><![CDATA[<p>AWS CloudShell provides command-line access to AWS resources directly from the AWS Management Console. The <code>CreateEnvironment</code> API is called when a user launches CloudShell for the first time or accesses CloudShell in a new AWS region. An adversary with compromised console access may use CloudShell to execute commands, install tools, or interact with AWS services without needing local CLI credentials. This can occur even if MFA is enabled for the account if the adversary has already bypassed that control. Monitoring CloudShell environment creation helps detect unauthorized usage from compromised console sessions and is an indicator of potential malicious activity within the AWS environment. The rule focuses on detecting the initial creation of the CloudShell environment via the <code>CreateEnvironment</code> API call.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account through compromised credentials or a session hijack (T1078.004).</li>
<li>The attacker logs into the AWS Management Console using the compromised account (TA0001).</li>
<li>The attacker navigates to the CloudShell service within the AWS Management Console.</li>
<li>Since CloudShell hasn't been used before in the AWS region, the <code>CreateEnvironment</code> API is invoked (T1059.009).</li>
<li>The attacker uses the CloudShell environment to execute commands and scripts to enumerate AWS resources.</li>
<li>The attacker leverages the AWS CLI within CloudShell to create new IAM users or roles with elevated privileges.</li>
<li>The attacker uses CloudShell to deploy malicious code or modify existing cloud resources (e.g., S3 buckets, EC2 instances).</li>
<li>The attacker attempts to exfiltrate data or establish persistence within the AWS environment using the resources accessed and modified via CloudShell (TA0002).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to unauthorized access to AWS resources, data exfiltration, privilege escalation, and deployment of malicious code within the AWS environment. This can result in data breaches, service disruptions, and financial losses. While the severity is rated low, successful exploitation can lead to significant downstream impact. The impact is highly dependent on the permissions associated with the compromised account used to access CloudShell.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS CloudShell Environment Created</code> to detect the initial creation of CloudShell environments in your AWS environment.</li>
<li>Review <code>aws.cloudtrail.user_identity.arn</code> to identify the IAM principal that created the CloudShell environment.</li>
<li>Monitor CloudTrail logs for <code>CreateEnvironment</code> events to identify unauthorized CloudShell usage.</li>
<li>Consider restricting CloudShell access via SCPs or IAM policies for sensitive accounts.</li>
<li>Enable MFA for all console logins to reduce the risk of session compromise as mentioned in the overview.</li>
<li>Investigate surrounding activity for any IAM operations after CloudShell was accessed, as outlined in the &quot;Triage and analysis&quot; section of the rule description.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>aws</category><category>cloudshell</category><category>execution</category><category>initial-access</category></item><item><title>AWS IAM Operations via Compromised CloudShell</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-aws-cloudshell-iam/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-aws-cloudshell-iam/</guid><description>Compromised AWS console sessions can lead to attackers performing sensitive IAM operations via CloudShell to establish persistence or escalate privileges.</description><content:encoded><![CDATA[<p>AWS CloudShell is a browser-based shell environment that allows command-line access to AWS resources directly from the AWS Management Console. While it offers convenience for administrators, it also presents a risk if an attacker gains access to a compromised console session. An attacker can leverage CloudShell to perform sensitive operations, such as creating IAM users, access keys, and roles, or attaching policies, without the need to install any tools or utilize programmatic credentials. This activity can be indicative of post-compromise credential harvesting or privilege escalation activity within the AWS environment. Defenders should monitor for unusual IAM activity originating from CloudShell sessions, particularly those involving the creation or modification of identities and permissions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS Management Console session, potentially through credential theft or session hijacking.</li>
<li>The attacker launches AWS CloudShell from within the compromised console session. This provides a command-line interface to the AWS environment.</li>
<li>Using the CloudShell environment, the attacker attempts to create a new IAM user with elevated privileges using the <code>aws iam create-user</code> command.</li>
<li>The attacker generates a new access key for the newly created IAM user or an existing compromised user with the <code>aws iam create-access-key</code> command.</li>
<li>The attacker creates a new IAM role with overly permissive policies attached using the <code>aws iam create-role</code> command.</li>
<li>The attacker attaches policies to existing IAM users or roles using the <code>aws iam attach-user-policy</code> or <code>aws iam attach-role-policy</code> commands to escalate privileges.</li>
<li>The attacker leverages the newly created or modified IAM identities and access keys to persist in the AWS environment and perform lateral movement.</li>
<li>The final objective is to maintain persistent access to the AWS environment, escalate privileges, and potentially exfiltrate sensitive data or cause disruption.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to sensitive AWS resources, data exfiltration, and service disruption. Attackers may create persistent backdoors within the AWS environment through the creation of rogue IAM users or roles. The number of victims depends on the scope of the compromised AWS account. Industries that heavily rely on AWS infrastructure are particularly vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS IAM Operations via CloudShell</code> to your SIEM and tune for your environment to detect suspicious IAM activity originating from CloudShell sessions.</li>
<li>Implement session duration limits for AWS Management Console sessions to reduce the window of opportunity for console session abuse.</li>
<li>Review and restrict CloudShell access via SCPs or IAM policies for sensitive accounts.</li>
<li>Investigate any <code>ConsoleLogin</code> events followed by IAM actions from CloudShell as described in the rule's description.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloudshell</category><category>aws</category><category>iam</category><category>persistence</category><category>privilege-escalation</category></item><item><title>AWS CloudShell Environment Created</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-cloudshell-env-created/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-cloudshell-env-created/</guid><description>The creation of a new AWS CloudShell environment is detected, potentially indicating unauthorized access for command execution within AWS by adversaries without needing local CLI credentials.</description><content:encoded><![CDATA[<p>This detection identifies the creation of a new AWS CloudShell environment. CloudShell is a browser-based shell providing command-line access to AWS resources directly from the AWS Management Console. The <code>CreateEnvironment</code> API is called when a user launches CloudShell for the first time or when accessing CloudShell in a new AWS region. Adversaries with console access may abuse CloudShell to execute commands, install tools, or interact with AWS services without needing local CLI credentials. This is especially useful if the attacker is already authenticated into the AWS Console. Monitoring environment creation helps detect unauthorized CloudShell usage stemming from compromised console sessions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises AWS console credentials through methods such as phishing or credential stuffing.</li>
<li>The attacker logs into the AWS Management Console.</li>
<li>The attacker navigates to the CloudShell service.</li>
<li>The <code>CreateEnvironment</code> API is invoked as the attacker launches CloudShell for the first time in a region.</li>
<li>The attacker executes commands within the CloudShell environment to enumerate AWS resources (e.g., using <code>aws s3 ls</code>).</li>
<li>The attacker attempts to escalate privileges by exploiting misconfigurations or vulnerabilities.</li>
<li>The attacker uses CloudShell to interact with other AWS services, potentially deploying malicious infrastructure or exfiltrating data.</li>
<li>The attacker establishes persistence within the AWS environment through methods like creating new IAM users or roles with elevated permissions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation via CloudShell can lead to unauthorized access to AWS resources, data exfiltration, and deployment of malicious infrastructure. While the source material does not specify a number of victims, the impact can range from minor data breaches to significant disruptions of AWS-hosted services, depending on the permissions of the compromised account and the attacker's objectives. Even with MFA enabled, sufficiently sophisticated attackers might bypass these protections.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS CloudShell Environment Created&quot; to your SIEM using <code>event.dataset: &quot;aws.cloudtrail&quot; and event.provider: &quot;cloudshell.amazonaws.com&quot; and event.action: &quot;CreateEnvironment&quot;</code> to detect initial environment creation.</li>
<li>Correlate CloudShell creation events with preceding <code>ConsoleLogin</code> events by reviewing <code>source.ip</code> and <code>user_agent.original</code> to investigate session origin and login context.</li>
<li>Restrict CloudShell access using Service Control Policies (SCPs) or IAM policies for accounts that do not require it, as mentioned in the overview, to limit the attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>cloudshell</category></item></channel></rss>