<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AWS Identity and Access Management - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/aws-identity-and-access-management/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 26 Oct 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/aws-identity-and-access-management/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS STS AssumeRole with New MFA Device</title><link>https://feed.craftedsignal.io/briefs/2024-10-aws-sts-assume-role-new-mfa/</link><pubDate>Sat, 26 Oct 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-10-aws-sts-assume-role-new-mfa/</guid><description>This rule identifies when a user has assumed a role using a new MFA device in AWS, which can be indicative of persistence and privilege escalation attempts by threat actors.</description><content:encoded><![CDATA[<p>This detection rule identifies instances of AWS Security Token Service (STS) <code>AssumeRole</code> calls where a new Multi-Factor Authentication (MFA) device is used. While legitimate administrative tasks may involve assuming roles with new MFA devices, adversaries can leverage this technique to establish persistence, escalate privileges, or move laterally within an AWS environment. The rule focuses on successful <code>AssumeRole</code>, <code>AssumeRoleWithSAML</code>, and <code>AssumeRoleWithWebIdentity</code> events, specifically looking for the presence of a serial number associated with the MFA device in the request parameters, indicating a new MFA device was used. This activity warrants investigation to determine if it is authorized or indicative of malicious behavior. The rule uses a 10-day history window to define &quot;new&quot; MFA devices.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, potentially through compromised credentials (T1078.004).</li>
<li>The attacker registers a new MFA device within the compromised AWS account (T1556.006).</li>
<li>The attacker uses the AWS STS <code>AssumeRole</code> API to request temporary credentials for a different IAM role (T1550).</li>
<li>The request includes the serial number of the newly registered MFA device in the <code>request_parameters</code> (part of the AssumeRole call).</li>
<li>AWS STS validates the MFA and, if successful, issues temporary credentials associated with the assumed role (T1550.001).</li>
<li>The attacker uses these temporary credentials to access resources and perform actions authorized by the assumed role (T1078).</li>
<li>This may involve escalating privileges, accessing sensitive data, or moving laterally to other AWS resources (TA0004, TA0008).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack using a new MFA device to assume a role can lead to unauthorized access to sensitive AWS resources. The attacker can escalate privileges, move laterally to other resources, or establish persistent access within the environment. This can result in data breaches, service disruption, or other malicious activities, impacting the confidentiality, integrity, and availability of the organization's cloud infrastructure. The risk score is 21, indicating a potential but not immediately critical threat.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the following Sigma rules to your SIEM to detect the use of new MFA devices in <code>AssumeRole</code> calls and tune for your environment.</li>
<li>Enable AWS CloudTrail logging and ensure proper configuration of the AWS Fleet integration or Filebeat module to capture relevant STS events.</li>
<li>Review AWS CloudTrail logs for unusual patterns of MFA device registrations and role assumptions, focusing on privilege escalation or lateral movement attempts.</li>
<li>Implement additional monitoring and alerting for unusual MFA device registrations and role assumptions to enhance detection of similar threats in the future.</li>
<li>Create exceptions for known onboarding activities or routine device replacements by correlating with HR records or IT support tickets as described in the rule's false positives section.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">threat</category><category>aws</category><category>cloudtrail</category><category>sts</category><category>assume_role</category><category>mfa</category><category>persistence</category><category>privilege_escalation</category><category>lateral_movement</category></item><item><title>AWS STS Role Chaining for Privilege Escalation and Persistence</title><link>https://feed.craftedsignal.io/briefs/2024-10-aws-sts-role-chaining/</link><pubDate>Fri, 25 Oct 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-10-aws-sts-role-chaining/</guid><description>AWS STS role chaining, where one assumed role is used to assume another, can lead to privilege escalation or persistence by refreshing session tokens, triggering alerts on the first observed role assumption based on CloudTrail logs.</description><content:encoded><![CDATA[<p>This threat brief addresses the potential abuse of AWS STS role chaining. Role chaining is a legitimate AWS feature where an assumed role is used to assume another role through the AWS CLI or API. However, malicious actors can exploit this functionality to escalate privileges if the second assumed role has broader permissions than the initial role. The chaining can also be used as a persistence mechanism since each <code>AssumeRole</code> action results in a refreshed session token with a maximum duration of one hour. This activity is detected by monitoring CloudTrail logs for the first occurrence of a role (identified by <code>aws.cloudtrail.user_identity.session_context.session_issuer.arn</code>) assuming another role (<code>aws.cloudtrail.resources.arn</code>). Detection focuses on identifying novel role-chaining relationships to highlight potentially unauthorized activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, possibly through compromised credentials or an exposed access key.</li>
<li>The attacker uses the compromised credentials to assume an initial IAM role using <code>sts:AssumeRole</code>. This action is logged in CloudTrail with the <code>AssumeRole</code> event.</li>
<li>The attacker then uses the temporary credentials obtained from the first role to assume a second IAM role, again using <code>sts:AssumeRole</code>. The <code>aws.cloudtrail.user_identity.session_context.session_issuer.arn</code> field identifies the first role, and the <code>aws.cloudtrail.resources.arn</code> field identifies the second role.</li>
<li>If the second role has more permissions than the first, the attacker can use the second role's credentials to perform actions they couldn't do before (privilege escalation). This could involve actions related to IAM, EC2, S3 or other AWS services.</li>
<li>The attacker leverages the increased permissions to access sensitive data stored in S3 buckets, modify IAM policies to grant themselves further access, or launch EC2 instances for malicious purposes.</li>
<li>Each AssumeRole action generates new temporary credentials, effectively refreshing the attacker's session.</li>
<li>The attacker maintains persistence within the AWS environment by repeatedly chaining roles to refresh temporary credentials.</li>
<li>The attacker achieves their objective, such as exfiltrating sensitive data, deploying malware, or disrupting services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation via role chaining can lead to significant privilege escalation within an AWS environment. This can enable attackers to gain unauthorized access to sensitive data, modify critical infrastructure configurations, and potentially disrupt business operations. The persistence aspect of role chaining can allow attackers to maintain a foothold in the environment for extended periods, making detection and remediation more challenging. The blast radius can extend across multiple AWS accounts if cross-account role chaining is involved.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect AWS STS Role Chaining</code> to identify instances of role chaining in AWS CloudTrail logs. Tune the rule to exclude expected role-chaining patterns based on your environment (<code>aws.cloudtrail.user_identity.session_context.session_issuer.arn</code>, <code>aws.cloudtrail.resources.arn</code>).</li>
<li>Monitor CloudTrail logs for <code>AssumeRole</code> events where <code>aws.cloudtrail.user_identity.type</code> is <code>AssumedRole</code>, focusing on unusual or unexpected role combinations.</li>
<li>Implement least privilege policies for all IAM roles, limiting trust policies to only required principals. Periodically review role chaining patterns to validate necessity.</li>
<li>Use the <code>AWS STS Role Chaining</code> Sigma rule to identify potential role chaining attempts and investigate accordingly.</li>
<li>Correlate CloudTrail logs with other security events (e.g., GuardDuty alerts) to identify potential privilege escalation or data exfiltration activities following role chaining.</li>
<li>Enable MFA where possible on <code>AssumeRole</code> operations.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>sts</category><category>role-chaining</category><category>privilege-escalation</category><category>persistence</category></item><item><title>AWS CreateLoginProfile Activity Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-30-aws-create-login-profile/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-30-aws-create-login-profile/</guid><description>Detects the creation of AWS IAM login profiles, which can be indicative of new user creation or modifications by potentially malicious actors for privilege escalation or persistence.</description><content:encoded><![CDATA[<p>This brief focuses on detecting the creation of AWS IAM login profiles. While the source material provides limited context, the action itself—creating a login profile—can be a signal of interest. Attackers may create new IAM users or modify existing ones (creating login profiles if they don't exist) to establish persistence, escalate privileges, or move laterally within an AWS environment. Defenders should monitor these activities closely, especially if they deviate from established baselines or involve suspicious actors. The <code>aws_createloginprofile.yml</code> file suggests a detection rule exists within Splunk's security content framework to identify this behavior. Monitoring for this event can help identify potentially malicious activity in AWS environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> (Assumed) The attacker gains initial access to an AWS account, possibly through compromised credentials or an exposed API key (Not documented in source).</li>
<li><strong>Privilege Escalation:</strong> The attacker attempts to escalate their privileges within the AWS environment, either through exploiting misconfigurations or leveraging existing IAM roles (Not documented in source).</li>
<li><strong>IAM Manipulation:</strong> The attacker interacts with the AWS IAM service, specifically targeting user management (Observed - CreateLoginProfile).</li>
<li><strong>Create Login Profile:</strong> The attacker uses the <code>CreateLoginProfile</code> API call to create a login profile for a new or existing IAM user. This provides the user with console access, enabling interactive login.</li>
<li><strong>Persistence:</strong> The attacker leverages the newly created user with console access as a means of persistence within the AWS environment.</li>
<li><strong>Lateral Movement:</strong> The attacker uses the new or modified user to access other AWS resources or services, expanding their control within the environment.</li>
<li><strong>Data Exfiltration / Damage:</strong> (Assumed) The attacker utilizes their access to exfiltrate sensitive data or cause damage to the AWS infrastructure. (Not documented in source).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful creation of a login profile by a malicious actor can lead to unauthorized access to AWS resources, data breaches, and service disruption. Attackers may use these profiles to maintain persistence, escalate privileges, and move laterally within the AWS environment. The number of victims depends on the scope of the attacker's access and the sensitivity of the compromised resources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule for <code>AWS CreateLoginProfile Activity</code> to your SIEM and tune for your environment (Reference: <code>aws_createloginprofile.yml</code>).</li>
<li>Investigate any instances of <code>CreateLoginProfile</code> events, especially those performed by unfamiliar IAM entities, to validate legitimacy.</li>
<li>Monitor AWS CloudTrail logs for <code>CreateLoginProfile</code> events to ensure comprehensive visibility into IAM activity.</li>
<li>Enforce multi-factor authentication (MFA) for all IAM users to reduce the risk of credential compromise (General Security Best Practice).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>cloud</category><category>iam</category><category>privilege_escalation</category><category>persistence</category></item><item><title>AWS SAML Identity Provider Modification</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-saml-update-identity-provider/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-saml-update-identity-provider/</guid><description>An adversary may attempt to modify the AWS SAML Identity Provider configuration to potentially escalate privileges or disrupt federated access.</description><content:encoded><![CDATA[<p>This brief focuses on the potential modification of AWS SAML Identity Provider (IdP) configurations. While specific threat actors and campaigns are not detailed in the provided source, the action itself is a security concern. An attacker who gains sufficient privileges within an AWS environment might attempt to alter the SAML IdP settings to manipulate user access, potentially granting themselves elevated permissions or disrupting legitimate user authentication. This type of attack impacts cloud security by subverting federated identity management. Defenders should monitor for unexpected changes to SAML configurations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial compromise of an AWS account with sufficient permissions to modify IAM resources (e.g., via compromised credentials or an EC2 instance with an overly permissive role).</li>
<li>The attacker uses the AWS CLI or the AWS Management Console to list existing SAML Identity Providers.</li>
<li>The attacker identifies the target SAML Identity Provider to modify.</li>
<li>The attacker modifies the SAML metadata document associated with the Identity Provider, potentially injecting malicious claims or altering role mappings.</li>
<li>The attacker updates the SAML Identity Provider configuration in AWS IAM with the modified metadata document using the <code>UpdateSAMLIdentityProvider</code> API call.</li>
<li>The attacker tests the modified configuration to ensure it achieves the desired privilege escalation or access disruption.</li>
<li>Legitimate users attempt to authenticate via SAML, potentially receiving incorrect roles/permissions or being denied access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of an AWS SAML Identity Provider can have significant consequences. An attacker could escalate their privileges within the AWS environment, gaining access to sensitive data and resources. They may also disrupt legitimate user access, leading to denial-of-service conditions for federated users. While the scale of impact depends on the scope of the compromised AWS account and the criticality of the federated applications, this attack can severely compromise cloud security.</p>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>saml</category><category>identity-provider</category><category>privilege-escalation</category></item><item><title>AWS KMS Key User Performing S3 Encryption</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-kms-s3-encryption/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-kms-s3-encryption/</guid><description>Detection of AWS users employing KMS keys for S3 encryption, potentially indicating suspicious data handling within cloud environments.</description><content:encoded><![CDATA[<p>This detection focuses on identifying AWS Identity and Access Management (IAM) users who are actively utilizing Key Management Service (KMS) keys to encrypt data within Simple Storage Service (S3) buckets. While not inherently malicious, such activity warrants monitoring as it could signify insider threats, compromised accounts, or unauthorized data handling procedures. Attackers might leverage stolen credentials or compromised IAM roles to encrypt data using KMS, potentially as a precursor to data exfiltration or ransomware-like activity targeting cloud storage. This activity should be considered especially concerning if the KMS keys being used are outside the user's normal operational scope.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account, either through compromised credentials or exploiting a misconfigured IAM role.</li>
<li>The attacker enumerates available S3 buckets and identifies a target bucket containing sensitive data.</li>
<li>The attacker identifies or creates a KMS key within the AWS environment.</li>
<li>The attacker configures the target S3 bucket to use the identified KMS key for encryption of objects stored within it.</li>
<li>The attacker uploads or modifies objects within the S3 bucket, triggering encryption using the KMS key.</li>
<li>The attacker attempts to exfiltrate the encrypted data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation could lead to unauthorized access to sensitive data stored within S3 buckets. Depending on the nature of the data, this could result in financial losses, reputational damage, and legal repercussions. Furthermore, if the attacker controls the KMS key, they could render the data inaccessible, effectively holding it hostage. The impact can vary based on the scope of the compromised data and the attacker's objectives, potentially affecting customer data, intellectual property, or critical business information.</p>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>kms</category><category>s3</category><category>cloud</category><category>encryption</category></item><item><title>AWS IAM Group Deletion Failure</title><link>https://feed.craftedsignal.io/briefs/2024-01-29-aws-iam-group-deletion-failure/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-29-aws-iam-group-deletion-failure/</guid><description>Detection of a failed attempt to delete an AWS IAM group, which could indicate an attempt to remove audit trails or disrupt security policies.</description><content:encoded><![CDATA[<p>This alert detects a failed attempt to delete an AWS Identity and Access Management (IAM) group. While not inherently malicious, repeated or unusual failures in deleting IAM groups can indicate a potential security incident. An attacker might attempt to delete groups to remove permission boundaries, disrupt access control, or evade detection by deleting audit trails associated with the group. This activity is relevant for organizations heavily reliant on AWS IAM for access management and control. Defenders should investigate the reason for the failure and the identity attempting the deletion.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains access to an AWS account, potentially through compromised credentials or a misconfigured IAM role.</li>
<li><strong>Privilege Escalation (Attempt):</strong> The attacker attempts to escalate privileges to gain the necessary permissions to delete IAM groups. This could involve exploiting existing roles or policies.</li>
<li><strong>Reconnaissance:</strong> The attacker enumerates existing IAM groups within the AWS account to identify potential targets for deletion.</li>
<li><strong>IAM Group Deletion Attempt:</strong> The attacker attempts to delete a specific IAM group using the AWS CLI, API calls, or the AWS Management Console.</li>
<li><strong>Deletion Failure:</strong> The deletion attempt fails due to insufficient permissions, resource dependencies, or other IAM constraints.</li>
<li><strong>Retry or Lateral Movement:</strong> The attacker may retry the deletion with different credentials or attempt to move laterally within the AWS environment to gain the necessary permissions.</li>
<li><strong>Persistence (Alternative):</strong> If group deletion fails, attacker may attempt to modify group policies to weaken security posture</li>
<li><strong>Impact (Potential):</strong> Successful group deletion would alter permissions structure of the AWS environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A failed IAM group deletion, while not directly causing immediate damage, can signify ongoing malicious activity. If successful, deleting IAM groups can lead to unauthorized access to resources, disruption of services, and potential data breaches. The number of affected users and the severity of the impact depend on the privileges associated with the deleted groups. Targeted sectors include any organization leveraging AWS IAM for identity and access management. A successful attack could lead to significant financial losses and reputational damage.</p>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>iam</category><category>cloud</category><category>deletion</category></item><item><title>AWS IAM User Creates Access Keys For Another User</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-iam-access-key-creation/</link><pubDate>Tue, 23 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-iam-access-key-creation/</guid><description>An adversary with access to compromised AWS credentials may attempt to persist or escalate privileges by creating a new set of access keys for an existing IAM user, potentially leading to unauthorized access to resources and data.</description><content:encoded><![CDATA[<p>An adversary with compromised AWS credentials may attempt to persist or escalate privileges by creating new access keys for another IAM user. This activity is detected by monitoring AWS CloudTrail logs for the <code>CreateAccessKey</code> API call, where the calling user (identified by <code>aws.cloudtrail.user_identity.arn</code>) is different from the target user (<code>aws.cloudtrail.request_parameters.userName</code>). The rule focuses on identifying actions that deviate from normal administrative workflows, such as expected credential rotation or account provisioning systems. Successful exploitation allows an attacker to maintain access even if the original compromised credentials are changed and enables lateral movement within the AWS environment, potentially impacting data confidentiality and integrity. This activity aligns with MITRE ATT&amp;CK techniques T1098 (Account Manipulation) and its sub-technique T1098.001 (Additional Cloud Credentials).</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to an AWS account using compromised credentials (e.g., leaked access keys or credentials obtained through phishing).</li>
<li>The attacker authenticates to the AWS environment using the compromised credentials, leveraging the AWS CLI or API.</li>
<li>The attacker identifies a target IAM user for persistence or privilege escalation.</li>
<li>The attacker invokes the <code>CreateAccessKey</code> API call, specifying the target IAM user's username in the <code>aws.cloudtrail.request_parameters.userName</code> field, while using the compromised credentials in the <code>aws.cloudtrail.user_identity.arn</code> to authenticate.</li>
<li>AWS IAM service processes the <code>CreateAccessKey</code> request and generates a new access key ID and secret access key pair for the target user.</li>
<li>The attacker retrieves the new access key ID (<code>aws.cloudtrail.response_elements.accessKey.accessKeyId</code>) and secret access key from the API response.</li>
<li>The attacker uses the newly created access keys to authenticate as the target user and perform unauthorized actions, such as accessing S3 buckets or launching EC2 instances.</li>
<li>The attacker maintains persistent access to the AWS environment, even if the original compromised credentials are rotated or revoked.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows the attacker to maintain persistent access to the AWS environment. The attacker can then perform unauthorized actions as the target user, potentially leading to data breaches, resource hijacking, and service disruption. Depending on the privileges associated with the target IAM user, the attacker could escalate privileges, access sensitive data stored in S3 buckets, or launch malicious EC2 instances. The impact is highly dependent on the permissions assigned to the compromised IAM user, the level of access achieved, and the sensitivity of the data and resources involved.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the following Sigma rules to your SIEM to detect suspicious IAM access key creation events. Tune the rules based on your environment and expected administrative activity.</li>
<li>Monitor AWS CloudTrail logs for <code>CreateAccessKey</code> API calls where the calling user differs from the target user (identified by <code>aws.cloudtrail.user_identity.arn</code> and <code>aws.cloudtrail.request_parameters.userName</code> respectively).</li>
<li>Implement least-privilege IAM policies to limit the ability of users to create access keys for other users.</li>
<li>Enforce multi-factor authentication (MFA) for all IAM users, especially those with administrative privileges.</li>
<li>Review and audit IAM policies regularly to ensure they adhere to the principle of least privilege.</li>
<li>Follow the guidance in the AWS IR Playbooks for Credential Compromise and IAM Misuse for incident response procedures.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>iam</category><category>persistence</category><category>privilege-escalation</category></item><item><title>AWS Virtual MFA Device Registration Attempt</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-virtual-mfa/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-virtual-mfa/</guid><description>An adversary attempts to register a virtual MFA device to an AWS account, potentially leading to account takeover and unauthorized access to resources.</description><content:encoded><![CDATA[<p>This threat brief focuses on the potential for an adversary to register a virtual Multi-Factor Authentication (MFA) device with an AWS account they have compromised, or are attempting to compromise. While the source document is merely a pointer to a detection rule repository and not a threat advisory, the capability to monitor for virtual MFA registration can alert on account takeover attempts. Attackers can leverage compromised credentials or other vulnerabilities to gain initial access, then attempt to add their own MFA device, bypassing existing security controls and establishing persistent access. This action allows the attacker to control the account even if the original password is changed or other security measures are put in place. Early detection of this behavior is crucial to preventing further damage.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains access to AWS account credentials through phishing, credential stuffing, or other means.</li>
<li><strong>Login Attempt:</strong> The attacker attempts to log into the AWS Management Console or uses the AWS CLI with the compromised credentials.</li>
<li><strong>Verification Check:</strong> The system prompts for MFA if enabled for the user. If not enabled, the attacker proceeds to enable it.</li>
<li><strong>Register MFA:</strong> The attacker initiates the process of registering a new virtual MFA device within the AWS IAM settings.</li>
<li><strong>QR Code/Secret Key Retrieval:</strong> The attacker retrieves the QR code or secret key required to activate the virtual MFA device on their own device.</li>
<li><strong>Virtual MFA Activation:</strong> The attacker uses an authenticator app (e.g., Google Authenticator, Authy) to scan the QR code or manually enters the secret key, generating a time-based one-time password (TOTP).</li>
<li><strong>MFA Verification:</strong> The attacker enters the TOTP into the AWS console to successfully register the virtual MFA device.</li>
<li><strong>Persistence:</strong> The attacker now has persistent access to the AWS account, bypassing original MFA configuration and maintains access even if the password changes.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful registration of a rogue virtual MFA device grants the attacker persistent access to the AWS account. This can lead to unauthorized access to sensitive data, modification of AWS resources, deployment of malicious workloads, or even complete account takeover, resulting in significant financial loss, data breaches, and reputational damage. Organizations in all sectors that rely on AWS infrastructure are vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule &quot;Detect AWS Virtual MFA Device Registration&quot; to your SIEM and tune for your environment to alert on successful registrations.</li>
<li>Monitor AWS CloudTrail logs for <code>CreateVirtualMFADevice</code> events to detect the creation of new virtual MFA devices (reference log source in Sigma rule).</li>
<li>Investigate any alerts generated by the Sigma rule by validating the source IP addresses and user agents associated with MFA device registration attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>persistence</category><category>mfa</category><category>account_takeover</category></item><item><title>AWS SAML Identity Provider Update Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-saml-update/</link><pubDate>Tue, 09 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-saml-update/</guid><description>Detection of unauthorized updates to AWS SAML identity providers using CloudTrail logs, potentially indicating compromised federated credentials and unauthorized access.</description><content:encoded><![CDATA[<p>This brief focuses on detecting unauthorized modifications to SAML identity providers within Amazon Web Services (AWS). The technique leverages the <code>UpdateSAMLProvider</code> API call captured in AWS CloudTrail logs. Threat actors may target SAML configurations to establish persistence, bypass multi-factor authentication (MFA), and gain privileged access to cloud resources. The update of a SAML provider, when unauthorized, signifies a high-risk event, potentially leading to the compromise of federated identities and subsequent data breaches. This activity is particularly concerning given the increasing reliance on federated identity for accessing cloud environments and the potential for widespread impact following a successful breach. This brief provides detection rules and recommendations to identify and mitigate this threat.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker compromises an AWS account with sufficient privileges to modify SAML identity providers. This might involve exploiting a vulnerability, using stolen credentials, or through social engineering.</li>
<li><strong>Privilege Escalation (If Needed):</strong> The compromised account may require privilege escalation to gain the necessary permissions to modify the SAML provider.</li>
<li><strong>Discovery:</strong> The attacker enumerates existing SAML identity providers in the AWS environment to identify a target for modification.</li>
<li><strong>Credential Access:</strong> The attacker modifies the SAML provider configuration to inject malicious assertions or redirect authentication to an attacker-controlled endpoint (Golden SAML).</li>
<li><strong>Persistence:</strong> By modifying the SAML provider, the attacker establishes a persistent backdoor, allowing them to authenticate as any user within the federated domain.</li>
<li><strong>Lateral Movement:</strong> The attacker uses the forged SAML assertions to move laterally within the AWS environment, accessing resources and services under the guise of legitimate users.</li>
<li><strong>Data Exfiltration / Impact:</strong> The attacker accesses sensitive data, compromises critical systems, or disrupts services based on the compromised federated identities.</li>
<li><strong>Covering Tracks:</strong> The attacker may attempt to disable or modify CloudTrail logs to hide their activity.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of a SAML identity provider can have severe consequences, potentially affecting all users and resources that rely on the compromised provider. This can lead to unauthorized access to sensitive data, disruption of critical services, and significant financial losses. The impact can extend beyond the immediate breach, potentially affecting downstream systems and partner organizations that rely on the compromised AWS environment. The CISA alert AA21-008A highlights the risks associated with Golden SAML attacks, underscoring the importance of detecting and preventing such activity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule <code>AWS SAML Provider Updated</code> to detect unauthorized modifications to SAML identity providers by monitoring <code>UpdateSAMLProvider</code> events in CloudTrail logs.</li>
<li>Investigate any detected <code>UpdateSAMLProvider</code> events for unexpected source IP addresses, user agents, or IAM roles. Correlate with other security events to identify potentially compromised accounts.</li>
<li>Implement strict access controls and multi-factor authentication (MFA) for all IAM users and roles, particularly those with permissions to manage SAML identity providers.</li>
<li>Regularly review and audit SAML identity provider configurations for any unauthorized changes or suspicious activity.</li>
<li>Monitor for suspicious activity originating from the source IP addresses identified in the detection rule (<code>src_endpoint.ip</code>).</li>
<li>Enable and monitor AWS CloudTrail logs for all AWS accounts and regions to ensure comprehensive logging of API activity.</li>
<li>Use the provided drilldown searches to investigate detection results for specific users.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>saml</category><category>identity-federation</category><category>cloud</category></item><item><title>AWS User Login Profile Update by Different User</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-login-profile-update/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-login-profile-update/</guid><description>A user updating the login profile of another user in AWS CloudTrail logs may indicate privilege escalation attempts.</description><content:encoded><![CDATA[<p>This activity monitors AWS CloudTrail logs for instances where a user updates the login profile of another user. The detection identifies UpdateLoginProfile events where the user making the change (userIdentity.userName) differs from the user whose profile is being updated (requestParameters.userName). This is critical for defenders because it might signify malicious activity, such as privilege escalation. Attackers might attempt to use compromised or lower-privilege accounts to modify the login profiles of higher-privilege accounts, potentially leading to unauthorized access and control within the AWS environment. This activity is detectable in AWS CloudTrail logs and requires the AWS add-on for Splunk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, possibly through credential compromise or other means.</li>
<li>The attacker identifies a target user account with higher privileges or valuable access rights.</li>
<li>The attacker uses the compromised account to execute the &quot;UpdateLoginProfile&quot; AWS API call.</li>
<li>In the UpdateLoginProfile request, the attacker specifies the target user's username (requestParameters.userName) but uses the compromised account's credentials (userIdentity.userName).</li>
<li>The AWS CloudTrail logs record the UpdateLoginProfile event, capturing the discrepancy between the user making the request and the user whose profile is being modified.</li>
<li>Successful modification of the login profile allows the attacker to reset passwords, change MFA settings, or otherwise control the target user's account.</li>
<li>The attacker leverages the now-compromised higher-privilege account to access sensitive data or resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to privilege escalation, where an attacker gains unauthorized access and control over critical AWS resources. This could result in data breaches, service disruption, or financial loss. The exact impact depends on the privileges associated with the compromised target account. Organizations using AWS are vulnerable if their IAM policies are not correctly configured or if user accounts are compromised.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS Login Profile Update by Different User</code> to your SIEM and tune for your environment to detect suspicious UpdateLoginProfile events.</li>
<li>Investigate any alerts generated by the <code>AWS Login Profile Update by Different User</code> Sigma rule, focusing on the user accounts involved and the source of the API call.</li>
<li>Review IAM policies to ensure least privilege and restrict the ability of users to modify other users' login profiles.</li>
<li>Monitor AWS CloudTrail logs for any unusual or unauthorized API calls related to IAM or user management.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>cloudtrail</category><category>iam</category><category>privilege-escalation</category></item><item><title>AWS Multi-Factor Authentication Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-mfa-disabled/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-mfa-disabled/</guid><description>Detection of AWS Multi-Factor Authentication (MFA) being disabled for an IAM user, indicating potential weakening of account security and persistence attempts.</description><content:encoded><![CDATA[<p>This threat brief addresses the potential for attackers to disable Multi-Factor Authentication (MFA) on AWS IAM accounts. The activity is detected through AWS CloudTrail logs by monitoring for <code>DeleteVirtualMFADevice</code> or <code>DeactivateMFADevice</code> events. This activity, while potentially legitimate, is a critical indicator of compromise because disabling MFA significantly reduces the security posture of an AWS account. An attacker with compromised credentials might disable MFA to establish persistence and retain unauthorized access to AWS resources. Successfully disabling MFA allows attackers to move laterally within the AWS environment and conduct malicious activities without triggering MFA-based security controls. This is particularly concerning if the affected account has privileged access.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS IAM user's credentials, potentially through credential stuffing or phishing.</li>
<li>The attacker authenticates to the AWS Management Console or via the AWS CLI using the compromised credentials.</li>
<li>The attacker identifies that MFA is enabled on the compromised account.</li>
<li>The attacker initiates the <code>DeactivateMFADevice</code> API call to remove the MFA association from the user account.</li>
<li>Alternatively, the attacker initiates the <code>DeleteVirtualMFADevice</code> API call to delete the virtual MFA device.</li>
<li>AWS CloudTrail logs the <code>DeactivateMFADevice</code> or <code>DeleteVirtualMFADevice</code> event.</li>
<li>With MFA disabled, the attacker maintains persistent access to the AWS environment.</li>
<li>The attacker performs unauthorized actions, such as data exfiltration, resource modification, or lateral movement, without MFA protection.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful disabling of MFA on an AWS IAM account can lead to significant security breaches. The attacker gains persistent access to the AWS environment, enabling data exfiltration, unauthorized resource modification, and lateral movement. This can result in data loss, service disruption, and financial damages. The impact is amplified if the compromised account has administrative privileges, potentially affecting critical AWS services and resources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect AWS MFA Deactivation</code> to your SIEM and tune for your environment.</li>
<li>Enable AWS CloudTrail logging and ensure logs are being ingested into your SIEM to detect the events described in this brief.</li>
<li>Investigate any instances of <code>DeleteVirtualMFADevice</code> or <code>DeactivateMFADevice</code> events in AWS CloudTrail to determine if they are legitimate administrative actions.</li>
<li>Implement strict MFA enforcement policies and regularly audit MFA status across all IAM users to prevent unauthorized disabling of MFA.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>cloudtrail</category><category>mfa</category><category>iam</category><category>persistence</category></item><item><title>AWS Login Profile Creation Activity</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-login-profile-creation/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-login-profile-creation/</guid><description>Monitoring AWS login profile creation events can help identify potentially malicious user or role creation activities within an AWS environment.</description><content:encoded><![CDATA[<p>The creation of AWS login profiles is a fundamental administrative action, but it can also be exploited by malicious actors to establish persistent access or escalate privileges within an AWS environment. Monitoring these events allows security teams to detect suspicious or unauthorized activities related to user and role management. Understanding who is creating these profiles and under what circumstances can provide valuable insights into the security posture of the AWS environment. This activity is important for defenders to monitor, as attackers will attempt to persist and escalate privileges in the cloud environment to conduct further attacks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, potentially through compromised credentials or a misconfigured IAM role (T1078).</li>
<li>The attacker leverages existing AWS CLI or SDK tools to interact with the AWS environment.</li>
<li>The attacker calls the <code>CreateLoginProfile</code> API to create a new user login profile using the compromised or misused credentials or role (T1098).</li>
<li>The attacker configures password policies or other settings for the newly created user, ensuring continued access (T1543).</li>
<li>The newly created user is then used to perform reconnaissance activities, such as listing resources, identifying sensitive data stores, or mapping network configurations.</li>
<li>Privilege escalation is attempted by assigning the new user to groups or roles with broader permissions.</li>
<li>Sensitive data is accessed, exfiltrated, or manipulated using the newly escalated privileges (TA0009).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation via unauthorized login profile creation can lead to significant data breaches, service disruption, and reputational damage. The impact ranges from unauthorized access to sensitive data and resources to the complete compromise of the AWS environment, depending on the permissions granted to the newly created or modified user accounts.</p>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>iam</category><category>cloud</category><category>privilege-escalation</category></item><item><title>AWS IAM Policy Version Created Allowing Access to All Resources</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-policy-all-resources/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-policy-all-resources/</guid><description>An AWS IAM policy version allowing access to all resources has been created, potentially leading to privilege escalation and unauthorized actions.</description><content:encoded><![CDATA[<p>This alert identifies the creation of a new AWS IAM policy version that grants broad permissions to all resources. The detection focuses on AWS CloudTrail logs and specifically looks for <code>CreatePolicyVersion</code> events where the associated policy document includes statements that allow all actions (<code>&quot;Action&quot;: &quot;*&quot;</code>) on all resources (<code>&quot;Resource&quot;: &quot;*&quot;</code>) within an AWS environment. This activity is concerning because it violates the principle of least privilege, significantly increasing the risk of unauthorized access and abuse. While AWS admins might create such policies legitimately, it is strongly advised against, and the activity must be verified.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises an AWS account or obtains valid credentials.</li>
<li>The attacker authenticates to the AWS Management Console or uses the AWS CLI with the compromised credentials.</li>
<li>The attacker uses the <code>CreatePolicyVersion</code> API call to create a new version of an existing IAM policy.</li>
<li>The policy document included in the <code>CreatePolicyVersion</code> API call specifies <code>Action: &quot;*&quot;</code> and <code>Resource: &quot;*&quot;</code> effectively granting all permissions on all resources.</li>
<li>The attacker attaches the modified IAM policy to a user, group, or role.</li>
<li>The user, group, or role now has excessive permissions, allowing them to perform actions they were not previously authorized to do.</li>
<li>The attacker leverages these elevated privileges to perform unauthorized actions, such as accessing sensitive data, modifying critical infrastructure, or launching new resources.</li>
<li>The attacker may further escalate privileges or move laterally within the AWS environment, compromising additional resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows an attacker to gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment. The principle of least privilege is violated, potentially exposing the environment to misuse or abuse. The scope of the impact depends on the level of access granted by the overly permissive policy. It could lead to complete compromise of the AWS environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS IAM Policy Allows All Actions on All Resources</code> to detect the creation of overly permissive IAM policies based on CloudTrail logs.</li>
<li>Review all instances flagged by the Sigma rule and verify the legitimacy of the policy changes.</li>
<li>Implement IAM Access Analyzer to identify existing IAM policies that grant overly broad access (reference: AWS documentation).</li>
<li>Enforce the principle of least privilege by granting only the permissions required to perform specific tasks (reference: AWS documentation).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>iam</category><category>privilege-escalation</category><category>cloudtrail</category></item><item><title>AWS IAM Policy Default Version Manipulation</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-setdefaultpolicyversion/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-setdefaultpolicyversion/</guid><description>An adversary may set a default policy version in AWS IAM to potentially escalate privileges, especially if previous policy versions granted broader permissions, leading to unauthorized access and data breaches.</description><content:encoded><![CDATA[<p>This brief focuses on the potential misuse of the <code>SetDefaultPolicyVersion</code> API call within AWS Identity and Access Management (IAM). An attacker who has already gained initial access to an AWS account might attempt to manipulate IAM policies to elevate their privileges. By setting a default policy version, the attacker may revert to a previous, more permissive version of the policy, effectively granting themselves broader access than intended. The activity is detected via CloudTrail logs, specifically looking for the <code>SetDefaultPolicyVersion</code> event sourced from <code>iam.amazonaws.com</code>. Successful exploitation can lead to significant data breaches and unauthorized resource access within the AWS environment. This technique is relevant for all AWS environments and requires careful monitoring of IAM activities.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to an AWS account, possibly through compromised credentials or a vulnerability in an application with IAM roles.</li>
<li>The attacker enumerates existing IAM policies to identify potential targets for manipulation.</li>
<li>The attacker identifies policy versions with more permissive settings than the currently active version.</li>
<li>The attacker calls the <code>SetDefaultPolicyVersion</code> API to revert to a previous policy version with the broader permissions. The event <code>SetDefaultPolicyVersion</code> is logged in CloudTrail.</li>
<li>The attacker attempts to perform actions that were previously unauthorized but are now permitted due to the changed policy version.</li>
<li>The attacker exploits the elevated privileges to access sensitive data stored in S3 buckets, databases, or other AWS resources.</li>
<li>The attacker exfiltrates the stolen data to an external location.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to unauthorized access to sensitive data, potentially impacting thousands or millions of users depending on the organization's data storage practices. Industries like finance, healthcare, and government are particularly at risk due to the sensitive nature of their data. The attacker can also use the elevated privileges to disrupt services, modify configurations, or deploy malicious infrastructure within the compromised AWS environment. The damage can range from data breaches and financial losses to reputational damage and compliance violations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect AWS IAM Policy Default Version Change</code> to your SIEM and tune for your environment to detect suspicious activity (logsource: <code>aws:cloudtrail</code>, eventName: <code>SetDefaultPolicyVersion</code>).</li>
<li>Investigate any instances of <code>SetDefaultPolicyVersion</code> where the user is not a designated IAM administrator.</li>
<li>Review the policy versions being set as default to ensure they adhere to the principle of least privilege.</li>
<li>Implement multi-factor authentication (MFA) for all IAM users to reduce the risk of credential compromise (T1078.004).</li>
<li>Enable and monitor AWS CloudTrail logs for IAM-related events to provide visibility into policy changes.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>iam</category><category>privilege-escalation</category><category>defense-evasion</category></item><item><title>AWS IAM MFA Device Deactivation</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-iam-mfa-deactivation/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-iam-mfa-deactivation/</guid><description>Detection of AWS IAM MFA device deactivation via the `DeactivateMFADevice` API call, which could indicate an attempt to weaken account protections for privilege escalation or persistence.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of Multi-Factor Authentication (MFA) device deactivation within AWS Identity and Access Management (IAM). Adversaries, or compromised administrators, may attempt to deactivate MFA devices to weaken account protections, disable strong authentication, and potentially escalate privileges or establish persistence within the AWS environment. The detection strategy hinges on monitoring successful <code>DeactivateMFADevice</code> API calls, which represent the event when MFA protection is actively removed from an IAM user. Successful deactivation of MFA makes an AWS account more vulnerable to credential theft and unauthorized access, especially for privileged accounts. Defenders need to be aware of legitimate MFA deactivation events like device rotation or user offboarding, which can cause false positives.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial compromise of an IAM user's credentials through phishing or credential stuffing.</li>
<li>Attacker logs into the AWS environment using compromised credentials.</li>
<li>Attacker enumerates MFA devices associated with the target IAM user by using API calls like <code>ListMFADevices</code>.</li>
<li>Attacker calls <code>DeactivateMFADevice</code> to remove the MFA requirement for the targeted user.</li>
<li>The AWS IAM service processes the <code>DeactivateMFADevice</code> request and, if authorized based on the attacker's privileges, removes the MFA association.</li>
<li>Attacker may then create new access keys (<code>CreateAccessKey</code>) or modify IAM policies (<code>AttachUserPolicy</code>) to further their access.</li>
<li>Attacker accesses sensitive AWS resources, such as S3 buckets or EC2 instances, without MFA.</li>
<li>Attacker establishes persistence by creating backdoors or modifying IAM roles to maintain access after the initial compromise is detected.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful MFA deactivation can lead to unauthorized access to sensitive data, service disruption, or complete account takeover. The impact is magnified when privileged accounts are targeted. The lack of MFA significantly reduces the security posture of the affected AWS account, making it easier for attackers to move laterally within the AWS environment and exfiltrate data. Organizations relying heavily on AWS services could face significant financial losses and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS IAM MFA Deactivation</code> to detect successful <code>DeactivateMFADevice</code> API calls (see rule below).</li>
<li>Investigate any detected <code>DeactivateMFADevice</code> events by reviewing <code>aws.cloudtrail.user_identity.arn</code> and <code>source.ip</code> to determine the initiator and origin.</li>
<li>Enable AWS CloudTrail logging and monitor for IAM configuration changes, focusing on events related to MFA device management.</li>
<li>Enforce MFA for all IAM users, particularly those with elevated privileges, using service control policies (SCPs).</li>
<li>Implement automated alerts for unusual IAM activity, such as MFA deactivation outside of business hours or from unfamiliar IP addresses.</li>
<li>Review CloudTrail logs for related API calls like <code>ListMFADevices</code>, <code>CreateAccessKey</code>, or <code>AttachUserPolicy</code> following the <code>DeactivateMFADevice</code> event.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>iam</category><category>mfa</category><category>deactivation</category><category>cloudtrail</category></item><item><title>AWS IAM Default Policy Version Modification</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-iam-policy-version/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-iam-policy-version/</guid><description>An adversary modifies the default version of an AWS IAM policy, potentially downgrading security or disrupting access control.</description><content:encoded><![CDATA[<p>The modification of the default AWS IAM policy version can be an indicator of malicious activity, potentially performed by an insider threat or an attacker who has gained unauthorized access to an AWS account. While the provided source material lacks specific details on observed campaigns, the ability to modify the default policy version allows for subtle changes to permissions that may go unnoticed. An attacker could revert to a less restrictive version of a policy or introduce a new, permissive version as the default, thereby weakening the security posture of the AWS environment. This can facilitate privilege escalation, data exfiltration, or other malicious activities. Detecting such modifications is crucial for maintaining the integrity and security of AWS environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains access to AWS Management Console or uses compromised AWS CLI credentials.</li>
<li>Attacker identifies a target IAM policy to modify, querying IAM policies to find a suitable target.</li>
<li>Attacker retrieves the current default policy version ARN using AWS API calls.</li>
<li>Attacker crafts a modified IAM policy version with reduced permissions or unintended access.</li>
<li>Attacker creates a new IAM policy version using the AWS API, while keeping the original intact.</li>
<li>Attacker uses the <code>aws iam set-default-policy-version</code> command to set the newly crafted policy version as the default.</li>
<li>Legitimate users or services relying on the IAM policy now operate under the modified (potentially weakened) permissions.</li>
<li>Attacker leverages the broadened permissions for lateral movement, data access, or other malicious objectives.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of the default IAM policy version can lead to privilege escalation, unauthorized access to sensitive data, and potential disruption of services relying on the affected policy. The impact depends on the scope of the policy and the permissions altered. A successful attack can affect multiple AWS services and resources governed by the modified policy. The change can be subtle and persist for a long time if not detected, leading to significant data breaches or service outages.</p>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>iam</category><category>policy</category></item><item><title>AWS Account Console Login Without MFA</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-single-factor-auth/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-single-factor-auth/</guid><description>Detection of successful AWS console login events without multi-factor authentication (MFA) enabled, potentially indicating misconfiguration, policy violation, or account compromise.</description><content:encoded><![CDATA[<p>This brief focuses on detecting successful AWS console logins that bypass multi-factor authentication (MFA). The absence of MFA during console login attempts is flagged using AWS CloudTrail logs. This activity is a red flag because it can indicate a misconfiguration in AWS IAM settings, a violation of security policies, or an active account takeover attempt. An attacker who successfully breaches an AWS account without MFA can potentially escalate privileges, exfiltrate sensitive data, or manipulate cloud resources, leading to significant business disruption. The detection leverages the <code>aws:cloudtrail</code> sourcetype.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access to an AWS account's username and password through credential harvesting (T1586.003) or other means.</li>
<li>Login Attempt: The attacker attempts to log in to the AWS Management Console using the compromised credentials.</li>
<li>MFA Bypass: If MFA is not enforced for the account, the attacker successfully logs in without providing a second factor.</li>
<li>Privilege Escalation: The attacker attempts to escalate privileges within the AWS environment by exploiting misconfigured IAM roles or policies.</li>
<li>Resource Access: The attacker accesses sensitive AWS resources, such as S3 buckets, EC2 instances, or databases.</li>
<li>Data Exfiltration: The attacker exfiltrates sensitive data from compromised AWS resources to an external location.</li>
<li>Resource Manipulation: The attacker modifies or deletes AWS resources, causing disruption or damage to the environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful AWS account compromise due to the absence of MFA can have severe consequences. These include unauthorized access to sensitive data, potential data exfiltration, resource manipulation, and significant financial losses. The impact can extend to compliance violations, reputational damage, and disruption of critical business operations. The analytic story &quot;AWS Identity and Access Management Account Takeover&quot; highlights this threat.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and enforce MFA for all AWS IAM users to mitigate the risk of account compromise (reference: <a href="https://aws.amazon.com/what-is/mfa/)">https://aws.amazon.com/what-is/mfa/)</a>.</li>
<li>Deploy the Sigma rule <code>AWS Console Login Without MFA</code> to detect successful console logins without MFA based on AWS CloudTrail logs.</li>
<li>Investigate any detected instances of successful single-factor authentication to determine the legitimacy of the login attempt.</li>
<li>Review and strengthen AWS IAM policies to minimize the potential for privilege escalation (related to T1078.004).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>cloud</category><category>iam</category><category>authentication</category><category>account-takeover</category></item><item><title>AWS Account Compromise via New MFA Registration</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-new-mfa/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-new-mfa/</guid><description>An adversary may register a new Multi-Factor Authentication (MFA) method for an AWS account using the `CreateVirtualMFADevice` event in AWS CloudTrail logs to maintain persistence and evade detection in a compromised AWS account.</description><content:encoded><![CDATA[<p>This threat brief focuses on the potential for adversaries to register new MFA methods in compromised AWS accounts to maintain persistent access and evade detection. The technique involves leveraging the <code>CreateVirtualMFADevice</code> event logged by AWS CloudTrail. An attacker who has gained initial access to an AWS account can register a new MFA device, effectively locking out legitimate users and securing their own access to the environment. This activity is critical because it allows attackers to maintain a foothold, making subsequent unauthorized activities more difficult to detect and remediate. This can lead to data breaches, resource hijacking, and other malicious activities. The scope of targeting includes any AWS account without adequate MFA monitoring and alerting in place.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains initial access to an AWS account through compromised credentials (e.g., stolen passwords or leaked API keys).</li>
<li><strong>Privilege Escalation (if needed):</strong> The attacker escalates privileges within the AWS account to obtain the necessary permissions to create MFA devices.</li>
<li><strong>Identify Target User:</strong> The attacker identifies a user account (potentially an administrator account) to associate the new MFA device with.</li>
<li><strong>Create Virtual MFA Device:</strong> The attacker invokes the <code>CreateVirtualMFADevice</code> API call to create a new virtual MFA device.</li>
<li><strong>Associate MFA Device:</strong> The attacker associates the newly created virtual MFA device with the target user account.</li>
<li><strong>Activate MFA Device:</strong> The attacker activates the virtual MFA device using the activation code.</li>
<li><strong>Persistence:</strong> With the new MFA device activated, the attacker now has persistent access to the AWS account, even if the original compromised credentials are revoked.</li>
<li><strong>Lateral Movement/Data Exfiltration:</strong> Using the persistent access, the attacker moves laterally within the AWS environment, accesses sensitive data, and potentially exfiltrates it.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised AWS accounts can lead to significant data breaches, denial of service, and financial losses. If an attacker successfully registers a new MFA device, they can effectively lock out legitimate users and maintain persistent access. This can lead to the exfiltration of sensitive data, modification or deletion of critical resources, and the deployment of malicious workloads. The impact is especially high for organizations that rely heavily on AWS for their infrastructure and services.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS New Virtual MFA Device Creation</code> to detect the <code>CreateVirtualMFADevice</code> event in AWS CloudTrail logs.</li>
<li>Investigate any alerts generated by the Sigma rule, paying close attention to the user, source IP address, and user agent associated with the event.</li>
<li>Implement multi-factor authentication (MFA) for all AWS users, especially those with administrative privileges, as described in the AWS documentation.</li>
<li>Monitor AWS CloudTrail logs for other suspicious activities, such as unusual API calls or unauthorized access attempts.</li>
<li>Review and enforce least privilege access controls to limit the impact of compromised credentials.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>cloudtrail</category><category>mfa</category><category>persistence</category></item><item><title>Detection of Public AWS S3 Bucket Creation via CLI</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-s3-public-bucket/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-s3-public-bucket/</guid><description>An AWS user creates a publicly accessible S3 bucket by using the AWS CLI to set permissive ACLs, potentially leading to unauthorized data access and data breaches.</description><content:encoded><![CDATA[<p>This brief focuses on the detection of publicly accessible Amazon S3 buckets created via the AWS Command Line Interface (CLI). The creation of public S3 buckets is a common security misconfiguration that can lead to sensitive data exposure. This activity is detected by analyzing AWS CloudTrail logs for <code>PutBucketAcl</code> events where the bucket's access control list (ACL) is configured to grant read, write, or full control to &quot;AuthenticatedUsers&quot; or &quot;AllUsers.&quot; This activity is particularly important to monitor because it represents a direct path for unauthorized access to data stored within the S3 bucket. The detection logic is based on the Splunk Security Content analytic &quot;Detect New Open S3 Buckets over AWS CLI&quot; (version 9, published April 15, 2026). Successfully exploited public buckets can lead to data exfiltration, data corruption, or other malicious activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains access to valid AWS credentials, potentially through compromised user accounts or leaked API keys.</li>
<li>The attacker uses the AWS CLI to create a new S3 bucket using the <code>aws s3api create-bucket</code> command.</li>
<li>The attacker then uses the <code>aws s3api put-bucket-acl</code> command to modify the bucket's Access Control List (ACL).</li>
<li>In the <code>put-bucket-acl</code> command, the attacker sets permissions to grant read, write, or full control to &quot;AuthenticatedUsers&quot; or &quot;AllUsers&quot; by manipulating the <code>x-amz-grant-read</code>, <code>x-amz-grant-write</code>, and <code>x-amz-grant-full-control</code> parameters.</li>
<li>AWS CloudTrail logs the <code>PutBucketAcl</code> event, capturing details of the user, bucket name, and ACL configuration.</li>
<li>The attacker uploads sensitive data to the newly created, publicly accessible S3 bucket.</li>
<li>Unauthorized users or automated bots discover the public S3 bucket and access the exposed data.</li>
<li>The attacker exfiltrates the publicly available data, or modifies/corrupts data within the bucket.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Creation of publicly accessible S3 buckets can lead to severe data breaches. Unauthorized access to sensitive data stored in these buckets can result in financial loss, reputational damage, and legal liabilities. The number of affected individuals or organizations can vary widely, depending on the type and amount of data exposed. Public buckets can be indexed by search engines, further increasing the risk of unauthorized access. Data exfiltration or corruption can severely disrupt business operations and erode customer trust.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Detect Public AWS S3 Bucket Creation via CLI&quot; to your SIEM and tune for your environment to detect the described activity based on CloudTrail logs.</li>
<li>Review and harden IAM policies to restrict the ability of users and roles to modify S3 bucket ACLs, preventing unintended public access.</li>
<li>Regularly audit existing S3 buckets to identify and remediate any publicly accessible buckets, using AWS Trusted Advisor or similar tools.</li>
<li>Implement automated monitoring and alerting for S3 bucket ACL changes using AWS CloudWatch Events and Lambda functions.</li>
<li>Enforce the principle of least privilege by granting only necessary permissions to users and roles, minimizing the risk of accidental or malicious misconfiguration.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>s3</category><category>cloudtrail</category><category>misconfiguration</category><category>data-breach</category></item></channel></rss>