{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/ec2/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["EC2"],"_cs_severities":["high"],"_cs_tags":["attack.privilege-escalation","attack.initial-access","attack.persistence","attack.stealth","attack.t1078","attack.t1078.002"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis activity focuses on the potential misuse of AWS Instance Metadata Service (IMDS) credentials. When an EC2 instance is compromised, an attacker can extract the temporary credentials stored within the IMDS. These credentials, associated with an assumed role, grant the attacker the ability to interact with other AWS services. The abnormal use of these credentials outside of the expected AWS Simple Systems Manager (SSM) service may indicate malicious activity such as lateral movement, data exfiltration, or resource compromise. This is particularly concerning when the compromised instance is being used as a pivot point to access other AWS resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn EC2 instance is compromised through an initial access vector (e.g., software vulnerability, misconfiguration, or credential compromise).\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the compromised EC2 instance\u0026rsquo;s operating system.\u003c/li\u003e\n\u003cli\u003eThe attacker queries the IMDS endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/) to obtain temporary AWS credentials associated with the instance\u0026rsquo;s IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker configures their local AWS CLI or SDK with the exfiltrated credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to perform actions against other AWS services using the exfiltrated credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges or move laterally within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access, modify, or exfiltrate sensitive data from other AWS services.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by creating new IAM users or roles with excessive permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data stored in AWS services such as S3, DynamoDB, and RDS. This could result in data breaches, financial loss, and reputational damage. Attackers can also leverage the compromised credentials to pivot to other AWS resources, potentially impacting critical infrastructure and services. Organizations with lax security configurations and overly permissive IAM roles are at higher risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure\u0026rdquo; to your SIEM and tune for your environment to detect anomalous use of IMDS credentials.\u003c/li\u003e\n\u003cli\u003eReview and restrict IAM roles assigned to EC2 instances to follow the principle of least privilege, limiting the scope of potential damage from credential exfiltration.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for unusual API calls originating from EC2 instances with assumed roles, specifically those not related to SSM.\u003c/li\u003e\n\u003cli\u003eHarden EC2 instances to prevent initial compromise by applying security patches, configuring strong authentication, and regularly scanning for vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-11T00:00:00Z","date_published":"2024-07-11T00:00:00Z","id":"/briefs/2024-07-aws-imds-abuse/","summary":"Compromised EC2 instances may be leveraged to exfiltrate and misuse AWS Instance Metadata Service (IMDS) credentials to perform actions outside of the expected AWS Simple Systems Manager (SSM) service, indicating potential lateral movement or data exfiltration.","title":"Malicious Usage of AWS IMDS Credentials Outside of Expected Services","url":"https://feed.craftedsignal.io/briefs/2024-07-aws-imds-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["EC2"],"_cs_severities":["high"],"_cs_tags":["aws","ec2","user-data","privilege-escalation","persistence","execution"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis detection identifies a specific sequence of AWS EC2 API calls suggesting malicious intent. An adversary may update the \u003ccode\u003euserData\u003c/code\u003e attribute of an EC2 instance and then restart the instance to execute malicious scripts with elevated privileges (root on Linux, SYSTEM on Windows). The technique involves modifying instance attributes to inject malicious code or scripts, followed by stopping and starting the instance to trigger execution of the modified user data. This can lead to privilege escalation, persistence, or other malicious activities within the AWS environment. The detection focuses on the correlation of \u003ccode\u003eStopInstances\u003c/code\u003e, \u003ccode\u003eStartInstances\u003c/code\u003e, and \u003ccode\u003eModifyInstanceAttribute\u003c/code\u003e events that reference \u003ccode\u003euserData\u003c/code\u003e within a 5-minute window. The rule groups these events by instance ID, username, account ID, source IP, and user agent, triggering an alert only when all three distinct API calls are observed within the same group. This aims to reduce false positives by requiring the complete sequence of actions associated with this technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account with sufficient permissions to manage EC2 instances (e.g., via compromised credentials or an IAM role).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target EC2 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eModifyInstanceAttribute\u003c/code\u003e API call to update the \u003ccode\u003euserData\u003c/code\u003e attribute of the target instance, injecting malicious code or scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eStopInstances\u003c/code\u003e API call to stop the target EC2 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eStartInstances\u003c/code\u003e API call to start the target EC2 instance.\u003c/li\u003e\n\u003cli\u003eUpon instance start, the modified \u003ccode\u003euserData\u003c/code\u003e script executes with elevated privileges, potentially installing malware, establishing persistence, or performing other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the compromised instance to further explore the AWS environment, escalate privileges, or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized code execution within the AWS environment. Attackers can gain elevated privileges on the compromised EC2 instance, potentially leading to full control of the instance and the ability to access sensitive data or resources within the AWS account. This can result in data breaches, service disruptions, and financial losses. The modification of user data allows for persistent malicious code execution each time the instance restarts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rules to your SIEM to detect the described attack pattern, and tune them to your environment.\u003c/li\u003e\n\u003cli\u003eReview CloudTrail logs for \u003ccode\u003eModifyInstanceAttribute\u003c/code\u003e events with \u003ccode\u003euserData\u003c/code\u003e to identify potentially malicious modifications.\u003c/li\u003e\n\u003cli\u003eMonitor EC2 instance state transitions (stop/start) in conjunction with user data modifications.\u003c/li\u003e\n\u003cli\u003eImplement least privilege IAM policies to restrict access to EC2 management APIs.\u003c/li\u003e\n\u003cli\u003eUse AWS Secrets Manager or Parameter Store to manage secrets instead of embedding them in \u003ccode\u003euserData\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules and correlate them with other security events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-aws-ec2-user-data-modification/","summary":"Detection of a sequence of AWS EC2 management API calls indicative of malicious modification of instance user data to execute arbitrary code upon instance restart, potentially leading to privilege escalation and persistence.","title":"AWS EC2 Stop, Start, and User Data Modification Correlation","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-ec2-user-data-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["EC2","AWS CloudTrail"],"_cs_severities":["high"],"_cs_tags":["aws","privilege-escalation","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis threat brief focuses on the potential for privilege escalation and lateral movement within Amazon Web Services (AWS) environments by abusing the ability to associate or replace IAM instance profiles on running EC2 instances. An attacker with the necessary permissions (\u003ccode\u003eec2:AssociateIamInstanceProfile\u003c/code\u003e or \u003ccode\u003eec2:ReplaceIamInstanceProfile\u003c/code\u003e and typically \u003ccode\u003eiam:PassRole\u003c/code\u003e) can elevate the privileges of a compromised EC2 instance. This is achieved by attaching a more privileged IAM role to the instance, granting the attacker access to resources and permissions beyond their initial scope. The event is logged in AWS CloudTrail, providing a critical detection opportunity for security teams.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or a vulnerable application.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a running EC2 instance with limited privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies or creates a more privileged IAM role that grants broader access to AWS resources.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eAssociateIamInstanceProfile\u003c/code\u003e or \u003ccode\u003eReplaceIamInstanceProfile\u003c/code\u003e API calls to associate the privileged IAM role with the target EC2 instance. This requires appropriate IAM permissions.\u003c/li\u003e\n\u003cli\u003eThe EC2 instance\u0026rsquo;s metadata service now provides credentials for the newly associated IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to access sensitive data or resources, potentially including other EC2 instances, databases, or storage buckets.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the AWS environment, compromising additional resources and escalating their access.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as exfiltrating data, deploying malicious code, or disrupting services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to elevate privileges within the AWS environment, potentially leading to unauthorized access to sensitive data, lateral movement to other systems, and disruption of critical services. The impact could range from data breaches and financial losses to reputational damage and regulatory fines. Identifying and responding to these events quickly is crucial to minimizing potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS EC2 Instance Profile Associated with Running Instance\u0026rdquo; to your SIEM using AWS CloudTrail logs to detect suspicious activity.\u003c/li\u003e\n\u003cli\u003eReview and harden IAM permissions related to \u003ccode\u003eec2:AssociateIamInstanceProfile\u003c/code\u003e and \u003ccode\u003eec2:ReplaceIamInstanceProfile\u003c/code\u003e to limit who can modify instance profiles.\u003c/li\u003e\n\u003cli\u003eEnable CloudTrail logging for all regions in your AWS account to ensure comprehensive audit coverage.\u003c/li\u003e\n\u003cli\u003eImplement least privilege principles for IAM roles assigned to EC2 instances to minimize the impact of potential privilege escalation.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the source IP address, user identity, and the IAM role associated with the instance profile.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-aws-ec2-instance-profile-association/","summary":"An attacker may escalate privileges by associating a compromised EC2 instance with a more privileged IAM instance profile.","title":"AWS EC2 Instance Profile Associated with Running Instance","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-ec2-instance-profile-association/"}],"language":"en","title":"CraftedSignal Threat Feed — EC2","version":"https://jsonfeed.org/version/1.1"}