<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>EC2 — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/ec2/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 11 Jul 2024 00:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/ec2/feed.xml" rel="self" type="application/rss+xml"/><item><title>Malicious Usage of AWS IMDS Credentials Outside of Expected Services</title><link>https://feed.craftedsignal.io/briefs/2024-07-aws-imds-abuse/</link><pubDate>Thu, 11 Jul 2024 00:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-aws-imds-abuse/</guid><description>Compromised EC2 instances may be leveraged to exfiltrate and misuse AWS Instance Metadata Service (IMDS) credentials to perform actions outside of the expected AWS Simple Systems Manager (SSM) service, indicating potential lateral movement or data exfiltration.</description><content:encoded><![CDATA[<p>This activity focuses on the potential misuse of AWS Instance Metadata Service (IMDS) credentials. When an EC2 instance is compromised, an attacker can extract the temporary credentials stored within the IMDS. These credentials, associated with an assumed role, grant the attacker the ability to interact with other AWS services. The abnormal use of these credentials outside of the expected AWS Simple Systems Manager (SSM) service may indicate malicious activity such as lateral movement, data exfiltration, or resource compromise. 
This is particularly concerning when the compromised instance is being used as a pivot point to access other AWS resources.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An EC2 instance is compromised through an initial access vector (e.g., software vulnerability, misconfiguration, or credential compromise).</li>
<li>The attacker gains access to the compromised EC2 instance&rsquo;s operating system.</li>
<li>The attacker queries the IMDS endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/) to obtain temporary AWS credentials associated with the instance&rsquo;s IAM role.</li>
<li>The attacker configures their local AWS CLI or SDK with the exfiltrated credentials.</li>
<li>The attacker attempts to perform actions against other AWS services using the exfiltrated credentials.</li>
<li>The attacker attempts to escalate privileges or move laterally within the AWS environment.</li>
<li>The attacker attempts to access, modify, or exfiltrate sensitive data from other AWS services.</li>
<li>The attacker maintains persistence by creating new IAM users or roles with excessive permissions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to sensitive data stored in AWS services such as S3, DynamoDB, and RDS. This could result in data breaches, financial loss, and reputational damage. Attackers can also leverage the compromised credentials to pivot to other AWS resources, potentially impacting critical infrastructure and services. Organizations with lax security configurations and overly permissive IAM roles are at higher risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure&rdquo; to your SIEM and tune for your environment to detect anomalous use of IMDS credentials.</li>
<li>Review and restrict IAM roles assigned to EC2 instances to follow the principle of least privilege, limiting the scope of potential damage from credential exfiltration.</li>
<li>Monitor CloudTrail logs for unusual API calls originating from EC2 instances with assumed roles, specifically those not related to SSM.</li>
<li>Harden EC2 instances to prevent initial compromise by applying security patches, configuring strong authentication, and regularly scanning for vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>attack.privilege-escalation</category><category>attack.initial-access</category><category>attack.persistence</category><category>attack.stealth</category><category>attack.t1078</category><category>attack.t1078.002</category></item><item><title>AWS EC2 Stop, Start, and User Data Modification Correlation</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-ec2-user-data-modification/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-ec2-user-data-modification/</guid><description>Detection of a sequence of AWS EC2 management API calls indicative of malicious modification of instance user data to execute arbitrary code upon instance restart, potentially leading to privilege escalation and persistence.</description><content:encoded><![CDATA[<p>This detection identifies a specific sequence of AWS EC2 API calls suggesting malicious intent. An adversary may update the <code>userData</code> attribute of an EC2 instance and then restart the instance to execute malicious scripts with elevated privileges (root on Linux, SYSTEM on Windows). The technique involves modifying instance attributes to inject malicious code or scripts, followed by stopping and starting the instance to trigger execution of the modified user data. This can lead to privilege escalation, persistence, or other malicious activities within the AWS environment. The detection focuses on the correlation of <code>StopInstances</code>, <code>StartInstances</code>, and <code>ModifyInstanceAttribute</code> events that reference <code>userData</code> within a 5-minute window. The rule groups these events by instance ID, username, account ID, source IP, and user agent, triggering an alert only when all three distinct API calls are observed within the same group. 
This aims to reduce false positives by requiring the complete sequence of actions associated with this technique.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account with sufficient permissions to manage EC2 instances (e.g., via compromised credentials or an IAM role).</li>
<li>The attacker identifies a target EC2 instance.</li>
<li>The attacker uses the <code>ModifyInstanceAttribute</code> API call to update the <code>userData</code> attribute of the target instance, injecting malicious code or scripts.</li>
<li>The attacker uses the <code>StopInstances</code> API call to stop the target EC2 instance.</li>
<li>The attacker uses the <code>StartInstances</code> API call to start the target EC2 instance.</li>
<li>Upon instance start, the modified <code>userData</code> script executes with elevated privileges, potentially installing malware, establishing persistence, or performing other malicious actions.</li>
<li>The attacker may use the compromised instance to further explore the AWS environment, escalate privileges, or exfiltrate data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized code execution within the AWS environment. Attackers can gain elevated privileges on the compromised EC2 instance, potentially leading to full control of the instance and the ability to access sensitive data or resources within the AWS account. This can result in data breaches, service disruptions, and financial losses. The modification of user data allows for persistent malicious code execution each time the instance restarts.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules associated with this detection to your SIEM to detect the described attack pattern, and tune them to your environment.</li>
<li>Review CloudTrail logs for <code>ModifyInstanceAttribute</code> events with <code>userData</code> to identify potentially malicious modifications.</li>
<li>Monitor EC2 instance state transitions (stop/start) in conjunction with user data modifications.</li>
<li>Implement least privilege IAM policies to restrict access to EC2 management APIs.</li>
<li>Use AWS Secrets Manager or Parameter Store to manage secrets instead of embedding them in <code>userData</code>.</li>
<li>Investigate any alerts generated by the Sigma rules and correlate them with other security events.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>ec2</category><category>user-data</category><category>privilege-escalation</category><category>persistence</category><category>execution</category></item><item><title>AWS EC2 Instance Profile Associated with Running Instance</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-ec2-instance-profile-association/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-ec2-instance-profile-association/</guid><description>An attacker may escalate privileges by associating a compromised EC2 instance with a more privileged IAM instance profile.</description><content:encoded><![CDATA[<p>This threat brief focuses on the potential for privilege escalation and lateral movement within Amazon Web Services (AWS) environments by abusing the ability to associate or replace IAM instance profiles on running EC2 instances. An attacker with the necessary permissions (<code>ec2:AssociateIamInstanceProfile</code> or <code>ec2:ReplaceIamInstanceProfile</code> and typically <code>iam:PassRole</code>) can elevate the privileges of a compromised EC2 instance. This is achieved by attaching a more privileged IAM role to the instance, granting the attacker access to resources and permissions beyond their initial scope. The event is logged in AWS CloudTrail, providing a critical detection opportunity for security teams.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, potentially through compromised credentials or a vulnerable application.</li>
<li>The attacker identifies a running EC2 instance with limited privileges.</li>
<li>The attacker identifies or creates a more privileged IAM role that grants broader access to AWS resources.</li>
<li>The attacker uses the <code>AssociateIamInstanceProfile</code> or <code>ReplaceIamInstanceProfile</code> API calls to associate the privileged IAM role with the target EC2 instance. This requires appropriate IAM permissions.</li>
<li>The EC2 instance&rsquo;s metadata service now provides credentials for the newly associated IAM role.</li>
<li>The attacker leverages the elevated privileges to access sensitive data or resources, potentially including other EC2 instances, databases, or storage buckets.</li>
<li>The attacker moves laterally within the AWS environment, compromising additional resources and escalating their access.</li>
<li>The attacker achieves their objective, such as exfiltrating data, deploying malicious code, or disrupting services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to elevate privileges within the AWS environment, potentially leading to unauthorized access to sensitive data, lateral movement to other systems, and disruption of critical services. The impact could range from data breaches and financial losses to reputational damage and regulatory fines. Identifying and responding to these events quickly is crucial to minimizing potential damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;AWS EC2 Instance Profile Associated with Running Instance&rdquo; to your SIEM using AWS CloudTrail logs to detect suspicious activity.</li>
<li>Review and harden IAM permissions related to <code>ec2:AssociateIamInstanceProfile</code> and <code>ec2:ReplaceIamInstanceProfile</code> to limit who can modify instance profiles.</li>
<li>Enable CloudTrail logging for all regions in your AWS account to ensure comprehensive audit coverage.</li>
<li>Implement least privilege principles for IAM roles assigned to EC2 instances to minimize the impact of potential privilege escalation.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the source IP address, user identity, and the IAM role associated with the instance profile.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>privilege-escalation</category><category>lateral-movement</category></item></channel></rss>