{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/accesskey/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon Web Services"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","iam","accesskey","persistence"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis brief focuses on detecting the creation of AWS Access Keys within an AWS environment. While the source material does not specify a particular threat actor or campaign, monitoring access key creation is critical because malicious actors frequently create new keys after gaining initial access to an AWS account. This allows them to maintain persistence, even if the initial access method is revoked. The attacker might use the created access keys to perform privileged actions, such as deploying resources, accessing sensitive data, or further compromising the environment. Detection engineers should prioritize implementing rules to detect anomalous access key creation events to identify and mitigate potential security breaches early on.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains unauthorized access to an AWS account through compromised credentials, phishing, or exploiting a vulnerable service.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker attempts to escalate privileges within the AWS environment to gain the necessary permissions to create IAM users or access keys.\u003c/li\u003e\n\u003cli\u003eIAM User Creation (Optional): In some cases, the attacker may create a new IAM user with elevated privileges before creating access keys.\u003c/li\u003e\n\u003cli\u003eAccess Key Creation: The attacker creates a new AWS access key for either an existing or a newly created IAM user. This grants the attacker programmatic access to the AWS account.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker uses the newly created access key to maintain persistent access to the AWS environment, even if the initial access method is discovered and revoked.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the access key to move laterally within the AWS environment, accessing different services and resources.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Malicious Activity: Using the established persistent access, the attacker exfiltrates sensitive data or performs other malicious activities, such as deploying malicious resources or disrupting services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful creation of rogue AWS access keys can lead to long-term unauthorized access to sensitive data and resources. The impact ranges from data breaches and financial losses to service disruption and reputational damage. Organizations lacking proper monitoring may remain compromised for extended periods, amplifying the damage. While the number of victims and specific sectors targeted cannot be determined from the provided source material, AWS environments across all industries are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eDetect AWS Access Key Creation via CloudTrail\u003c/code\u003e to identify suspicious access key creation events (see rule section).\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging to capture API calls related to IAM and access key management, which is necessary for the provided Sigma rules to function correctly.\u003c/li\u003e\n\u003cli\u003eReview and tune the Sigma rules to reduce false positives based on known-good access key creation patterns within your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the legitimacy of the access key creation event and take appropriate remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-access-key-creation/","summary":"This brief outlines how to detect the creation of AWS Access Keys, a common tactic used by attackers to establish persistence and escalate privileges within compromised AWS environments.","title":"Detect AWS Access Key Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-access-key-creation/"}],"language":"en","title":"CraftedSignal Threat Feed - Accesskey","version":"https://jsonfeed.org/version/1.1"}