<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Accesskey - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/accesskey/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/accesskey/feed.xml" rel="self" type="application/rss+xml"/><item><title>Detect AWS Access Key Creation</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-access-key-creation/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-access-key-creation/</guid><description>This brief outlines how to detect the creation of AWS Access Keys, a common tactic used by attackers to establish persistence and escalate privileges within compromised AWS environments.</description><content:encoded><![CDATA[<p>This brief focuses on detecting the creation of AWS Access Keys within an AWS environment. While the source material does not specify a particular threat actor or campaign, monitoring access key creation is critical because malicious actors frequently create new keys after gaining initial access to an AWS account. This allows them to maintain persistence, even if the initial access method is revoked. The attacker might use the created access keys to perform privileged actions, such as deploying resources, accessing sensitive data, or further compromising the environment. Detection engineers should prioritize implementing rules to detect anomalous access key creation events to identify and mitigate potential security breaches early on.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains unauthorized access to an AWS account through compromised credentials, phishing, or exploiting a vulnerable service.</li>
<li>Privilege Escalation: The attacker attempts to escalate privileges within the AWS environment to gain the necessary permissions to create IAM users or access keys.</li>
<li>IAM User Creation (Optional): In some cases, the attacker may create a new IAM user with elevated privileges before creating access keys.</li>
<li>Access Key Creation: The attacker creates a new AWS access key for either an existing or a newly created IAM user. This grants the attacker programmatic access to the AWS account.</li>
<li>Persistence: The attacker uses the newly created access key to maintain persistent access to the AWS environment, even if the initial access method is discovered and revoked.</li>
<li>Lateral Movement: The attacker uses the access key to move laterally within the AWS environment, accessing different services and resources.</li>
<li>Data Exfiltration/Malicious Activity: Using the established persistent access, the attacker exfiltrates sensitive data or performs other malicious activities, such as deploying malicious resources or disrupting services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful creation of rogue AWS access keys can lead to long-term unauthorized access to sensitive data and resources. The impact ranges from data breaches and financial losses to service disruption and reputational damage. Organizations lacking proper monitoring may remain compromised for extended periods, amplifying the damage. While the number of victims and specific sectors targeted cannot be determined from the provided source material, AWS environments across all industries are potentially at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement the provided Sigma rule <code>Detect AWS Access Key Creation via CloudTrail</code> to identify suspicious access key creation events (see rule section).</li>
<li>Enable AWS CloudTrail logging to capture API calls related to IAM and access key management, which is necessary for the provided Sigma rules to function correctly.</li>
<li>Review and tune the Sigma rules to reduce false positives based on known-good access key creation patterns within your environment.</li>
<li>Investigate any alerts generated by the Sigma rules to determine the legitimacy of the access key creation event and take appropriate remediation steps.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>iam</category><category>accesskey</category><category>persistence</category></item></channel></rss>