{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ami/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS EC2"],"_cs_severities":["medium"],"_cs_tags":["aws","ami","exfiltration"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis alert detects when an Amazon Machine Image (AMI) is shared with another AWS account. While AMI sharing is a legitimate AWS feature, it can be abused by adversaries to exfiltrate sensitive data. AMIs often contain secrets, bash histories, code artifacts, and other sensitive data. An attacker with sufficient privileges can share an AMI with an external account under their control, effectively copying the data out of the targeted AWS environment. This rule helps identify potentially malicious AMI sharing activity. Note that AWS Marketplace subscriptions and other AWS services like workspaces.amazonaws.com and backup.amazonaws.com will legitimately invoke AMI sharing. Review such service-invoked events to confirm they match legitimate and intended sharing configurations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account with sufficient privileges to modify AMI attributes. This could be through compromised credentials, an insider threat, or exploiting a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target AMI containing sensitive data within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eModifyImageAttribute\u003c/code\u003e API call to add a new user ID to the AMI's launch permissions, specifically the AWS account ID of an account controlled by the attacker. The \u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e field will contain the \u003ccode\u003eadd\u003c/code\u003e parameter with the target account.\u003c/li\u003e\n\u003cli\u003eThe AWS EC2 service processes the \u003ccode\u003eModifyImageAttribute\u003c/code\u003e request, granting the specified account access to the AMI.\u003c/li\u003e\n\u003cli\u003eThe attacker, logged into the external AWS account, verifies they can now access the shared AMI.\u003c/li\u003e\n\u003cli\u003eThe attacker copies the AMI to their own AWS account.\u003c/li\u003e\n\u003cli\u003eThe attacker launches an EC2 instance from the copied AMI in their own account.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses and exfiltrates the sensitive data contained within the AMI, achieving their objective of data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exfiltration of an AMI can lead to the compromise of sensitive data, including credentials, code, and configuration information. This could result in unauthorized access to other systems, data breaches, and reputational damage. The number of victims depends on the scope of data contained within the AMI. Targeted sectors could vary depending on the compromised account's role.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026quot;AWS EC2 AMI Shared with Another Account\u0026quot; Sigma rule to your SIEM and tune for your environment (rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected AMI sharing events, focusing on the \u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e and \u003ccode\u003eaws.response.response_elements\u003c/code\u003e fields in CloudTrail logs to identify the AMI ID and the user ID of the account with which the AMI was shared (content).\u003c/li\u003e\n\u003cli\u003eReview and, if necessary, revoke unauthorized shared permissions from the AMI immediately (content).\u003c/li\u003e\n\u003cli\u003eImplement monitoring to track changes to shared AMIs and alert on unauthorized access patterns (content).\u003c/li\u003e\n\u003cli\u003eRefer to the Amazon EC2 User Guide on AMIs and Sharing AMIs for more information on managing and sharing AMIs (references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-03T14:22:00Z","date_published":"2024-05-03T14:22:00Z","id":"https://feed.craftedsignal.io/briefs/2024-05-aws-ami-shared-account/","summary":"An AWS Amazon Machine Image (AMI) being shared with another AWS account could indicate data exfiltration, as AMIs may contain sensitive data, and unauthorized sharing can lead to exposure.","title":"AWS EC2 AMI Shared with Another Account for Potential Exfiltration","url":"https://feed.craftedsignal.io/briefs/2024-05-aws-ami-shared-account/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon Elastic Compute Cloud (EC2)"],"_cs_severities":["high"],"_cs_tags":["aws","ami","data-exfiltration","cloudtrail"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eAn attacker leverages compromised AWS credentials or exploits a misconfigured IAM role to modify Amazon Machine Image (AMI) attributes. This modification can involve sharing the AMI with an external AWS account or making it publicly accessible. The primary goal is to exfiltrate sensitive data stored within the AMI, such as proprietary code, customer data, or internal configurations. This activity is particularly concerning due to the potential for unauthorized access to critical resources and subsequent data breaches. The technique abuses legitimate AWS functionality, making it harder to detect without specific monitoring in place. The sharing of AMI's is a common tactic to enable data exfiltration by threat actors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e The attacker gains access to an AWS account through compromised credentials, exploiting a vulnerability in a web application, or leveraging a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnumeration:\u003c/strong\u003e The attacker enumerates available AMIs within the AWS environment to identify those containing sensitive data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (If Needed):\u003c/strong\u003e If the initial access doesn't have sufficient privileges, the attacker attempts to escalate privileges to gain the ability to modify AMI attributes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAMI Attribute Modification:\u003c/strong\u003e The attacker uses the \u003ccode\u003eModifyImageAttribute\u003c/code\u003e API call to modify the AMI's launch permissions. This involves adding external AWS accounts or setting the group to \u0026quot;all\u0026quot;, making the AMI public.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker or a collaborator in the external AWS account copies the now-shared AMI to their own environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Extraction:\u003c/strong\u003e The attacker launches an EC2 instance from the copied AMI and extracts the sensitive data stored within it.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCleanup (Optional):\u003c/strong\u003e The attacker may attempt to remove CloudTrail logs or other evidence of their activity to hinder detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement or Further Attacks:\u003c/strong\u003e The attacker uses the exfiltrated data for further attacks, such as lateral movement within the organization's network or direct extortion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful AMI attribute modification and exfiltration can lead to significant data breaches, exposing sensitive customer data, proprietary code, or internal configurations. This can result in financial losses, reputational damage, legal liabilities, and regulatory fines. The scope of the impact depends on the sensitivity and volume of data stored within the compromised AMIs. This technique directly targets data confidentiality and integrity, potentially affecting thousands or millions of users if customer data is involved.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor AWS CloudTrail logs for \u003ccode\u003eModifyImageAttribute\u003c/code\u003e API calls (AWS CloudTrail ModifyImageAttribute Data Source).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious AMI attribute modifications in your SIEM (Sigma Rule: \u0026quot;Detect Publicly Shared AWS AMI\u0026quot;).\u003c/li\u003e\n\u003cli\u003eImplement strict IAM policies to limit the ability to modify AMI attributes to only authorized personnel (Reference: \u003ca href=\"https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/)\"\u003ehttps://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eRegularly review AMI launch permissions to identify any publicly shared or externally shared AMIs (Reference: \u003ca href=\"https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/)\"\u003ehttps://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eConfigure AWS Config rules to automatically detect and remediate publicly shared AMIs (Reference: \u003ca href=\"https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/)\"\u003ehttps://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eAlert on users who are modifying AMI attributes and do not typically perform that action.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-ami-exfiltration/","summary":"An attacker modifies AWS AMI attributes, potentially sharing an AMI with another AWS account or making it publicly accessible, to exfiltrate sensitive data stored in AWS resources.","title":"AWS AMI Attribute Modification for Data Exfiltration","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-ami-exfiltration/"}],"language":"en","title":"CraftedSignal Threat Feed - Ami","version":"https://jsonfeed.org/version/1.1"}