<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ami - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/ami/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 May 2024 14:22:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/ami/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS EC2 AMI Shared with Another Account for Potential Exfiltration</title><link>https://feed.craftedsignal.io/briefs/2024-05-aws-ami-shared-account/</link><pubDate>Fri, 03 May 2024 14:22:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-aws-ami-shared-account/</guid><description>An AWS Amazon Machine Image (AMI) being shared with another AWS account could indicate data exfiltration, as AMIs may contain sensitive data, and unauthorized sharing can lead to exposure.</description><content:encoded><![CDATA[<p>This alert detects when an Amazon Machine Image (AMI) is shared with another AWS account. While AMI sharing is a legitimate AWS feature, it can be abused by adversaries to exfiltrate sensitive data. AMIs often contain secrets, bash histories, code artifacts, and other sensitive data. An attacker with sufficient privileges can share an AMI with an external account under their control, effectively copying the data out of the targeted AWS environment. This rule helps identify potentially malicious AMI sharing activity. Note that AWS Marketplace subscriptions and other AWS services like workspaces.amazonaws.com and backup.amazonaws.com will legitimately invoke AMI sharing. Review such service-invoked events to confirm they match legitimate and intended sharing configurations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account with sufficient privileges to modify AMI attributes. This could be through compromised credentials, an insider threat, or exploiting a misconfigured IAM role.</li>
<li>The attacker identifies a target AMI containing sensitive data within the AWS environment.</li>
<li>The attacker uses the <code>ModifyImageAttribute</code> API call to add a new user ID to the AMI's launch permissions, specifically the AWS account ID of an account controlled by the attacker. The <code>aws.cloudtrail.request_parameters</code> field will contain the <code>add</code> parameter with the target account.</li>
<li>The AWS EC2 service processes the <code>ModifyImageAttribute</code> request, granting the specified account access to the AMI.</li>
<li>The attacker, logged into the external AWS account, verifies they can now access the shared AMI.</li>
<li>The attacker copies the AMI to their own AWS account.</li>
<li>The attacker launches an EC2 instance from the copied AMI in their own account.</li>
<li>The attacker accesses and exfiltrates the sensitive data contained within the AMI, achieving their objective of data theft.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exfiltration of an AMI can lead to the compromise of sensitive data, including credentials, code, and configuration information. This could result in unauthorized access to other systems, data breaches, and reputational damage. The number of victims depends on the scope of data contained within the AMI. Targeted sectors could vary depending on the compromised account's role.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &quot;AWS EC2 AMI Shared with Another Account&quot; Sigma rule to your SIEM and tune for your environment (rule).</li>
<li>Investigate any detected AMI sharing events, focusing on the <code>aws.cloudtrail.request_parameters</code> and <code>aws.response.response_elements</code> fields in CloudTrail logs to identify the AMI ID and the user ID of the account with which the AMI was shared (content).</li>
<li>Review and, if necessary, revoke unauthorized shared permissions from the AMI immediately (content).</li>
<li>Implement monitoring to track changes to shared AMIs and alert on unauthorized access patterns (content).</li>
<li>Refer to the Amazon EC2 User Guide on AMIs and Sharing AMIs for more information on managing and sharing AMIs (references).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>ami</category><category>exfiltration</category></item><item><title>AWS AMI Attribute Modification for Data Exfiltration</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-ami-exfiltration/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-ami-exfiltration/</guid><description>An attacker modifies AWS AMI attributes, potentially sharing an AMI with another AWS account or making it publicly accessible, to exfiltrate sensitive data stored in AWS resources.</description><content:encoded><![CDATA[<p>An attacker leverages compromised AWS credentials or exploits a misconfigured IAM role to modify Amazon Machine Image (AMI) attributes. This modification can involve sharing the AMI with an external AWS account or making it publicly accessible. The primary goal is to exfiltrate sensitive data stored within the AMI, such as proprietary code, customer data, or internal configurations. This activity is particularly concerning due to the potential for unauthorized access to critical resources and subsequent data breaches. The technique abuses legitimate AWS functionality, making it harder to detect without specific monitoring in place. The sharing of AMI's is a common tactic to enable data exfiltration by threat actors.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> The attacker gains access to an AWS account through compromised credentials, exploiting a vulnerability in a web application, or leveraging a misconfigured IAM role.</li>
<li><strong>Enumeration:</strong> The attacker enumerates available AMIs within the AWS environment to identify those containing sensitive data.</li>
<li><strong>Privilege Escalation (If Needed):</strong> If the initial access doesn't have sufficient privileges, the attacker attempts to escalate privileges to gain the ability to modify AMI attributes.</li>
<li><strong>AMI Attribute Modification:</strong> The attacker uses the <code>ModifyImageAttribute</code> API call to modify the AMI's launch permissions. This involves adding external AWS accounts or setting the group to &quot;all&quot;, making the AMI public.</li>
<li><strong>Data Exfiltration:</strong> The attacker or a collaborator in the external AWS account copies the now-shared AMI to their own environment.</li>
<li><strong>Data Extraction:</strong> The attacker launches an EC2 instance from the copied AMI and extracts the sensitive data stored within it.</li>
<li><strong>Cleanup (Optional):</strong> The attacker may attempt to remove CloudTrail logs or other evidence of their activity to hinder detection.</li>
<li><strong>Lateral Movement or Further Attacks:</strong> The attacker uses the exfiltrated data for further attacks, such as lateral movement within the organization's network or direct extortion.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful AMI attribute modification and exfiltration can lead to significant data breaches, exposing sensitive customer data, proprietary code, or internal configurations. This can result in financial losses, reputational damage, legal liabilities, and regulatory fines. The scope of the impact depends on the sensitivity and volume of data stored within the compromised AMIs. This technique directly targets data confidentiality and integrity, potentially affecting thousands or millions of users if customer data is involved.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and monitor AWS CloudTrail logs for <code>ModifyImageAttribute</code> API calls (AWS CloudTrail ModifyImageAttribute Data Source).</li>
<li>Deploy the provided Sigma rule to detect suspicious AMI attribute modifications in your SIEM (Sigma Rule: &quot;Detect Publicly Shared AWS AMI&quot;).</li>
<li>Implement strict IAM policies to limit the ability to modify AMI attributes to only authorized personnel (Reference: <a href="https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/)">https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/)</a>.</li>
<li>Regularly review AMI launch permissions to identify any publicly shared or externally shared AMIs (Reference: <a href="https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/)">https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/)</a>.</li>
<li>Configure AWS Config rules to automatically detect and remediate publicly shared AMIs (Reference: <a href="https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/)">https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/)</a>.</li>
<li>Alert on users who are modifying AMI attributes and do not typically perform that action.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>ami</category><category>data-exfiltration</category><category>cloudtrail</category></item></channel></rss>