{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cloudformation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS CloudFormation"],"_cs_severities":["medium"],"_cs_tags":["cloudformation","aws","execution"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection identifies the initial use of AWS CloudFormation stack creation APIs within an AWS account. AWS CloudFormation allows users to define and provision infrastructure as code through template files. A compromised or malicious actor with sufficient permissions can leverage CloudFormation to deploy infrastructure resources, potentially for malicious purposes like establishing persistence, deploying crypto miners, or creating backdoors. This rule is designed to detect the first instance of CloudFormation stack creation by a specific user or role within an account, highlighting potentially anomalous behavior that warrants further investigation. This rule focuses on \u003ccode\u003eCreateStack\u003c/code\u003e and \u003ccode\u003eCreateStackInstances\u003c/code\u003e API calls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to an AWS account through compromised credentials or by exploiting a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing AWS resources and identifies potential targets for lateral movement or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised credentials or IAM role to call the \u003ccode\u003eCreateStack\u003c/code\u003e or \u003ccode\u003eCreateStackInstances\u003c/code\u003e API.\u003c/li\u003e\n\u003cli\u003eThe API call uses a CloudFormation template to define the resources to be created within the stack.\u003c/li\u003e\n\u003cli\u003eThe CloudFormation service provisions the resources defined in the template. These resources may include EC2 instances, Lambda functions, IAM roles, or other AWS services.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the deployed resources to establish persistence within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance and identifies sensitive data stored within the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the sensitive data from the AWS environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to unauthorized deployment of resources, privilege escalation, persistence within the AWS environment, and potential data exfiltration. This can result in financial loss, reputational damage, and legal ramifications. The number of victims depends on the scope of the compromised account and the resources deployed by the attacker. Targeted sectors could include any organization utilizing AWS CloudFormation for infrastructure management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS CloudFormation Stack Creation by New Principal\u0026quot; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the identity (\u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e) and the CloudFormation template used (\u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview and tighten IAM policies and permissions to adhere to the principle of least privilege, reducing the risk of exploitation.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all IAM users to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs (\u003ccode\u003elogs-aws.cloudtrail-*\u003c/code\u003e) for unusual API calls and resource creation events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T14:22:00Z","date_published":"2024-11-02T14:22:00Z","id":"https://feed.craftedsignal.io/briefs/2024-11-aws-cloudformation-stack-creation/","summary":"This rule detects the first time a principal calls AWS CloudFormation CreateStack or CreateStackInstances API, potentially indicating malicious resource deployment by an attacker with elevated privileges.","title":"First Time AWS CloudFormation Stack Creation","url":"https://feed.craftedsignal.io/briefs/2024-11-aws-cloudformation-stack-creation/"}],"language":"en","title":"CraftedSignal Threat Feed - Cloudformation","version":"https://jsonfeed.org/version/1.1"}