{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/compute_instance/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["EC2"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","cloudtrail","compute_instance","anomaly"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection identifies the creation of cloud compute instances using previously unseen image IDs within a cloud environment. The detection leverages cloud infrastructure logs, specifically AWS CloudTrail, to identify the creation of new compute instances using image IDs that have not been previously observed in the environment. This activity is considered significant as it can indicate unauthorized or suspicious activities such as deployment of malicious payloads, lateral movement, or unauthorized access to sensitive resources within the cloud infrastructure. The detection logic relies on maintaining a baseline of previously seen images and alerting on deviations from this baseline. The focus is on AWS CloudTrail logs, using image IDs as a key indicator of potentially malicious compute instance deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the cloud environment, possibly through compromised credentials or exploiting a misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create a new cloud compute instance.\u003c/li\u003e\n\u003cli\u003eThe attacker selects or uploads a custom image to be used for the new compute instance. This image may contain malicious software or configurations.\u003c/li\u003e\n\u003cli\u003eThe cloud compute instance creation event is logged in AWS CloudTrail, including the image ID used for the instance.\u003c/li\u003e\n\u003cli\u003eThe detection mechanism identifies the image ID as one not previously seen in the environment.\u003c/li\u003e\n\u003cli\u003eThe detection triggers an alert due to the use of an unseen image ID, highlighting a potentially anomalous or malicious event.\u003c/li\u003e\n\u003cli\u003eSecurity analysts investigate the newly created instance and the associated image to determine its legitimacy.\u003c/li\u003e\n\u003cli\u003eIf the instance or image is deemed malicious, remediation actions such as instance termination, image removal, and account lockdown are taken to prevent further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful execution of this type of attack can lead to various detrimental impacts, including the deployment of malicious software within the cloud environment, unauthorized access to sensitive data and resources, lateral movement to other parts of the infrastructure, and potential data breaches. The number of affected instances or the scope of the impact is dependent on the attacker's objectives and the extent of their access. Affected sectors include any organization leveraging cloud compute resources, such as e-commerce, finance, healthcare, and government. A successful attack may result in significant financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement and regularly update the baseline search \u003ccode\u003ePreviously Seen Cloud Compute Images - Initial\u003c/code\u003e and \u003ccode\u003ePreviously Seen Cloud Compute Images - Update\u003c/code\u003e to maintain an accurate record of known image IDs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to your SIEM and tune the thresholds based on your environment's specific needs to minimize false positives.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging in all regions to ensure complete visibility of cloud resource creation events, which is critical for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eCustomize the \u003ccode\u003ecloud_compute_instance_created_with_previously_unseen_image_filter\u003c/code\u003e macro to exclude known-good images or users to reduce noise.\u003c/li\u003e\n\u003cli\u003eReview the risk objects identified in the RBA section to correlate the newly created instance with user activity for improved incident prioritization.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-cloud-compute-instance-unseen-image/","summary":"This analytic detects the creation of cloud compute instances using previously unseen image IDs, potentially indicating unauthorized or suspicious activity like malicious payload deployment or unauthorized access, leading to data breaches or further cloud environment compromise.","title":"Cloud Compute Instance Created With Previously Unseen Image","url":"https://feed.craftedsignal.io/briefs/2024-01-03-cloud-compute-instance-unseen-image/"}],"language":"en","title":"CraftedSignal Threat Feed - Compute_instance","version":"https://jsonfeed.org/version/1.1"}