<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Compute_instance - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/compute_instance/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/compute_instance/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cloud Compute Instance Created With Previously Unseen Image</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-cloud-compute-instance-unseen-image/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-cloud-compute-instance-unseen-image/</guid><description>This analytic detects the creation of cloud compute instances using previously unseen image IDs, potentially indicating unauthorized or suspicious activity like malicious payload deployment or unauthorized access, leading to data breaches or further cloud environment compromise.</description><content:encoded><![CDATA[<p>This detection identifies the creation of cloud compute instances using previously unseen image IDs within a cloud environment. The detection leverages cloud infrastructure logs, specifically AWS CloudTrail, to identify the creation of new compute instances using image IDs that have not been previously observed in the environment. This activity is considered significant as it can indicate unauthorized or suspicious activities such as deployment of malicious payloads, lateral movement, or unauthorized access to sensitive resources within the cloud infrastructure. The detection logic relies on maintaining a baseline of previously seen images and alerting on deviations from this baseline. The focus is on AWS CloudTrail logs, using image IDs as a key indicator of potentially malicious compute instance deployment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the cloud environment, possibly through compromised credentials or exploiting a misconfiguration.</li>
<li>The attacker attempts to create a new cloud compute instance.</li>
<li>The attacker selects or uploads a custom image to be used for the new compute instance. This image may contain malicious software or configurations.</li>
<li>The cloud compute instance creation event is logged in AWS CloudTrail, including the image ID used for the instance.</li>
<li>The detection mechanism identifies the image ID as one not previously seen in the environment.</li>
<li>The detection triggers an alert due to the use of an unseen image ID, highlighting a potentially anomalous or malicious event.</li>
<li>Security analysts investigate the newly created instance and the associated image to determine its legitimacy.</li>
<li>If the instance or image is deemed malicious, remediation actions such as instance termination, image removal, and account lockdown are taken to prevent further compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful execution of this type of attack can lead to various detrimental impacts, including the deployment of malicious software within the cloud environment, unauthorized access to sensitive data and resources, lateral movement to other parts of the infrastructure, and potential data breaches. The number of affected instances or the scope of the impact is dependent on the attacker's objectives and the extent of their access. Affected sectors include any organization leveraging cloud compute resources, such as e-commerce, finance, healthcare, and government. A successful attack may result in significant financial losses, reputational damage, and legal liabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement and regularly update the baseline search <code>Previously Seen Cloud Compute Images - Initial</code> and <code>Previously Seen Cloud Compute Images - Update</code> to maintain an accurate record of known image IDs.</li>
<li>Deploy the Sigma rule provided below to your SIEM and tune the thresholds based on your environment's specific needs to minimize false positives.</li>
<li>Enable AWS CloudTrail logging in all regions to ensure complete visibility of cloud resource creation events, which is critical for the Sigma rule to function.</li>
<li>Customize the <code>cloud_compute_instance_created_with_previously_unseen_image_filter</code> macro to exclude known-good images or users to reduce noise.</li>
<li>Review the risk objects identified in the RBA section to correlate the newly created instance with user activity for improved incident prioritization.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>cloudtrail</category><category>compute_instance</category><category>anomaly</category></item></channel></rss>