{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/inventory/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Scattered Spider (LUCR-3)"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Systems Manager","AWS EC2"],"_cs_severities":["medium"],"_cs_tags":["aws","ssm","inventory","reconnaissance","cloudtrail"],"_cs_type":"threat","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection identifies the initial use of AWS Systems Manager (SSM) inventory APIs by a specific user or role, which is uncommon behavior and may indicate reconnaissance. The AWS SSM Inventory service provides detailed information about managed EC2 instances, including installed software, patch compliance status, and command execution history. Threat actors, such as Scattered Spider (LUCR-3), may abuse these APIs to gather information about target systems within an AWS environment for lateral movement or other malicious purposes. The rule focuses on detecting the first-time use of specific SSM inventory APIs (GetInventory, GetInventorySchema, ListInventoryEntries, DescribeInstancePatches, ListCommands) or the execution of the AWS-GatherSoftwareInventory job by a user, as such actions are more typical of automation systems rather than interactive human users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains access to an AWS account through compromised credentials or an exposed IAM role.\u003c/li\u003e\n\u003cli\u003eCredential Harvesting: The attacker enumerates existing IAM roles and policies to identify those with permissions to interact with SSM.\u003c/li\u003e\n\u003cli\u003eSSM Enumeration: The attacker uses the \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e API call to validate permissions and identify the current AWS account.\u003c/li\u003e\n\u003cli\u003eInventory Discovery: The attacker leverages SSM inventory APIs, such as \u003ccode\u003essm:GetInventory\u003c/code\u003e, \u003ccode\u003essm:GetInventorySchema\u003c/code\u003e, and \u003ccode\u003essm:ListInventoryEntries\u003c/code\u003e, to gather information about EC2 instances, including installed software and patch levels.\u003c/li\u003e\n\u003cli\u003ePatch Status Check: The attacker uses \u003ccode\u003essm:DescribeInstancePatches\u003c/code\u003e to identify vulnerable or unpatched systems.\u003c/li\u003e\n\u003cli\u003eCommand History Check: The attacker uses \u003ccode\u003essm:ListCommands\u003c/code\u003e to gather information about past commands executed on the instances.\u003c/li\u003e\n\u003cli\u003eSoftware Inventory Job Execution: Alternatively, the attacker triggers the \u003ccode\u003eAWS-GatherSoftwareInventory\u003c/code\u003e job using \u003ccode\u003essm:CreateAssociation\u003c/code\u003e to collect a comprehensive software inventory.\u003c/li\u003e\n\u003cli\u003eLateral Movement: Based on the gathered inventory, the attacker identifies vulnerable systems or misconfigurations and attempts lateral movement within the AWS environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful reconnaissance using AWS SSM Inventory APIs allows attackers to map out the target environment, identify vulnerable systems, and plan further attacks, such as lateral movement or data exfiltration. This reconnaissance can lead to full compromise of EC2 instances and sensitive data within the AWS environment. Scattered Spider and similar groups often use this information to identify high-value targets and vulnerabilities for exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS SSM Inventory Reconnaissance by Rare User\u0026quot; to your SIEM to detect anomalous SSM inventory API usage (rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the source IP address, user agent, and the specific API calls made (rule).\u003c/li\u003e\n\u003cli\u003eReview IAM permissions to ensure that users and roles only have the necessary permissions to access SSM inventory data (IAM).\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring for users or roles identified as performing suspicious SSM activity (monitoring).\u003c/li\u003e\n\u003cli\u003eCorrelate SSM API activity with other AWS CloudTrail events, such as \u003ccode\u003eStartSession\u003c/code\u003e or \u003ccode\u003eSendCommand\u003c/code\u003e, to identify broader attack patterns (CloudTrail).\u003c/li\u003e\n\u003cli\u003eUse the provided references to understand Scattered Spider's TTPs and AWS security best practices (references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-ssm-inventory-recon/","summary":"Detection of a rare user or role accessing AWS Systems Manager (SSM) inventory APIs or running the AWS-GatherSoftwareInventory job, potentially indicating reconnaissance activity by threat actors seeking information about managed EC2 instances.","title":"AWS SSM Inventory Reconnaissance by Rare User","url":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-ssm-inventory-recon/"}],"language":"en","title":"CraftedSignal Threat Feed - Inventory","version":"https://jsonfeed.org/version/1.1"}