<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Provisioning - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/provisioning/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/provisioning/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cloud Provisioning Activity From Previously Unseen Region</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-cloud-provisioning-anomaly/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-cloud-provisioning-anomaly/</guid><description>This analytic detects cloud provisioning activities originating from previously unseen regions by identifying resource creation events and cross-referencing them with a baseline of known regions, potentially indicating unauthorized access or misuse of cloud resources.</description><content:encoded><![CDATA[<p>This detection identifies cloud provisioning activities originating from previously unseen regions within an AWS environment. It leverages AWS CloudTrail logs to pinpoint events where resources are started or created and compares these events against a baseline of known, trusted regions. The analytic focuses on successful resource provisioning actions. This activity is flagged as anomalous because it can signal unauthorized access, compromised credentials, or internal misuse of cloud resources from unfamiliar locations. Successfully exploiting this activity could lead to unauthorized resource creation, data exfiltration, or further compromise of the cloud infrastructure. The original Splunk detection was published in April 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to a user account via compromised credentials or other means.</li>
<li>The attacker logs into the AWS Management Console or utilizes AWS CLI with the compromised credentials.</li>
<li>The attacker initiates a cloud provisioning action, such as creating a new EC2 instance or launching a new service, from a region not previously associated with the account.</li>
<li>AWS CloudTrail logs the &quot;started&quot; or &quot;created&quot; event for the provisioned resource, including the source IP address, user, object, and command used.</li>
<li>The detection logic identifies the previously unseen region based on the source IP address using GeoIP enrichment.</li>
<li>An alert is triggered, indicating anomalous provisioning activity from an unfamiliar region.</li>
<li>The attacker continues to deploy resources in the new region, potentially for malicious purposes such as cryptocurrency mining or hosting command and control infrastructure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack could lead to unauthorized resource deployment, potentially resulting in significant financial costs. Data exfiltration from newly provisioned resources could expose sensitive data leading to compliance violations, legal ramifications, and reputational damage. Further, unauthorized access could allow the attacker to establish a foothold within the cloud environment, enabling lateral movement and further compromise of other resources. The impact will vary based on the compromised user's permissions and the scope of resources the attacker can provision.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable AWS CloudTrail logging in all regions to capture cloud provisioning events.</li>
<li>Run the baseline search to build the <code>previously_seen_cloud_provisioning_activity_sources</code> lookup table as described in the &quot;How to Implement&quot; section.</li>
<li>Deploy the Sigma rule <code>Cloud Provisioning Activity From Previously Unseen Region</code> to your SIEM and tune it based on your organization's baseline activity.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the <code>src</code>, <code>Region</code>, <code>user</code>, <code>object</code>, and <code>command</code> fields to understand the context of the provisioning activity.</li>
<li>Implement multi-factor authentication (MFA) for all user accounts to reduce the risk of credential compromise.</li>
<li>Review and restrict IAM permissions to follow the principle of least privilege, limiting the resources that a compromised user can access or provision.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>provisioning</category><category>anomaly</category></item></channel></rss>