elastic · shashank-elastic · Jul 23, 2025 · Jul 23, 2025 · Jul 23, 2025
@@ -0,0 +1,118 @@
+[[prebuilt-rule-8-18-9-aws-dynamodb-table-exported-to-s3]]
+=== AWS DynamoDB Table Exported to S3
+
+Identifies when an AWS DynamoDB table is exported to S3. Adversaries may use the ExportTableToPointInTime operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the ExportTableToPointInTime action in CloudTrail logs. This is a New Terms rule that only flags when this behavior is observed by the "user.name" for the first time.
+
+*Rule type*: new_terms
+
+*Rule indices*: 
+
+* filebeat-*
+* logs-aws.cloudtrail-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_ExportTableToPointInTime.html
+
+*Tags*: 
+
+* Domain: Cloud
+* Data Source: AWS
+* Data Source: Amazon Web Services
+* Data Source: AWS DynamoDB
+* Resources: Investigation Guide
+* Use Case: Threat Detection
+* Tactic: Exfiltration
+
+*Version*: 4
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+ ## Triage and analysis
+
+
+*Investigating AWS DynamoDB Table Exported to S3*
+
+
+This rule identifies when an AWS DynamoDB table is exported to S3. Adversaries may use the ExportTableToPointInTime operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the ExportTableToPointInTime action in CloudTrail logs.
+
+This is a New Terms rule that only flags when this behavior is observed for the first time.
+
+
+*Possible Investigation Steps*
+
+- Identify the Actor: Review the `aws.cloudtrail.user_identity.arn` field to identify the user who requested the export. Verify if this actor typically performs such actions and has the necessary permissions. It may be unusual for this activity to originate from certain user types, such as an assumed role or federated user.
+- Review the Source IP: Check the `source.ip` field to determine the source of the request. If the request comes from an unexpected location or IP address, it may indicate a compromised account or unauthorized access.
+- Review Access Key: Check the `aws.cloudtrail.user_identity.access_key_id` field to identify the access key used for the request. Determine if this key has been compromised.
+- Analyze the Request Parameters: Examine the `aws.cloudtrail.request_parameters` field to understand the details of the ExportTableToPointInTime request. Look for any unusual parameters or patterns that may indicate malicious intent. This also details the DynamoDB table being exported.
+
+
+*False Positive Analysis*
+
+- Historical User Actions: If the user has a history of exporting DynamoDB tables for legitimate purposes, this may be a false positive. Review the user's activity logs to determine if this behavior is consistent with their normal actions.
+- Automated Processes: Some automated processes or applications may perform exports on DynamoDB tables as part of their functionality. If the user is associated with such a process, this may be a false positive.
+
+
+*Response and Remediation*
+
+- Immediate Review and Reversal: If the ExportTableToPointInTime action is determined to be unauthorized, immediately revoke the user's access to the DynamoDB table and any associated resources. This may involve disabling the user's access keys or removing their permissions.
+- Investigate Compromise: If the ExportTableToPointInTime action is determined to be malicious, investigate the source and destination of the request and any potential compromise of the user's account. If the destination S3 bucket is not known, it may be a sign of data exfiltration and may require incident response.
+- Review IAM Policies: Review the IAM policies associated with the user to ensure that they have the appropriate permissions for their role. If necessary, update the policies to restrict access to sensitive resources.
+- Monitor for Future Activity: Continue to monitor the user's activity for any further suspicious behavior. Set up additional alerts or logging to detect any future unauthorized access attempts.
+
+
+*Additional Information*
+
+
+For further guidance on managing and securing DynamoDB in AWS environments, refer to the https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/security.html[AWS DynamoDB documentation] and AWS best practices for security.
+
+
+==== Setup
+
+
+DynamoDB data events must be enabled in CloudTrail to capture the ExportTableToPointInTime actions. Ensure that the AWS CloudTrail service is configured to log data events for DynamoDB tables.
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset: "aws.cloudtrail"
+    and event.provider: "dynamodb.amazonaws.com"
+    and event.action: "ExportTableToPointInTime"
+    and event.outcome: "success"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Exfiltration
+** ID: TA0010
+** Reference URL: https://attack.mitre.org/tactics/TA0010/
+* Technique:
+** Name: Exfiltration Over Web Service
+** ID: T1567
+** Reference URL: https://attack.mitre.org/techniques/T1567/
+* Sub-technique:
+** Name: Exfiltration to Cloud Storage
+** ID: T1567.002
+** Reference URL: https://attack.mitre.org/techniques/T1567/002/
@@ -0,0 +1,120 @@
+[[prebuilt-rule-8-18-9-aws-ec2-ami-shared-with-another-account]]
+=== AWS EC2 AMI Shared with Another Account
+
+Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well.
+
+*Rule type*: query
+
+*Rule indices*: 
+
+* filebeat-*
+* logs-aws.cloudtrail-*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 5m
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
+* https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html
+* https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/
+
+*Tags*: 
+
+* Domain: Cloud
+* Data Source: AWS
+* Data Source: Amazon Web Services
+* Data Source: AWS EC2
+* Use Case: Threat Detection
+* Tactic: Exfiltration
+* Resources: Investigation Guide
+
+*Version*: 6
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating AWS EC2 AMI Shared with Another Account*
+
+
+This rule identifies when an Amazon Machine Image (AMI) is shared with another AWS account. While sharing AMIs is a common practice, adversaries may exploit this feature to exfiltrate data by sharing AMIs with external accounts under their control.
+
+
+*Possible Investigation Steps*
+
+
+- **Review the Sharing Event**: Identify the AMI involved and review the event details in AWS CloudTrail. Look for `ModifyImageAttribute` actions where the AMI attributes were changed to include additional user accounts.
+    - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.response.response_elements` fields in the CloudTrail event to identify the AMI ID and the user ID of the account with which the AMI was shared.
+- **Verify the Shared AMI**: Check the AMI that was shared and its contents to determine the sensitivity of the data stored within it.
+- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in AMI configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.
+- **Validate External Account**: Examine the AWS account to which the AMI was shared. Determine whether this account is known and previously authorized to access such resources.
+- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing AMI deployments.
+- **Audit Related Security Policies**: Check the security policies governing AMI sharing within your organization to ensure they are being followed and are adequate to prevent unauthorized sharing.
+
+
+*False Positive Analysis*
+
+
+- **Legitimate Sharing Practices**: AMI sharing is a common and legitimate practice for collaboration and resource management in AWS. Always verify that the sharing activity was unauthorized before escalating.
+- **Automation Tools**: Some organizations use automation tools for AMI management which might programmatically share AMIs. Verify if such tools are in operation and whether their actions are responsible for the observed behavior.
+- **AWS Services**: Some AWS services, such as WorkSpaces and Backup, automate AMI sharing when users configure cross-account sharing or disaster recovery plans. These will appear in CloudTrail with `userIdentity.invokedBy` and `source.address` fields like `workspaces.amazonaws.com` or `backup.amazonaws.com`. Confirm that such activity aligns with your organization's approved configurations.
+
+
+*Response and Remediation*
+
+
+- **Review and Revoke Unauthorized Shares**: If the share is found to be unauthorized, immediately revoke the shared permissions from the AMI.
+- **Enhance Monitoring of Shared AMIs**: Implement monitoring to track changes to shared AMIs and alert on unauthorized access patterns.
+- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.
+- **Policy Update**: Review and possibly update your organization’s policies on AMI sharing to tighten control and prevent unauthorized access.
+- **Educate Users**: Conduct training sessions for users involved in managing AMIs to reinforce best practices and organizational policies regarding AMI sharing.
+
+
+*Additional Information*
+
+
+For more information on managing and sharing AMIs, refer to the https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html[Amazon EC2 User Guide on AMIs] and https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html[Sharing AMIs]. Additionally, explore adversarial techniques related to data exfiltration via AMI sharing as documented by Stratus Red Team https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/[here].
+
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com"
+    and event.action: ModifyImageAttribute and event.outcome: success
+    and aws.cloudtrail.request_parameters: *add=*
+    and not aws.cloudtrail.user_identity.invoked_by: "assets.marketplace.amazonaws.com"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Exfiltration
+** ID: TA0010
+** Reference URL: https://attack.mitre.org/tactics/TA0010/
+* Technique:
+** Name: Transfer Data to Cloud Account
+** ID: T1537
+** Reference URL: https://attack.mitre.org/techniques/T1537/
@@ -0,0 +1,148 @@
+[[prebuilt-rule-8-18-9-aws-ec2-deprecated-ami-discovery]]
+=== AWS EC2 Deprecated AMI Discovery
+
+Identifies when a user has queried for deprecated Amazon Machine Images (AMIs) in AWS. This may indicate an adversary looking for outdated AMIs that may be vulnerable to exploitation. While deprecated AMIs are not inherently malicious or indicative of a breach, they may be more susceptible to vulnerabilities and should be investigated for potential security risks.
+
+*Rule type*: query
+
+*Rule indices*: 
+
+* filebeat-*
+* logs-aws.cloudtrail-*
+
+*Severity*: low
+
+*Risk score*: 21
+
+*Runs every*: 5m
+
+*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/exploting_public_resources_attack_playbook/
+
+*Tags*: 
+
+* Domain: Cloud
+* Data Source: AWS
+* Data Source: AWS EC2
+* Resources: Investigation Guide
+* Use Case: Threat Detection
+* Tactic: Discovery
+
+*Version*: 6
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+
+*Triage and analysis*
+
+
+
+*Investigating AWS EC2 Deprecated AMI Discovery*
+
+
+This rule detects when a user queries AWS for deprecated Amazon Machine Images (AMIs). While deprecated AMIs are not inherently malicious, their use can introduce vulnerabilities or misconfigurations. Adversaries may exploit deprecated AMIs in search of outdated or unpatched systems. Investigating these queries can help identify potential risks or misconfigurations.
+
+
+*Possible Investigation Steps*
+
+
+1. **Identify the User Performing the Query**:
+   - Review the `aws.cloudtrail.user_identity.arn` field to determine the AWS user or role making the request.
+   - Check `aws.cloudtrail.user_identity.type` and `aws.cloudtrail.user_identity.access_key_id` to verify the type of access (e.g., IAM user, role, or federated identity).
+
+2. **Analyze the Source of the Request**:
+   - Review the `source.ip` field to determine the IP address of the source making the request.
+   - Check `source.geo` for the geographic location of the IP address.
+   - Analyze the `user_agent.original` field to determine the client or tool used (e.g., AWS CLI, SDK).
+
+3. **Validate the Query Context**:
+   - Inspect the `aws.cloudtrail.request_parameters` field 
+   - Determine if the request is part of legitimate activity, such as:
+     - Security assessments or vulnerability scans.
+     - Maintenance or testing of legacy systems.
+   - Check if the query aligns with recent changes in the AWS environment, such as new configurations or services.
+
+4. **Correlate with Other Events**:
+   - Investigate additional AWS API calls from the same user or IP address for signs of reconnaissance or exploitation.
+   - Review logs for related actions, such as launching instances from deprecated AMIs (`RunInstances` API call).
+
+5. **Assess Security Risks**:
+   - Evaluate the use of deprecated AMIs within your environment and their associated vulnerabilities.
+   - Ensure that deprecated AMIs are not being used in production environments or systems exposed to external threats.
+
+
+*False Positive Analysis*
+
+
+- **Legitimate Use**: Users may query for deprecated AMIs for testing or compatibility purposes.
+- **Automated Tools**: Security or compliance tools might query deprecated AMIs as part of regular assessments.
+- **Misconfigured Services**: Legacy systems may rely on deprecated AMIs for compatibility, leading to legitimate queries.
+
+
+*Response and Remediation*
+
+
+1. **Immediate Actions**:
+   - Verify the intent of the user querying for deprecated AMIs.
+   - Restrict IAM permissions to prevent unauthorized access to deprecated AMIs.
+
+2. **Mitigation Steps**:
+   - Identify and replace deprecated AMIs in use with supported and updated AMIs.
+   - Update AWS IAM policies to minimize permissions for querying or using deprecated AMIs.
+
+3. **Enhance Monitoring**:
+   - Enable alerts for future queries involving deprecated AMIs or other unusual API activity.
+   - Monitor CloudTrail logs for additional reconnaissance or suspicious behavior.
+
+4. **Security Audits**:
+   - Conduct a review of all AMIs in use across your environment to identify outdated or deprecated images.
+   - Remove any deprecated AMIs from production environments and restrict their usage to isolated testing.
+
+5. **Add Rule Exceptions**:
+   - Create exceptions for legitimate use cases or automated tools that query for deprecated AMIs.
+   - Document and communicate the exceptions to relevant teams to avoid future alerts.
+
+
+*Additional Resources*
+
+
+- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html[AWS Documentation: AMI Lifecycle Management]
+- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-deprecate.html[AWS Documentation: Deprecated AMIs]
+
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset: "aws.cloudtrail"
+    and event.provider: "ec2.amazonaws.com"
+    and event.action: "DescribeImages"
+    and event.outcome: "success"
+    and aws.cloudtrail.flattened.request_parameters.includeDeprecated: "true"
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Discovery
+** ID: TA0007
+** Reference URL: https://attack.mitre.org/tactics/TA0007/
+* Technique:
+** Name: Cloud Infrastructure Discovery
+** ID: T1580
+** Reference URL: https://attack.mitre.org/techniques/T1580/