/
aws_ami_attribute_modification_for_exfiltration.yml
70 lines (70 loc) · 2.92 KB
/
aws_ami_attribute_modification_for_exfiltration.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
name: AWS AMI Attribute Modification for Exfiltration
id: f2132d74-cf81-4c5e-8799-ab069e67dc9f
version: 2
date: '2023-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
data_source:
- AWS CloudTrail ModifyImageAttribute
description: This search looks for suspicious AWS AMI attribute modifications, such as sharing it with another AWS account or making the full AMI image public. Adversaries are known to abuse these APIs to exfiltrate sensitive organization information stored in the AWS Resources, there by its very important to monitor these seemingly benign API activity in Cloudtrail logs.
search: '`cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId = * OR requestParameters.launchPermission.add.items{}.group = all)
| rename requestParameters.launchPermission.add.items{}.group as group_added
| rename requestParameters.launchPermission.add.items{}.userId as accounts_added
| eval ami_status=if(match(group_added,"all") ,"Public AMI", "Not Public") | stats
count min(_time) as firstTime max(_time) as lastTime values(group_added) values(accounts_added) as accounts_added values(ami_status) by src_ip region eventName userAgent user_arn aws_account_id userIdentity.principalId
| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_ami_attribute_modification_for_exfiltration_filter`'
how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This
search works with AWS CloudTrail logs.
known_false_positives: It is possible that an AWS admin has legitimately shared a
snapshot with others for a specific purpose.
references:
- https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/
- https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/
- https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/
tags:
analytic_story:
- Suspicious Cloud Instance Activities
- Data Exfiltration
asset_type: EC2 Snapshot
confidence: 80
impact: 100
message: AWS AMI from account $aws_account_id$ is shared externally with $accounts_added$ from $src_ip$ or AMI made is made Public.
mitre_attack_id:
- T1537
observable:
- name: user_arn
type: User
role:
- Attacker
- name: src_ip
type: IP Address
role:
- Attacker
- name: aws_account_id
type: Other
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- eventName
- user_arn
- src_ip
- requestParameters.attributeType
- aws_account_id
- vendor_region
- user_agent
- userIdentity.principalId
risk_score: 80
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_cloudtrail_events.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
update_timestamp: true