forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathexfiltration_ec2_ami_shared_with_separate_account.toml
99 lines (81 loc) · 5.44 KB
/
exfiltration_ec2_ami_shared_with_separate_account.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
[metadata]
creation_date = "2024/04/16"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an
AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code
artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made
publicly available accidentally as well.
"""
false_positives = [
"""
AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.
""",
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "EC2 AMI Shared with Another Account"
note = """
## Triage and Analysis
### Investigating EC2 AMI Shared with Another Account
This rule identifies when an Amazon Machine Image (AMI) is shared with another AWS account. While sharing AMIs is a common practice, adversaries may exploit this feature to exfiltrate data by sharing AMIs with external accounts under their control.
#### Possible Investigation Steps
- **Review the Sharing Event**: Identify the AMI involved and review the event details in AWS CloudTrail. Look for `ModifyImageAttribute` actions where the AMI attributes were changed to include additional user accounts.
- **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.response.response_elements` fields in the CloudTrail event to identify the AMI ID and the user ID of the account with which the AMI was shared.
- **Verify the Shared AMI**: Check the AMI that was shared and its contents to determine the sensitivity of the data stored within it.
- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in AMI configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.
- **Validate External Account**: Examine the AWS account to which the AMI was shared. Determine whether this account is known and previously authorized to access such resources.
- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing AMI deployments.
- **Audit Related Security Policies**: Check the security policies governing AMI sharing within your organization to ensure they are being followed and are adequate to prevent unauthorized sharing.
### False Positive Analysis
- **Legitimate Sharing Practices**: AMI sharing is a common and legitimate practice for collaboration and resource management in AWS. Always verify that the sharing activity was unauthorized before escalating.
- **Automation Tools**: Some organizations use automation tools for AMI management which might programmatically share AMIs. Verify if such tools are in operation and whether their actions are responsible for the observed behavior.
### Response and Remediation
- **Review and Revoke Unauthorized Shares**: If the share is found to be unauthorized, immediately revoke the shared permissions from the AMI.
- **Enhance Monitoring of Shared AMIs**: Implement monitoring to track changes to shared AMIs and alert on unauthorized access patterns.
- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.
- **Policy Update**: Review and possibly update your organization’s policies on AMI sharing to tighten control and prevent unauthorized access.
- **Educate Users**: Conduct training sessions for users involved in managing AMIs to reinforce best practices and organizational policies regarding AMI sharing.
### Additional Information
For more information on managing and sharing AMIs, refer to the [Amazon EC2 User Guide on AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) and [Sharing AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html). Additionally, explore adversarial techniques related to data exfiltration via AMI sharing as documented by Stratus Red Team [here](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/).
"""
references = [
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html",
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html",
"https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/",
]
risk_score = 47
rule_id = "6a309864-fc3f-11ee-b8cc-f661ea17fbce"
severity = "medium"
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS EC2",
"Use Case: Threat Detection",
"Tactic: Exfiltration",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com"
and event.action: ModifyImageAttribute and event.outcome: success
and aws.cloudtrail.request_parameters: (*imageId* and *add* and *userId*)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"