# Exfiltrate an AMI by Sharing It

Idempotent

Platform: AWS

## MITRE ATT&CK Tactics

- Exfiltration

## Description

Exfiltrates an AMI by sharing it with an external AWS account.
Warm-up:
- Create an AMI.
Detonation:
- Share the AMI with an external, fictitious AWS account.
## Instructions

## Detection

Through CloudTrail's `ModifyImageAttribute` event, when `requestParameters.launchPermission` shows that the AMI was shared with a new or unknown AWS account, such as:
```json
"requestParameters": {
  "launchPermission": {
    "add": {
      "items": [{ "userId": "012345678901" }]
    }
  },
  "attributeType": "launchPermission",
  "imageId": "ami-0b87ea1d007078d18"
}
```
An attacker can also make an AMI completely public. In this case, the item entry will look like `{"groups":"all"}`.
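A detection routine that applies the rule above to CloudTrail records, as an added example (not code from the Stratus Red Team project): it flags every launch permission granted to an account outside an allowlist, or to the public group. The sample records, the AMI id and the `KNOWN_ACCOUNTS` allowlist are constructed for the example.

```python
import json

# Constructed CloudTrail records in the shape the page shows (ids are made up).
# Record 1 shares with an unknown account, record 2 makes the AMI public,
# record 3 is a benign share with an account from the allowlist.
SAMPLE_LOG = """{"Records": [
 {"eventName": "ModifyImageAttribute", "eventSource": "ec2.amazonaws.com",
  "requestParameters": {"attributeType": "launchPermission",
   "imageId": "ami-0b87ea1d007078d18",
   "launchPermission": {"add": {"items": [{"userId": "012345678901"}]}}}},
 {"eventName": "ModifyImageAttribute", "eventSource": "ec2.amazonaws.com",
  "requestParameters": {"attributeType": "launchPermission",
   "imageId": "ami-0b87ea1d007078d18",
   "launchPermission": {"add": {"items": [{"group": "all"}]}}}},
 {"eventName": "ModifyImageAttribute", "eventSource": "ec2.amazonaws.com",
  "requestParameters": {"attributeType": "launchPermission",
   "imageId": "ami-0b87ea1d007078d18",
   "launchPermission": {"add": {"items": [{"userId": "222222222222"}]}}}}
]}"""

# Hypothetical allowlist: accounts that may legitimately receive shared AMIs,
# e.g. every account in your AWS Organization.
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}


def ami_share_findings(event, known_accounts=KNOWN_ACCOUNTS):
    """Return (imageId, target) for each launch permission this event grants to
    an account outside known_accounts or to the public; [] if benign."""
    if event.get("eventName") != "ModifyImageAttribute":
        return []
    params = event.get("requestParameters") or {}
    items = (params.get("launchPermission") or {}).get("add", {}).get("items", [])
    findings = []
    for item in items:
        # The page shows {"groups":"all"}; the EC2 LaunchPermission field is
        # named "Group", so accept either key rather than miss a public share.
        if item.get("group") == "all" or item.get("groups") == "all":
            findings.append((params.get("imageId"), "PUBLIC"))
        elif "userId" in item and item["userId"] not in known_accounts:
            findings.append((params.get("imageId"), item["userId"]))
    return findings


def scan_cloudtrail(raw_json, known_accounts=KNOWN_ACCOUNTS):
    """Parse a CloudTrail log body and return all AMI-sharing findings."""
    findings = []
    for record in json.loads(raw_json).get("Records", []):
        findings.extend(ami_share_findings(record, known_accounts))
    return findings
```

Sharing via the `organizationArn` and `organizationalUnitArn` launch-permission fields is not covered by this rule and needs its own check.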
## Detonation logs

The following CloudTrail events are generated when this technique is detonated:

- `ec2:ModifyImageAttribute`

Raw detonation logs:
```json
[
  {
    "awsRegion": "me-south-1r",
    "eventCategory": "Management",
    "eventID": "1f00bcfa-e050-4c2e-b99b-768ebe3a3dd3",
    "eventName": "ModifyImageAttribute",
    "eventSource": "ec2.amazonaws.com",
    "eventTime": "2024-08-01T12:25:57Z",
    "eventType": "AwsApiCall",
    "eventVersion": "1.09",
    "managementEvent": true,
    "readOnly": false,
    "recipientAccountId": "118238665043",
    "requestID": "dd81ae39-a261-4e85-87a4-01fe22abc602",
    "requestParameters": {
      "attributeType": "launchPermission",
      "imageId": "ami-de1fbCab6ccB03e6D",
      "launchPermission": {
        "add": {
          "items": [
            {
              "userId": "846424999548"
            }
          ]
        }
      }
    },
    "responseElements": {
      "_return": true,
      "requestId": "dd81ae39-a261-4e85-87a4-01fe22abc602"
    },
    "sourceIPAddress": "253.19.58.252",
    "tlsDetails": {
      "cipherSuite": "TLS_AES_128_GCM_SHA256",
      "clientProvidedHostHeader": "ec2.me-south-1r.amazonaws.com",
      "tlsVersion": "TLSv1.3"
    },
    "userAgent": "stratus-red-team_a532baf6-7731-4c0f-b089-48508276f787",
    "userIdentity": {
      "accessKeyId": "AKIA40XZ2OQU8R4QKTAC",
      "accountId": "118238665043",
      "arn": "arn:aws:iam::118238665043:user/christophe",
      "principalId": "AIDAYO61EC4B4W5G6BXN",
      "type": "IAMUser",
      "userName": "christophe"
    }
  }
]
```