Exfiltrate an AMI by Sharing It
idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Exfiltration
Description
Exfiltrates an AMI by sharing it with an external AWS account.
Warm-up:
- Create an AMI.
Detonation:
- Share the AMI with an external, fictitious AWS account.
Instructions
Detection
Through CloudTrail's ModifyImageAttribute event, when requestParameters.launchPermission shows that the AMI was shared with a new or unknown AWS account, such as:

```json
"requestParameters": {
  "launchPermission": {
    "add": {
      "items": [{ "userId": "012345678901" }]
    }
  },
  "attributeType": "launchPermission",
  "imageId": "ami-0b87ea1d007078d18"
}
```
An attacker can also make an AMI completely public. In this case, the item entry will look like `{"groups":"all"}`.
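Detection logic for the event shape shown above, as an added example that is not part of the original page: it scans CloudTrail records for ModifyImageAttribute calls that add a launch permission either for an account outside an assumed allowlist (TRUSTED_ACCOUNTS, not from the page) or for the "all" group, which makes the AMI public. The CloudTrail records are constructed sample data.

```python
import json

# Assumption (not from the page): account IDs allowed to receive shared AMIs.
TRUSTED_ACCOUNTS = {"111111111111"}


def _event(items, name="ModifyImageAttribute"):
    """Build a constructed CloudTrail record in the shape shown above."""
    return {"eventSource": "ec2.amazonaws.com", "eventName": name,
            "requestParameters": {"attributeType": "launchPermission",
                                  "imageId": "ami-0b87ea1d007078d18",
                                  "launchPermission": {"add": {"items": items}}}}


SAMPLE_RECORDS = [
    _event([{"userId": "012345678901"}]),   # shared with an unknown account
    _event([{"group": "all"}]),             # AMI made public
    _event([{"userId": "111111111111"}]),   # trusted account: no finding
    _event([{"userId": "012345678901"}], name="DescribeImages"),  # ignored
]


def find_ami_sharing(records, trusted_accounts=TRUSTED_ACCOUNTS):
    """Return one finding per launch permission added for an untrusted
    principal, or for the 'all' group (public AMI)."""
    findings = []
    for rec in records:
        if (rec.get("eventSource") != "ec2.amazonaws.com"
                or rec.get("eventName") != "ModifyImageAttribute"):
            continue
        params = rec.get("requestParameters") or {}
        if params.get("attributeType") != "launchPermission":
            continue
        # Only additions widen exposure; "remove" entries are not flagged.
        added = (params.get("launchPermission") or {}).get("add") or {}
        for item in added.get("items") or []:
            # The EC2 LaunchPermission field is "group"; the text above writes
            # it as "groups", so both keys are accepted.
            if item.get("group") == "all" or item.get("groups") == "all":
                findings.append({"imageId": params.get("imageId"),
                                 "sharedWith": "public", "severity": "high"})
            elif item.get("userId") not in trusted_accounts:
                # Unknown account ID, or an organization/OU ARN entry.
                findings.append({"imageId": params.get("imageId"),
                                 "sharedWith": json.dumps(item, sort_keys=True),
                                 "severity": "medium"})
    return findings
```

In practice the records would come from a CloudTrail log file or a CloudTrail Lake query rather than the constructed list, and the public-sharing case should page immediately.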