Exfiltrate an AMI by Sharing It

idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Exfiltration

Description

Exfiltrates an AMI by sharing it with an external AWS account.

Warm-up:

  • Create an AMI.

Detonation:

  • Share the AMI with an external, fictitious AWS account.

Instructions

Detonate with Stratus Red Team
stratus detonate aws.exfiltration.ec2-share-ami

Detection

Through CloudTrail's ModifyImageAttribute event: alert when requestParameters.launchPermission shows the AMI being shared with a new or unknown AWS account, for example:

"requestParameters": {
  "launchPermission": {
    "add": {
      "items": [{ "userId": "012345678901" }]
    }
  },
  "attributeType": "launchPermission",
  "imageId": "ami-0b87ea1d007078d18"
}

An attacker can also make an AMI completely public. In this case, the item entry will look like {"groups":"all"}.
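The following detection logic is an added example, not part of the Stratus Red Team documentation or its code. It applies the two rules above to CloudTrail records: flag any ModifyImageAttribute event that adds a launch permission for an account outside an allowlist (the allowlist KNOWN_ACCOUNTS and the sample records below are constructed for the example), and flag with higher severity any event that makes the AMI public. The EC2 LaunchPermission field is named Group, which CloudTrail writes as `group`; the code also accepts `groups` as spelled in the text above.

```python
import json

# Constructed sample CloudTrail records (not real events), one per line, trimmed
# to the fields the detection needs. The AMI id and external account id are the
# ones quoted on this page; 999999999999 stands in for the victim account.
SAMPLE_CLOUDTRAIL = """
{"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifyImageAttribute", "recipientAccountId": "999999999999", "userIdentity": {"arn": "arn:aws:iam::999999999999:user/alice"}, "requestParameters": {"launchPermission": {"add": {"items": [{"userId": "012345678901"}]}}, "attributeType": "launchPermission", "imageId": "ami-0b87ea1d007078d18"}}
{"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifyImageAttribute", "recipientAccountId": "999999999999", "userIdentity": {"arn": "arn:aws:iam::999999999999:user/bob"}, "requestParameters": {"launchPermission": {"add": {"items": [{"userId": "111111111111"}]}}, "attributeType": "launchPermission", "imageId": "ami-0b87ea1d007078d18"}}
{"eventTime": "2024-01-01T10:10:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifyImageAttribute", "recipientAccountId": "999999999999", "userIdentity": {"arn": "arn:aws:iam::999999999999:user/alice"}, "requestParameters": {"launchPermission": {"add": {"items": [{"group": "all"}]}}, "attributeType": "launchPermission", "imageId": "ami-0b87ea1d007078d18"}}
{"eventTime": "2024-01-01T10:15:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifyImageAttribute", "recipientAccountId": "999999999999", "userIdentity": {"arn": "arn:aws:iam::999999999999:user/carol"}, "requestParameters": {"description": {"value": "golden image"}, "imageId": "ami-0b87ea1d007078d18"}}
"""

# Assumption: accounts the organisation legitimately shares AMIs with
# (e.g. other accounts in the same AWS Organization or a known partner).
KNOWN_ACCOUNTS = {"111111111111"}


def parse_records(text):
    """Parse newline-delimited JSON CloudTrail records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ami_share_findings(record, known_accounts):
    """Return findings for one CloudTrail record (empty list if nothing suspicious).

    Only ModifyImageAttribute events that *add* launchPermission entries are
    relevant; description changes and permission removals are ignored.
    """
    findings = []
    if record.get("eventName") != "ModifyImageAttribute":
        return findings
    params = record.get("requestParameters") or {}
    additions = ((params.get("launchPermission") or {}).get("add") or {}).get("items") or []
    # Sharing an AMI with the account that owns it is a no-op, so treat the
    # event's own account as known.
    allowed = set(known_accounts) | {record.get("recipientAccountId")}
    base = {
        "imageId": params.get("imageId"),
        "eventTime": record.get("eventTime"),
        "actor": (record.get("userIdentity") or {}).get("arn"),
    }
    for item in additions:
        # EC2 LaunchPermission field "Group" appears in CloudTrail as "group";
        # "groups" is accepted as well, matching the spelling in the text above.
        group = item.get("group") or item.get("groups")
        if group == "all":
            findings.append(dict(base, severity="high", reason="AMI made public", target="all"))
        elif "userId" in item and item["userId"] not in allowed:
            findings.append(dict(base, severity="medium",
                                 reason="shared with unknown account", target=item["userId"]))
    return findings


def scan_cloudtrail(text, known_accounts):
    """Run the detection over a batch of newline-delimited CloudTrail records."""
    return [f for rec in parse_records(text) for f in ami_share_findings(rec, known_accounts)]


if __name__ == "__main__":
    for finding in scan_cloudtrail(SAMPLE_CLOUDTRAIL, KNOWN_ACCOUNTS):
        print(json.dumps(finding))
```

Running the block prints two findings: the share with account 012345678901 (not in the allowlist) and the `group: all` change that makes the AMI public. The share with 111111111111 and the description change produce nothing. In production the allowlist would be derived from the AWS Organization's account list, and the finding should also carry the source IP and session context from the full record.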