
MITRE ATT&CK in Amazon Web Services (AWS):

A defender’s cheat sheet


A helpful way to map MITRE ATT&CK tactics to AWS API calls

Bottom line: This guide contains a breakdown of the tactics we see attackers use most often during attacks in AWS. In order to give you a jump start on investigations in your own AWS environment, we’ve mapped the AWS services in which these tactics often originate (thanks, crafty attackers) along with the API calls the attackers make to execute on said techniques.

Chasing down AWS GuardDuty alerts and combing through CloudTrail logs can be tough if you don’t know what to look for (or even if you do). Knowing which API calls are associated with different attack tactics isn’t intuitive – which is why we created this handy cheat sheet to help you while you’re investigating incidents in AWS.

As a bonus, we’re throwing in some of our own tips and tricks that you can use when you’re investigating an incident in AWS that’s related to any of these attack tactics.

How to use this cheat sheet

This cheat sheet is intended to be a resource to help answer investigative questions during AWS alert triage, investigations and incident response. You can use it to quickly identify potential attacks in AWS and map them to MITRE ATT&CK tactics. Depending on which phase of an attack you’re investigating, you can also use it to identify other potential attack paths and MITRE ATT&CK tactics the attacker might have used. This’ll help you see the bigger picture and identify risky activity and behaviors that could indicate you’re compromised and require remediation.

For example, if you see suspected credential access, you can investigate to check how that principal authenticated to AWS, whether they’ve assumed any other roles and whether there are any other suspicious API calls that would point to an attacker. Some other tactics that an attacker could have executed prior to credential access are discovery, persistence and privilege escalation.

2 MITRE ATT&CK in Amazon Web Services (AWS): A defender’s cheat sheet


AWS mind map for investigations and incidents

Legend: circle = MITRE ATT&CK tactics; rectangle = AWS services; oval = IAM resources; outlined rectangle = API calls. AWS CloudTrail sits at the center of the map, with each tactic branching out to the services and API calls below.

Initial access
  Console/CLI: ConsoleLogin, GetFederationToken, GetSessionToken, StartSession, GetAuthorizationToken

Persistence
  AWS IAM: CreateUser, CreateRole, UpdateAssumeRolePolicy, CreateAccessKey
  AWS Lambda: CreateFunction, UpdateFunctionCode
  Amazon EC2: CreateInstance, CreateKeyPair, CreateImage, CreateRepository, PutImage

Privilege escalation
  AWS Lambda: CreateFunction, UpdateFunctionConfiguration, UpdateFunctionCode
  AWS IAM
    User: CreateUser, CreateLoginProfile, UpdateProfile, PutUserPolicy, AttachUserPolicy, AddUserToGroup
    Group: CreateGroup, PutGroupPolicy
    Role: CreateRole, AssumeRole, CreateInstanceProfile, UpdateAssumeRolePolicy, AttachRolePolicy, PutRolePolicy
    Policy: CreatePolicy, CreatePolicyVersion

Credential access
  AWS Secrets Manager: GetSecretValue
  Amazon EC2: GetPasswordData

Discovery
  AWS services: Get*, List*, Head*, Describe*

Collection
  AWS services: CopyObject, GetObject, GetConsoleScreenshot, CreateSnapshot

Exfiltration
  AWS AMI: ModifySnapshotAttribute, ModifyImageAttribute
  AWS EBS: ModifySnapshotAttribute
  AWS S3: PutBucketPolicy, PutBucketAcl
  AWS RDS: RestoreDBInstanceFromDBSnapshot

* represents a wildcard that can be substituted for several AWS APIs

www.expel.io
A closer look at tactics, techniques and API calls

To help you get a better sense of how we think about our investigations in AWS, let’s take a closer look at the tactics, techniques and associated API calls attackers might use.



MITRE ATT&CK tactic: Initial access

- Why attackers do it: To gain access to your AWS environment.

- How attackers execute it: AWS console or command-line interface.

- Look for these API calls: ConsoleLogin, GetFederationToken, GetSessionToken, StartSession and GetAuthorizationToken.

- Investigation tips and tricks: Review the source of authentication, user-agent strings and the credentials used to access the AWS environment. Investigate the authenticating principal, geo-impossible authentications, suspicious IP addresses and anomalous authentication behavior to identify whether this is legitimate access.

Diagram: Initial access -> Console/CLI -> ConsoleLogin, GetFederationToken, GetSessionToken, StartSession, GetAuthorizationToken
MITRE ATT&CK tactic: Persistence

- Why attackers do it: To maintain access to your AWS environment across any interruptions.

- How attackers execute it: Identity and Access Management (IAM), AWS Lambda and Amazon Elastic Compute Cloud (EC2).

- Look for these API calls: CreateFunction, UpdateFunctionCode, CreateUser, CreateRole, UpdateAssumeRolePolicy, CreateAccessKey, CreateInstance, CreateKeyPair, CreateImage, CreateRepository and PutImage.

- Investigation tips and tricks: Look out for new or updated IAM resources, Amazon EC2 resources or backdoor Lambda functions. Persistence in these services is intended to provide the attacker a means to re-enter the AWS environment. Attackers may also rotate access keys for compromised accounts.

Diagram: Persistence -> AWS IAM: CreateUser, CreateRole, UpdateAssumeRolePolicy, CreateAccessKey; Amazon EC2: CreateInstance, CreateKeyPair, CreateImage, CreateRepository, PutImage; AWS Lambda: CreateFunction, UpdateFunctionCode


MITRE ATT&CK tactic: Privilege escalation

- Why attackers do it: To gain higher-level permissions within your AWS environment and complete their objective(s). Elevated permissions are typically required to establish persistence, access credentials and perform collection and exfiltration.

- How attackers execute it: AWS IAM and AWS Lambda.

- Look for these API calls: CreateFunction, UpdateFunctionConfiguration, UpdateFunctionCode, CreatePolicy, CreatePolicyVersion, CreateRole, AssumeRole, CreateInstanceProfile, UpdateAssumeRolePolicy, AttachRolePolicy and PutRolePolicy.

- Investigation tips and tricks: Look out for IAM groups, roles, policies or users being created or modified after unauthorized access. The attacker may attach IAM resources to a compromised or newly created user to inherit elevated permissions. Lambda functions may also be used to automate the abuse of IAM resources to gain these permissions.

Diagram: Privilege escalation -> AWS Lambda: CreateFunction, UpdateFunctionConfiguration, UpdateFunctionCode; AWS IAM -> User: CreateUser, CreateLoginProfile, UpdateProfile, PutUserPolicy, AttachUserPolicy, AddUserToGroup; Group: CreateGroup, PutGroupPolicy; Role: CreateRole, AssumeRole, CreateInstanceProfile, UpdateAssumeRolePolicy, AttachRolePolicy, PutRolePolicy; Policy: CreatePolicy, CreatePolicyVersion
MITRE ATT&CK tactic: Credential access

- Why attackers do it: To access and acquire credentials in the AWS environment. Stolen credentials may allow attackers to gain access to different AWS resources, settings and permissions.

- How attackers usually execute it: Amazon EC2 and AWS Secrets Manager.

- Look for these API calls: GetPasswordData and GetSecretValue.

- Investigation tips and tricks: Review the principal authentication details, source of activity and other API calls performed by the Amazon Resource Name (ARN) to see if this behavior is abnormal. An attacker will likely have performed a series of other events prior to attempting to access credentials.

Diagram: Credential access -> AWS Secrets Manager: GetSecretValue; Amazon EC2: GetPasswordData


MITRE ATT&CK tactic: Discovery

- Why attackers do it: To discover and enumerate sensitive information about the AWS environment.

- How attackers usually execute it: AWS services.

- Look for these API calls: The majority of APIs that begin with Get*, List*, Head* and Describe*.

- Investigation tips and tricks: Automated reconnaissance typically occurs in bursts and can be noisy in CloudTrail logs. Investigate the principal and the ARN to see if these API calls are in line with expected behavior. A time series of API calls can be helpful when determining if these API calls are expected behavior.

Diagram: Discovery -> AWS services: Get*, List*, Head*, Describe*

* represents a wildcard that can be substituted for several AWS APIs
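The burst and time-series tips above, worked as an added example (this is not code from the cheat sheet or from Expel): it buckets one principal's Get*/List*/Head*/Describe* calls into fixed windows and flags any window over a threshold. The ARNs, event names and the 20-calls-per-minute threshold are constructed assumptions, and the records carry only the CloudTrail fields the code reads.

```python
import fnmatch
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY = ("Get*", "List*", "Head*", "Describe*")  # the cheat sheet's wildcards
EPOCH = datetime(1970, 1, 1)

def is_discovery(event_name):
    return any(fnmatch.fnmatchcase(event_name, p) for p in DISCOVERY)

def time_series(records, arn, window=timedelta(minutes=1)):
    """Discovery calls by one principal, bucketed into fixed windows: a list of
    (window_start, count) in time order, the time series the cheat sheet suggests."""
    counts = defaultdict(int)
    for r in records:
        if r["userIdentity"].get("arn") != arn or not is_discovery(r["eventName"]):
            continue
        t = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        counts[EPOCH + ((t - EPOCH) // window) * window] += 1
    return sorted(counts.items())

def discovery_bursts(records, window=timedelta(minutes=1), threshold=20):
    """(arn, window_start, count) for every principal/window whose read-only API
    volume reaches threshold; threshold is an assumed tuning value, not from the page."""
    arns = {r["userIdentity"].get("arn") for r in records}
    return [(arn, start, n) for arn in sorted(arns, key=str)
            for start, n in time_series(records, arn, window) if n >= threshold]

# Constructed sample: one principal fires 25 read-only calls in 25 seconds (a burst),
# another makes one DescribeInstances call an hour apart. Not real CloudTrail data.
NOISY = "arn:aws:iam::123456789012:user/ci-runner"
QUIET = "arn:aws:iam::123456789012:role/ops-admin"
NAMES = ["DescribeInstances", "ListBuckets", "ListUsers", "DescribeSecurityGroups",
         "GetCallerIdentity"]
SAMPLE = [{"eventTime": "2020-05-01T10:00:%02dZ" % i, "eventName": NAMES[i % 5],
           "userIdentity": {"arn": NOISY}} for i in range(25)]
SAMPLE += [{"eventTime": "2020-05-01T%02d:00:00Z" % h, "eventName": "DescribeInstances",
            "userIdentity": {"arn": QUIET}} for h in (10, 11, 12)]
SAMPLE.append({"eventTime": "2020-05-01T10:00:05Z", "eventName": "RunInstances",
               "userIdentity": {"arn": NOISY}})  # not read-only, so never counted
```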
MITRE ATT&CK tactic: Collection

- Why attackers do it: To collect sensitive data from AWS resources and services. Attackers typically exfiltrate collected data to their own infrastructure.

- How attackers usually execute it: Amazon EC2 and Amazon Simple Storage Service (S3).

- Look for these API calls: CopyObject, GetObject, GetConsoleScreenshot and CreateSnapshot.

- Investigation tips and tricks: Look out for any data collection from S3 buckets and EC2 instances. Investigate the principal to see where they authenticated from and if they typically interact with these AWS services to collect sensitive information. Historical CloudTrail logs for these resources and API calls may also provide insight into whether or not this is expected activity in the environment.

Diagram: Collection -> AWS services: CopyObject, GetObject, GetConsoleScreenshot, CreateSnapshot


MITRE ATT&CK tactic: Exfiltration

- Why attackers do it: To remove sensitive information and data from the AWS environment to attacker-controlled infrastructure.

- How attackers usually execute it: Amazon Machine Image (AMI), Amazon Elastic Block Store (EBS), Amazon S3 and Amazon Relational Database Service (RDS).

- Look for these API calls: ModifySnapshotAttribute, ModifyImageAttribute, PutBucketPolicy, PutBucketAcl and RestoreDBInstanceFromDBSnapshot.

- Investigation tips and tricks: Look out for any abnormal changes to AWS AMI, EBS, S3 and RDS services that would allow the attacker to copy, move or make the resources publicly available – especially if there isn’t a known business need. If you spot suspected exfiltration, investigate the ARN and principal’s previous API calls, source and method of authentication along with user-agent string to see if this is in line with normal behavior.

Diagram: Exfiltration -> AWS AMI: ModifySnapshotAttribute, ModifyImageAttribute; AWS EBS: ModifySnapshotAttribute; AWS S3: PutBucketPolicy, PutBucketAcl; AWS RDS: RestoreDBInstanceFromDBSnapshot
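The API-to-tactic mapping in this cheat sheet and the credential-access pivot described under "How to use this cheat sheet", as an added example that is not part of the original document: it tags CloudTrail eventName values with the tactics listed above (exact entries win over the Discovery wildcards, and one call may belong to two tactics) and walks back through one principal's earlier calls to see which tactics preceded the suspect event. The records and ARNs are constructed, and the user/group API calls folded into the privilege-escalation list come from the mind map rather than the section's prose.

```python
import fnmatch

# Tactic -> API calls as the cheat sheet maps them; "*" entries are its wildcards.
TACTIC_APIS = {
    "Initial access": ["ConsoleLogin", "GetFederationToken", "GetSessionToken",
                       "StartSession", "GetAuthorizationToken"],
    "Persistence": ["CreateFunction", "UpdateFunctionCode", "CreateUser", "CreateRole",
                    "UpdateAssumeRolePolicy", "CreateAccessKey", "CreateInstance",
                    "CreateKeyPair", "CreateImage", "CreateRepository", "PutImage"],
    "Privilege escalation": ["CreateFunction", "UpdateFunctionConfiguration", "UpdateFunctionCode",
                             "CreatePolicy", "CreatePolicyVersion", "CreateRole", "AssumeRole",
                             "CreateInstanceProfile", "UpdateAssumeRolePolicy", "AttachRolePolicy",
                             "PutRolePolicy", "CreateLoginProfile", "PutUserPolicy",
                             "AttachUserPolicy", "AddUserToGroup", "CreateGroup", "PutGroupPolicy"],
    "Credential access": ["GetPasswordData", "GetSecretValue"],
    "Discovery": ["Get*", "List*", "Head*", "Describe*"],
    "Collection": ["CopyObject", "GetObject", "GetConsoleScreenshot", "CreateSnapshot"],
    "Exfiltration": ["ModifySnapshotAttribute", "ModifyImageAttribute", "PutBucketPolicy",
                     "PutBucketAcl", "RestoreDBInstanceFromDBSnapshot"],
}

def tactics_for(event_name):
    """Cheat-sheet tactics for a CloudTrail eventName. An exact entry beats the
    Discovery wildcards (GetSecretValue is credential access, not discovery)."""
    exact = [t for t, apis in TACTIC_APIS.items() if event_name in apis]
    return exact or [t for t, apis in TACTIC_APIS.items() if any(
        p.endswith("*") and fnmatch.fnmatchcase(event_name, p) for p in apis)]

def pivot_on_principal(records, arn):
    """Chronological (eventTime, eventName, tactics) for one principal's ARN."""
    mine = sorted((r for r in records if r["userIdentity"].get("arn") == arn),
                  key=lambda r: r["eventTime"])
    return [(r["eventTime"], r["eventName"], tactics_for(r["eventName"])) for r in mine]

def tactics_before(records, suspect):
    """Tactics the same principal used before the suspect event (the pivot the
    cheat sheet describes for a suspected credential-access hit)."""
    arn = suspect["userIdentity"]["arn"]
    return sorted({t for when, _, tactics in pivot_on_principal(records, arn)
                   if when < suspect["eventTime"] for t in tactics})

# Constructed CloudTrail-style records (only the fields used here), not real logs.
ARN, OTHER = "arn:aws:iam::123456789012:user/build-svc", "arn:aws:iam::123456789012:role/ops"
SAMPLE_RECORDS = [
    {"eventTime": "2020-05-01T10:00:00Z", "eventName": "ConsoleLogin", "userIdentity": {"arn": ARN}},
    {"eventTime": "2020-05-01T10:01:10Z", "eventName": "ListUsers", "userIdentity": {"arn": ARN}},
    {"eventTime": "2020-05-01T10:02:30Z", "eventName": "AttachUserPolicy", "userIdentity": {"arn": ARN}},
    {"eventTime": "2020-05-01T10:05:00Z", "eventName": "GetSecretValue", "userIdentity": {"arn": ARN}},
    {"eventTime": "2020-05-01T10:03:00Z", "eventName": "DescribeInstances", "userIdentity": {"arn": OTHER}},
]
```

SAMPLE_RECORDS[3] is the suspected credential-access event; tactics_before(SAMPLE_RECORDS, SAMPLE_RECORDS[3]) shows the initial access, discovery and privilege escalation that led up to it, while the other principal's DescribeInstances call is ignored.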

Our SOC-as-a-service capability offers 24x7 security monitoring and response for cloud, hybrid and on-premises environments. We use the security signals
our customers already own so organizations can get more value from their existing security investments. We connect to customer tech remotely through
APIs, not agents, so our SOC can start monitoring a customer’s environment in a matter of hours, letting their internal teams get back to focusing on the
most strategic security priorities that are unique to their business. Learn more at www.expel.io.

© 2020 Expel, Inc.
