
AWS Threat Hunting Ideas: EC2

Overview:

The following are basic ideas for threat hunting searches over EC2 activity, each keyed to the CloudTrail event that records it.

1. Unauthorized Instance Launch (RunInstances)

  • Goal: Detect unauthorized EC2 instance creation (e.g., rogue instances).

  • CloudTrail Event: RunInstances

  • Hunting Idea:

    • Identify EC2 instances launched outside business hours or in unexpected regions.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=RunInstances
    • Look for instances launched using unusual instance types (e.g., GPU-enabled instances often used in cryptomining).
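The `lookup-events` output above can be scored directly: the following added example (not from the original page) walks a constructed sample in the same JSON shape the CLI returns and flags RunInstances calls that are off-hours, in an unexpected region, or for accelerated instance families. The region allowlist, business-hours window and family list are assumptions to adjust per account.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `aws cloudtrail lookup-events --output json`: each Event
# carries the full CloudTrail record as a JSON string in its CloudTrailEvent field.
SAMPLE_LOOKUP_OUTPUT = {"Events": [
    {"EventName": "RunInstances", "CloudTrailEvent": json.dumps({
        "eventTime": "2024-05-14T14:03:11Z", "awsRegion": "us-east-1",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-bot"},
        "requestParameters": {"instanceType": "t3.medium",
                              "instancesSet": {"items": [{"minCount": 1, "maxCount": 1}]}}})},
    {"EventName": "RunInstances", "CloudTrailEvent": json.dumps({
        "eventTime": "2024-05-15T02:41:09Z", "awsRegion": "ap-southeast-2",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"instanceType": "p3.8xlarge",
                              "instancesSet": {"items": [{"minCount": 8, "maxCount": 8}]}}})},
]}

EXPECTED_REGIONS = {"us-east-1", "us-west-2"}    # assumption: regions the account normally uses
BUSINESS_HOURS_UTC = range(8, 18)                # assumption: 08:00-17:59 UTC, Mon-Fri, is "in hours"
ACCELERATED_FAMILIES = ("p", "g", "inf", "trn")  # GPU/accelerator families favoured by cryptominers

def hunt_run_instances(lookup_output):
    """One finding per RunInstances event; an empty 'reasons' list means nothing looked odd."""
    findings = []
    for ev in lookup_output["Events"]:
        if ev["EventName"] != "RunInstances":
            continue
        rec = json.loads(ev["CloudTrailEvent"])
        params = rec.get("requestParameters", {})
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        itype = params.get("instanceType", "")
        count = sum(i.get("maxCount", 1) for i in params.get("instancesSet", {}).get("items", []))
        reasons = []
        if when.hour not in BUSINESS_HOURS_UTC or when.weekday() >= 5:
            reasons.append("outside business hours")
        if rec["awsRegion"] not in EXPECTED_REGIONS:
            reasons.append(f"unexpected region {rec['awsRegion']}")
        if itype.split(".")[0].startswith(ACCELERATED_FAMILIES):
            reasons.append(f"accelerated instance type {itype}")
        findings.append({"time": rec["eventTime"], "who": rec["userIdentity"]["arn"],
                         "region": rec["awsRegion"], "type": itype, "count": count, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in hunt_run_instances(SAMPLE_LOOKUP_OUTPUT):
        if f["reasons"]:
            print(f"{f['time']} {f['who']} launched {f['count']}x {f['type']} in {f['region']}: "
                  + ", ".join(f["reasons"]))
```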

2. Security Group Changes (AuthorizeSecurityGroupIngress/RevokeSecurityGroupIngress)

  • Goal: Detect attackers opening critical ports (e.g., SSH or RDP) or removing security controls.

  • CloudTrail Event: AuthorizeSecurityGroupIngress or RevokeSecurityGroupIngress

  • Hunting Idea:

    • Identify unauthorized changes that open ports like 22 (SSH) or 3389 (RDP).

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AuthorizeSecurityGroupIngress
    • Correlate with other suspicious activity (e.g., an unauthorized user changing security groups and logging in via SSH).
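Deciding whether an AuthorizeSecurityGroupIngress call actually exposed SSH or RDP means reading its requestParameters, including port ranges and the all-protocols value `-1`. The added example below (not from the original page) does that over constructed CloudTrail records; the CIDR width that counts as "the internet" is an assumption.

```python
import ipaddress
import json

# Constructed CloudTrail records for AuthorizeSecurityGroupIngress; the requestParameters
# layout (ipPermissions -> items -> ipRanges/ipv6Ranges) follows what CloudTrail writes for EC2.
SAMPLE_EVENTS = [
    json.dumps({"eventName": "AuthorizeSecurityGroupIngress", "eventTime": "2024-05-15T03:02:44Z",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "sourceIPAddress": "203.0.113.7",
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}, "ipv6Ranges": {"items": []}}]}}}),
    json.dumps({"eventName": "AuthorizeSecurityGroupIngress", "eventTime": "2024-05-15T09:10:00Z",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-admin"}, "sourceIPAddress": "198.51.100.20",
        "requestParameters": {"groupId": "sg-0fedcba9876543210", "ipPermissions": {"items": [
            {"ipProtocol": "-1",   # -1 = every protocol and every port
             "ipRanges": {"items": []}, "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]}}}),
]

SENSITIVE_PORTS = {22: "SSH", 3389: "RDP"}
MAX_OPEN_PREFIXLEN = 8   # assumption: a source CIDR of /8 or wider (e.g. 0.0.0.0/0) is "the internet"

def exposed_sensitive_ports(record_json):
    """Return [(groupId, port, service, cidr)] for each new rule exposing SSH or RDP to a wide CIDR."""
    rec = json.loads(record_json)
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress" or rec.get("errorCode"):
        return []  # ignore other APIs and calls that were denied (errorCode set)
    params = rec.get("requestParameters", {})
    hits = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        proto = perm.get("ipProtocol")
        if proto not in ("tcp", "-1"):
            continue
        lo, hi = (0, 65535) if proto == "-1" else (perm.get("fromPort", 0), perm.get("toPort", 65535))
        cidrs = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen > MAX_OPEN_PREFIXLEN:
                continue  # narrow source range, e.g. an office or VPC CIDR
            for port, service in SENSITIVE_PORTS.items():
                if lo <= port <= hi:
                    hits.append((params.get("groupId"), port, service, cidr))
    return hits

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for group, port, service, cidr in exposed_sensitive_ports(ev):
            print(f"{group}: {service} ({port}/tcp) opened to {cidr}")
```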

3. Stopping or Terminating EC2 Instances (StopInstances/TerminateInstances)

  • Goal: Detect instances being shut down or destroyed maliciously.

  • CloudTrail Event: StopInstances, TerminateInstances

  • Hunting Idea:

    • Monitor for StopInstances or TerminateInstances requests, especially during unusual times or from unexpected users.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=TerminateInstances
    • Review the user identity and source IP to ensure authorized personnel issued the commands.

4. Modifying IAM Role Attached to EC2 (AssociateIamInstanceProfile)

  • Goal: Detect privilege escalation via IAM role changes on EC2 instances.

  • CloudTrail Event: AssociateIamInstanceProfile or ReplaceIamInstanceProfileAssociation

  • Hunting Idea:

    • Hunt for new IAM roles associated with EC2 instances that grant broader privileges than the previous roles.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AssociateIamInstanceProfile
    • Identify if critical roles like AdministratorAccess or other privileged policies were attached to instances.

5. Metadata Exploitation Detection (GetInstanceMetadata/DescribeInstances)

  • Goal: Detect attempts to abuse metadata services (e.g., to steal IAM credentials).

  • CloudTrail Event: DescribeInstances

  • Hunting Idea:

    • Look for frequent DescribeInstances calls, which may indicate enumeration by an attacker.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DescribeInstances
    • Identify instances making outbound requests to metadata IP (169.254.169.254) to fetch credentials.

6. Disabling Security Monitoring (DisableAlarmActions)

  • Goal: Detect attackers disabling CloudWatch alarms to avoid detection.

  • CloudTrail Event: DisableAlarmActions

  • Hunting Idea:

    • Monitor for DisableAlarmActions events targeting alarms related to EC2 monitoring.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DisableAlarmActions
    • Correlate with other suspicious activity, such as privilege escalation or large outbound network transfers.

7. Snapshot Creation and Copying (CreateSnapshot/CopySnapshot)

  • Goal: Detect potential data theft by creating snapshots of sensitive volumes.

  • CloudTrail Event: CreateSnapshot, CopySnapshot

  • Hunting Idea:

    • Hunt for CreateSnapshot events targeting volumes attached to critical instances.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateSnapshot
    • Check if snapshots are copied to external or unauthorized AWS accounts using CopySnapshot.

8. Changes to Key Pairs (ImportKeyPair/DeleteKeyPair)

  • Goal: Detect unauthorized modifications to SSH keys used to access EC2 instances.

  • CloudTrail Event: ImportKeyPair, DeleteKeyPair

  • Hunting Idea:

    • Monitor for ImportKeyPair events to identify unauthorized SSH key uploads.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ImportKeyPair
    • Look for deletions (DeleteKeyPair) that could indicate an attacker trying to block legitimate access.

9. Root or Privileged API Calls (AssumeRole/AssumeRoleWithSAML)

  • Goal: Detect suspicious role assumptions tied to EC2 instances.

  • CloudTrail Event: AssumeRole, AssumeRoleWithSAML

  • Hunting Idea:

    • Hunt for AssumeRole events involving roles with administrative or privileged access.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRole
    • Cross-reference with EC2 operations to determine if the role was used for malicious activity.

10. Unusual API Usage (DescribeSecurityGroups/DescribeInstances)

  • Goal: Detect enumeration or reconnaissance activities by attackers.

  • CloudTrail Event: DescribeSecurityGroups, DescribeInstances

  • Hunting Idea:

    • Identify unusually frequent or automated calls to DescribeInstances or DescribeSecurityGroups APIs.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DescribeSecurityGroups
    • Monitor whether the API calls originate from unfamiliar IP addresses or unusual user agents.
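Ideas 5 and 10 both come down to who is calling DescribeInstances/DescribeSecurityGroups and how fast; IMDS requests to 169.254.169.254 never reach CloudTrail, but use of the instance role's credentials does, as an assumed-role session named after the instance ID. The added example below (not from the original page) groups those calls per caller over constructed records and flags bursts, unfamiliar user agents and instance-role callers; the window, threshold and user-agent allowlist are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime
READ_APIS = {"DescribeInstances", "DescribeSecurityGroups"}
WINDOW_SECONDS = 60       # assumption: sliding window for the burst check
BURST_THRESHOLD = 20      # assumption: calls per window that a person at the console would not reach
KNOWN_AGENT_PREFIXES = ("console.ec2.amazonaws.com", "aws-cli/", "aws-sdk-go", "Boto3")  # assumption

def _rec(event_name, t, arn, ip, agent):
    return json.dumps({"eventName": event_name, "eventTime": t, "sourceIPAddress": ip,
                       "userAgent": agent, "userIdentity": {"arn": arn}, "awsRegion": "us-east-1"})

# Constructed CloudTrail records: an EC2 instance role's credentials (STS names IMDS-issued sessions
# after the instance ID) polling every 2 s with a scripting user agent, plus one normal user.
SAMPLE_RECORDS = [_rec("DescribeInstances", f"2024-05-15T04:00:{i * 2:02d}Z",
                       "arn:aws:sts::111122223333:assumed-role/web-ec2-role/i-0abc12345def67890",
                       "203.0.113.9", "python-requests/2.31") for i in range(25)]
SAMPLE_RECORDS += [_rec("DescribeSecurityGroups", "2024-05-15T10:15:00Z",
                        "arn:aws:iam::111122223333:user/alice", "198.51.100.4", "aws-cli/2.15.0")]

def hunt_enumeration(records):
    """Group read-only EC2 calls per caller; flag bursts, unknown user agents and instance-role callers."""
    by_caller = defaultdict(list)
    for raw in records:
        rec = json.loads(raw)
        if rec.get("eventName") in READ_APIS:
            by_caller[rec["userIdentity"]["arn"]].append(rec)
    findings = []
    for arn, recs in by_caller.items():
        times = sorted(datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ") for r in recs)
        peak = start = 0
        for end in range(len(times)):  # two-pointer sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            peak = max(peak, end - start + 1)
        agents = {r.get("userAgent", "") for r in recs}
        unknown = sorted(a for a in agents if not a.startswith(KNOWN_AGENT_PREFIXES))
        reasons = []
        if peak >= BURST_THRESHOLD:
            reasons.append(f"{peak} calls within {WINDOW_SECONDS}s")
        if unknown:
            reasons.append("unfamiliar user agent(s): " + ", ".join(unknown))
        if ":assumed-role/" in arn and arn.rsplit("/", 1)[-1].startswith("i-"):
            reasons.append("instance role credentials used for enumeration (possible IMDS credential theft)")
        if reasons:
            findings.append({"caller": arn, "calls": len(recs), "peak": peak, "reasons": reasons,
                             "source_ips": sorted({r["sourceIPAddress"] for r in recs})})
    return findings

if __name__ == "__main__":
    for f in hunt_enumeration(SAMPLE_RECORDS):
        print(f"{f['caller']} ({', '.join(f['source_ips'])}): {f['calls']} calls; " + "; ".join(f["reasons"]))
```

For the instance-role case, compare `source_ips` with the instance's own addresses: instance credentials used from anywhere else are the strongest sign that they were read from the metadata service and carried off.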


Last updated 8 months ago