
[ AWS Threat Detection Part - 3 ] Detecting Attacks in AWS using CloudTrail Logs - Chapter 2

Author
TheDeadThinker

Overview

In the last part of the CloudTrail log analysis we identified three suspicious ARNs and four IPs (two of which belong to AWS), found that objects were downloaded from the betadocumentsv2 S3 bucket, and established that the activity started around 4 Jul 2024 12:00. In this part we will build a timeline of the events and conclude exactly which services were compromised.

Details Identified

  • Three suspicious ARNs were identified:
arn:aws:sts::339712839666:assumed-role/EC2RoleForServers/i-0003a74a081eb21bb
arn:aws:sts::339712839666:assumed-role/aws:ec2-instance/i-0fcc1a99214f7dcdc
arn:aws:iam::339712839666:user/developer
  • Multiple IPs were identified that need further investigation:
36.50.238.1
18.188.58.36 // AWS IP
18.224.8.62  // AWS IP 
188.214.122.83
  • Objects were downloaded from the betadocumentsv2 S3 bucket:
network diagram - version 1.png
network diagram - version 0.1.png
  • Nearest time when the suspicious events started: 4 Jul 2024 12:00

Investigating ARNs & IPs

ARN: EC2RoleForServers

index="tb-cloudtrail" "userIdentity.arn"="arn:aws:sts::339712839666:assumed-role/EC2RoleForServers/i-0003a74a081eb21bb"
| fillnull errorCode value=null
| search errorCode=null
| stats count by _time eventName sourceIPAddress

Let’s start with the EC2RoleForServers assumed role, as it is the first one found in the log.

This ARN is mainly performing activities related to the EC2 service, such as AuthorizeSecurityGroupIngress, CreateKeyPair, DescribeImages and RunInstances.

It means that after gaining access to the server, the attacker started creating security groups and a key pair, which can then be used when starting a new instance. Before RunInstances, the DescribeImages API is called; it returns details about the AMIs available in the public or private AWS environment.

index="tb-cloudtrail" "userIdentity.arn"="arn:aws:sts::339712839666:assumed-role/EC2RoleForServers/i-0003a74a081eb21bb" eventName="RunInstances"
| fillnull errorCode value=null
| search errorCode=null
| stats count by _time eventName sourceIPAddress responseElements.instancesSet.items{}.instanceId

The attacker only checked for images owned by the current organization and then called RunInstances. The hypothesis here is that the attacker found an AMI and used that same AMI to spawn the instance. Since DescribeImages does not log its response, we cannot confirm this, but for RunInstances we can check the request parameters, as they contain all arguments passed to the API (key pair, security group, VPC ID, AMI etc.), and then compare them with the list of AMIs we own or confirm with the Cloud or DevOps team.

Last Activity Time: 2024-07-04 13:04:00 UTC

ARN: i-0fcc1a99214f7dcdc

index="tb-cloudtrail" "userIdentity.arn"="arn:aws:sts::339712839666:assumed-role/aws:ec2-instance/i-0fcc1a99214f7dcdc"
| fillnull errorCode value=null
| search errorCode=null
| stats count by _time eventName sourceIPAddress

If we look at the instance ID carefully, it is the same instance that was spawned by EC2RoleForServers/i-0003a74a081eb21bb, and it performed a single activity: RegisterManagedInstance.
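As an added example (not code from the original post), the Python below does what the two sections above do by hand: it reads successful RunInstances events, compares the requested AMI against an allowlist of AMIs the organisation owns, records the key pair and security groups passed to the API, and links the launched instance id to the instance-profile session that later acts under that id. The account id, role names and instance ids follow the post; the event records, AMI, key-pair and security-group ids, and the allowlist are constructed sample data.

```python
"""Correlate RunInstances launches with later instance-profile sessions in CloudTrail.

Added example, not from the original post. Records are constructed to look like
CloudTrail JSON; only account id, role names and instance ids follow the post."""
import re

# Instance-profile session ARNs end in "<role>/<instance-id>", both for custom roles
# (EC2RoleForServers/i-...) and the service form (aws:ec2-instance/i-...).
INSTANCE_SESSION_RE = re.compile(r":assumed-role/[^/]+/(i-[0-9a-f]{8,17})$")

ROLE_ARN = "arn:aws:sts::339712839666:assumed-role/EC2RoleForServers/i-0003a74a081eb21bb"

SAMPLE_EVENTS = [  # constructed sample data
    {"eventTime": "2024-07-04T13:04:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "18.188.58.36", "userIdentity": {"arn": ROLE_ARN},
     "requestParameters": {
         "instancesSet": {"items": [{"imageId": "ami-0aaaaaaaaaaaaaaaa", "minCount": 1, "maxCount": 1}]},
         "keyName": "kp-example",  # assumed key pair name
         "networkInterfaceSet": {"items": [{"groupSet": {"items": [{"groupId": "sg-0bbbbbbbbbbbbbbbb"}]}}]}},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0fcc1a99214f7dcdc"}]}}},
    {"eventTime": "2024-07-04T13:04:00Z", "eventName": "RegisterManagedInstance",
     "sourceIPAddress": "18.224.8.62",
     "userIdentity": {"arn": "arn:aws:sts::339712839666:assumed-role/aws:ec2-instance/i-0fcc1a99214f7dcdc"}},
    # A failed launch: dropped, exactly like the post's fillnull/search errorCode=null filter.
    {"eventTime": "2024-07-04T13:01:00Z", "eventName": "RunInstances",
     "errorCode": "Client.UnauthorizedOperation", "sourceIPAddress": "18.188.58.36",
     "userIdentity": {"arn": ROLE_ARN},
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0ccccccccccccccccc"}]}}},
]

# Assumed allowlist of AMIs the organisation owns (e.g. from an inventory of DescribeImages --owners self).
OWNED_AMIS = {"ami-0dddddddddddddddd"}


def instance_id_from_arn(arn):
    """Return the instance id embedded in an instance-profile session ARN, else None."""
    m = INSTANCE_SESSION_RE.search(arn or "")
    return m.group(1) if m else None


def items(obj, *path):
    """Walk nested CloudTrail keys and return the trailing 'items' list, or [] if absent."""
    for key in path:
        obj = obj.get(key, {}) if isinstance(obj, dict) else {}
    return obj.get("items", []) if isinstance(obj, dict) else []


def extract_launches(events):
    """Map each successfully launched instance id to what RunInstances was asked for."""
    launches = {}
    for ev in events:
        if ev.get("eventName") != "RunInstances" or ev.get("errorCode"):
            continue
        req = ev.get("requestParameters", {})
        image_ids = {i["imageId"] for i in items(req, "instancesSet") if "imageId" in i}
        # Security groups may sit on a network interface or at the top level of the request.
        groups = [g["groupId"] for nic in items(req, "networkInterfaceSet")
                  for g in items(nic, "groupSet") if "groupId" in g]
        groups += [g["groupId"] for g in items(req, "groupSet") if "groupId" in g]
        for inst in items(ev, "responseElements", "instancesSet"):
            launches[inst["instanceId"]] = {
                "time": ev["eventTime"], "launchedBy": ev["userIdentity"]["arn"],
                "sourceIP": ev.get("sourceIPAddress"), "imageIds": image_ids,
                "keyName": req.get("keyName"), "securityGroups": groups}
    return launches


def correlate_launches(events, owned_amis):
    """One finding per launched instance: AMIs outside the allowlist plus the role
    sessions that later acted under that instance id."""
    findings = []
    for inst_id, info in sorted(extract_launches(events).items()):
        later_sessions = sorted({
            ev["userIdentity"]["arn"] for ev in events
            if instance_id_from_arn(ev.get("userIdentity", {}).get("arn")) == inst_id
            and ev["eventTime"] >= info["time"]})
        findings.append({"instanceId": inst_id, "launchedBy": info["launchedBy"],
                         "unknownAmis": sorted(info["imageIds"] - set(owned_amis)),
                         "keyName": info["keyName"], "securityGroups": info["securityGroups"],
                         "laterSessions": later_sessions})
    return findings


if __name__ == "__main__":
    for finding in correlate_launches(SAMPLE_EVENTS, OWNED_AMIS):
        print(finding)
```

Running it on the sample prints one finding for i-0fcc1a99214f7dcdc whose AMI is outside the allowlist and whose later session is the aws:ec2-instance role; an analyst would then take the unknownAmis list to the Cloud or DevOps team, as the post suggests.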

Last Activity Time: 2024-07-04 13:04:00 UTC

ARN: developer

index="tb-cloudtrail" "userIdentity.arn"="arn:aws:iam::339712839666:user/developer"
| fillnull errorCode value=null
| search errorCode=null
| stats count by _time userIdentity.arn eventName sourceIPAddress

For the developer user, activity starts at 2024-07-04 14:57:00 UTC and the first IP used is 18.224.8.62. The activity starts after the new instance was spawned, and the IP used belongs to that same instance [ i-0fcc1a99214f7dcdc ]. This means the attacker obtained the developer user's access keys and is now using them. The hypothesis here is that the developer user's keys were stored in the AMI image the attacker used to spawn the new instance.

The attacker used two IPs: the credentials may be used from the EC2 instance [18.224.8.62] and from a local system or another server [188.214.122.83]. The second IP does not give exact location details, as it belongs to Proton VPN.

Initially there are read operations such as ListBuckets, DescribeImages, DescribeVolumes and DescribeTrails, and only one GetObject operation.

index="tb-cloudtrail" "userIdentity.arn"="arn:aws:iam::339712839666:user/developer" eventName=GetObject
| fillnull errorCode value=null
| search errorCode=null
| stats count by _time eventName sourceIPAddress resources{}.ARN

The attacker downloaded objects from the internalprojectaicode S3 bucket using IP 188.214.122.83.

The next day [ 5 July 2024 ] the attacker performed operations such as AttachUserPolicy, CreateAccessKey and CreateUser, which shows that they are now creating a backdoor IAM user and access keys.

index="tb-cloudtrail" "userIdentity.arn"="arn:aws:iam::339712839666:user/developer" eventName IN("AttachUserPolicy","CreateAccessKey","CreateUser")
| fillnull errorCode value=null
| search errorCode=null
| spath path=requestParameters output=all_params
| eval requestParameters = replace(tostring(all_params), "[\{\}]", "")
| spath path=responseElements output=res_params
| eval responseElements = replace(tostring(res_params), "[\{\}]", "")
| stats count by _time eventName sourceIPAddress requestParameters responseElements

The new user created is SeniorDeveloperBreakGlass, the AdministratorAccess policy is attached to it and access keys are created. If we observe the timestamps, all three activities occurred at the same time, which means the attacker used some automation to perform the task.
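The same judgement can be made in code. The Python below is an added example (not from the original post): it groups CreateUser, AttachUserPolicy and CreateAccessKey events by the target user name, reports whether that user was created, given AdministratorAccess and issued a key within a short window, and notes when all three calls share a timestamp, the sign of automation the paragraph above points to. The account id, the developer user and the SeniorDeveloperBreakGlass user name follow the post; the exact 5 July times, the source IP of the IAM calls, the benign "auditor" user created by a hypothetical cloud-admin, and the access key id (AWS's documented example id) are constructed.

```python
"""Flag the CreateUser -> AttachUserPolicy(AdministratorAccess) -> CreateAccessKey pattern.

Added example, not from the original post. Records are constructed sample data."""
from collections import defaultdict
from datetime import datetime

IAM_EVENTS = {"CreateUser", "AttachUserPolicy", "CreateAccessKey"}
DEV = "arn:aws:iam::339712839666:user/developer"
ADMIN = "arn:aws:iam::339712839666:user/cloud-admin"  # hypothetical legitimate admin

SAMPLE_EVENTS = [  # constructed; times on 5 July are assumptions
    {"eventTime": "2024-07-05T09:10:12Z", "eventName": "CreateUser", "sourceIPAddress": "188.214.122.83",
     "userIdentity": {"arn": DEV}, "requestParameters": {"userName": "SeniorDeveloperBreakGlass"}},
    {"eventTime": "2024-07-05T09:10:12Z", "eventName": "AttachUserPolicy", "sourceIPAddress": "188.214.122.83",
     "userIdentity": {"arn": DEV},
     "requestParameters": {"userName": "SeniorDeveloperBreakGlass",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-07-05T09:10:12Z", "eventName": "CreateAccessKey", "sourceIPAddress": "188.214.122.83",
     "userIdentity": {"arn": DEV}, "requestParameters": {"userName": "SeniorDeveloperBreakGlass"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE", "status": "Active"}}},
    # Benign comparison: a read-only user set up by hand over several minutes, no key created.
    {"eventTime": "2024-07-05T10:00:00Z", "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": ADMIN}, "requestParameters": {"userName": "auditor"}},
    {"eventTime": "2024-07-05T10:06:30Z", "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": ADMIN},
     "requestParameters": {"userName": "auditor", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]


def parse_time(s):
    """CloudTrail eventTime is UTC in this fixed format."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def summarize_iam_changes(events, window_seconds=300):
    """One summary per target user (requestParameters.userName).

    is_backdoor_pattern: created, given AdministratorAccess and issued an access key
    within window_seconds. automation_suspected: three or more calls within one second."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("eventName") in IAM_EVENTS and not ev.get("errorCode"):
            target = ev.get("requestParameters", {}).get("userName")
            if target:
                by_user[target].append(ev)

    findings = []
    for user, evs in sorted(by_user.items()):
        times = [parse_time(e["eventTime"]) for e in evs]
        span = (max(times) - min(times)).total_seconds()
        policies = [e["requestParameters"].get("policyArn") for e in evs
                    if e["eventName"] == "AttachUserPolicy"]
        created = any(e["eventName"] == "CreateUser" for e in evs)
        admin = any(p and p.endswith("/AdministratorAccess") for p in policies)
        keyed = any(e["eventName"] == "CreateAccessKey" for e in evs)
        findings.append({
            "userName": user,
            "actors": sorted({e["userIdentity"]["arn"] for e in evs}),
            "sourceIPs": sorted({e.get("sourceIPAddress") for e in evs}),
            "policies": policies,
            "spanSeconds": span,
            "is_backdoor_pattern": created and admin and keyed and span <= window_seconds,
            "automation_suspected": len(evs) >= 3 and span <= 1,
        })
    return findings


if __name__ == "__main__":
    for finding in summarize_iam_changes(SAMPLE_EVENTS):
        print(finding)
```

Grouping by the target user rather than by the caller is what makes the pattern visible: the three calls are separate events in CloudTrail, and a single rule on any one of them would page on routine administration like the auditor example.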

Timeline

  • The attacker downloaded network diagrams from the betadocumentsv2 S3 bucket [IP: 36.50.238.1, ProtonVPN IP].

  • The attacker gained access to an EC2 server. How is currently unknown; it could have been via a vulnerable hosted application, leaked SSH keys/passwords or a 0-day. Instance logs are required to determine this.

  • The EC2 server has the EC2RoleForServers role attached. Using this role the attacker performed various read/write operations, possibly found an AMI [ needs confirmation from other teams ], and started instances.

  • From the newly spawned instance, the developer user's AWS access keys are used: activity from this user is observed for the first time during this period, and the IP is the same as the EC2 instance's. [IP: 18.224.8.62 EC2 IP, 188.214.122.83 ProtonVPN IP]

  • The developer user also performed multiple read and write operations, and the attacker downloaded objects from the internalprojectaicode S3 bucket. [IP: 188.214.122.83 ProtonVPN IP]

  • The developer user was used to create a new user named SeniorDeveloperBreakGlass, attach the AdministratorAccess policy and create AWS access keys.
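The timeline above and the developer-user pivot described in the ARN: developer section can both be produced from the raw events. The Python below is an added example (not from the original post): it sorts CloudTrail events into a timeline, tags each source IP from an enrichment table, marks the first event of every identity, and flags an IAM user whose first activity comes from an IP that an EC2 instance-profile session had already been using, which is exactly the observation that tied the developer keys to i-0fcc1a99214f7dcdc. Identities, IPs and the 13:04 and 14:57 times follow the post; the remaining times, the GetObject key, the IP tag table and the cloud-admin identity are constructed.

```python
"""Build a CloudTrail timeline and flag credentials first used from an EC2 session's IP.

Added example, not from the original post. Records are constructed sample data."""
import re
from datetime import datetime

SESSION_RE = re.compile(r":assumed-role/[^/]+/(i-[0-9a-f]{8,17})$")

# Constructed enrichment table; the attributions are the ones the post gives.
IP_TAGS = {
    "18.188.58.36": "AWS (EC2)",
    "18.224.8.62": "AWS (EC2 i-0fcc1a99214f7dcdc)",
    "36.50.238.1": "ProtonVPN",
    "188.214.122.83": "ProtonVPN",
}

DEV = "arn:aws:iam::339712839666:user/developer"
SERVER = "arn:aws:sts::339712839666:assumed-role/EC2RoleForServers/i-0003a74a081eb21bb"
NEW_INSTANCE = "arn:aws:sts::339712839666:assumed-role/aws:ec2-instance/i-0fcc1a99214f7dcdc"

SAMPLE_EVENTS = [  # constructed, deliberately out of order
    {"eventTime": "2024-07-05T09:10:12Z", "eventName": "CreateUser", "sourceIPAddress": "188.214.122.83",
     "userIdentity": {"arn": DEV}, "requestParameters": {"userName": "SeniorDeveloperBreakGlass"}},
    {"eventTime": "2024-07-04T13:04:00Z", "eventName": "RunInstances", "sourceIPAddress": "18.188.58.36",
     "userIdentity": {"arn": SERVER}},
    {"eventTime": "2024-07-04T13:04:00Z", "eventName": "RegisterManagedInstance",
     "sourceIPAddress": "18.224.8.62", "userIdentity": {"arn": NEW_INSTANCE}},
    {"eventTime": "2024-07-04T14:57:00Z", "eventName": "ListBuckets", "sourceIPAddress": "18.224.8.62",
     "userIdentity": {"arn": DEV}},
    {"eventTime": "2024-07-04T15:20:00Z", "eventName": "GetObject", "sourceIPAddress": "188.214.122.83",
     "userIdentity": {"arn": DEV},
     "resources": [{"ARN": "arn:aws:s3:::internalprojectaicode/EXAMPLE-OBJECT-KEY"}]},  # placeholder key
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def short_actor(arn):
    """'user/developer' or 'assumed-role/<role>/<session>' for a compact timeline column."""
    return arn.split(":", 5)[-1]


def build_timeline(events, ip_tags):
    """Chronological rows; firstSeen marks the first event of each identity."""
    seen, rows = set(), []
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        actor = ev["userIdentity"]["arn"]
        ip = ev.get("sourceIPAddress")
        rows.append({"time": ev["eventTime"], "actor": short_actor(actor), "event": ev["eventName"],
                     "ip": ip, "ipTag": ip_tags.get(ip, "unknown"), "firstSeen": actor not in seen})
        seen.add(actor)
    return rows


def detect_credential_pivot(events):
    """IAM users whose first activity comes from an IP already used by an instance-profile
    session. Each finding names the user, the IP, the instance and the first-use time."""
    ec2_ip_first = {}  # ip -> (instance id, first time seen from that instance's session)
    seen_users, findings = set(), []
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        arn = ev["userIdentity"]["arn"]
        ip = ev.get("sourceIPAddress")
        m = SESSION_RE.search(arn)
        if m:
            ec2_ip_first.setdefault(ip, (m.group(1), ev["eventTime"]))
        elif ":user/" in arn and arn not in seen_users:
            seen_users.add(arn)
            if ip in ec2_ip_first:
                findings.append({"user": arn, "ip": ip, "instanceId": ec2_ip_first[ip][0],
                                 "time": ev["eventTime"]})
    return findings


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_EVENTS, IP_TAGS):
        print(row["time"], row["actor"], row["event"], row["ip"], row["ipTag"],
              "<- first activity" if row["firstSeen"] else "")
    print(detect_credential_pivot(SAMPLE_EVENTS))
```

The pivot rule keys on the first event of each IAM user on purpose: a long-lived user that later happens to call from an instance is routine, whereas credentials that appear for the first time from a freshly launched instance's address are the pattern the post flags as stolen keys.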

Conclusion

We now know how to investigate attacks using CloudTrail logs and how to build a timeline from the various pieces of evidence and activities collected during the investigation.