Accelerate Security with Threat Stack Telemetry

The information button exposes all of the telemetry associated with the alert:

As an aside: There are many ways users can customize alerting to their own environments. In fact, many of the downstream behaviors we’ll observe here could be good candidates for alerting. But going forward, I’m going to focus on the raw telemetry that Threat Stack records.

We can pivot from this alert to Threat Stack’s Event Search feature, which provides a full window into the past three days of activity in your environment. Here, we can use the agent_id to focus on the EC2 instance that triggered the alert and look for SSH login activity.

I’m restricting the timeframe via the UI, and here’s the Threat Stack Event Search query I’m using:

event_type = "login" AND agent_id = "436dd34c-f795-11ea-a752-21e3e3eb7c50"

Much like alerts, Threat Stack events allow you to see the full underlying telemetry:

Now that we’ve isolated the login event, we can grab the timestamp to further narrow the search window.

Here’s how you can inspect an even smaller window of time via a query (big thanks to Threat Stack Lead Security Analyst Ethan Hansen for describing these techniques in “How to Track Agent-Based User Activity”):

agent_id = "436dd34c-f795-11ea-a752-21e3e3eb7c50" AND event_time >= 1600362902289 AND event_time <= 1600362992764

We’re looking for user actions immediately post-login, and see that the user “ubuntu” — an AWS default for Ubuntu AMIs — went ahead and elevated their permissions to “root”. Next, we’ll expand the time window slightly and continue retracing the attacker’s steps.

A lot happens here. First, we see the attacker look for credential files on the server. While the Linux command executed successfully, the absence of corresponding file OPEN events tells us that the credentials file doesn’t exist. (Threat Stack observes full CRUD operations for FIM events.) The default credentials file doesn’t exist because we’re using IAM roles on our EC2 instances. In general this is a best practice, but later we’ll see how poor hygiene with IAM roles for EC2 can benefit an attacker.

The attacker recognizes there must be a role attached to this instance, and uses curl https://169.254.169.254/latest/meta-data/iam/info to see what they’re working with. The role name must have looked promising, because their next step is to install the AWS Command Line Interface (awscli).

Continuing our investigation, we notice they issue an aws ec2 describe-instances command:

We can see if the role worked by checking the full AWS CloudTrail event stream that Threat Stack ingests:

The bones of this query are:

event_type = "cloudtrail" AND userType = "AssumedRole"

By noting that “arnRole” is set to assumed-role/ec2VpcRole/i-08c9216f243e53fd4, we can confirm that this EC2 instance (instance ID i-08c9216f243e53fd4) was successful. The attacker has now gathered intel about the other EC2 instances in the environment, including what roles and associated SSH keys they have.

We continue our investigation, looking for login events, and we find a suspicious candidate:

Here’s the basic query:

event_type = "login" AND event_time > 1600362961

I’ll grab the “agent_id” value here to use in the next query, along with the same timestamp.

For brevity, I’ll omit the following events, but here we observe the same behavior: Elevating permissions to root and installing the awscli. Next, they skip the call to the metadata service and use the awscli to poke around S3:

Here, we can observe an arnRole value of assumed-role/myS3Reader/i-03128a5b8b894002a, which confirms that the EC2 instance is able to access S3. It’s worth noting that I have followed AWS’s recommendation to “Block all public access” to my S3 buckets — but since this instance is on a private VPC, that setting won’t protect us if the EC2 instance can use the proper IAM role.

Now, the cat is out of the bag by copying some secret data: aws s3 cp s3://omg-my-cookies/secret-data.txt secret-data-copy.txt