Query Details
// https://github.com/FalconForceTeam/FalconFriday/blob/master/Collection/0xFF-0236-Resource_Shared_with_Unknown_External_Account-AWS.md
AWSCloudTrail
| where EventName == "ModifyImageAttribute"
| mv-expand Item = todynamic(RequestParameters)["launchPermission"]["add"]["items"]
| where Item["userId"] contains "*" or Item["group"] has "all"
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId
This query searches AWS CloudTrail logs for events whose EventName is "ModifyImageAttribute", the API call that changes the attributes of an AMI. It parses RequestParameters as JSON, expands each entry under launchPermission.add.items, and keeps only entries whose userId contains "*" or whose group is "all" (that is, the image was shared with a wildcard or made public rather than with a specific account). It then invokes the AWSIdentityRole function to enrich the event with the actor's identity and role, and finally projects the fields needed for further analysis.
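To show the same filter outside KQL, here is an added Python example (not part of the FalconFriday rule or the original page) that applies the query's launchPermission logic to constructed CloudTrail-shaped records; the account IDs, ARNs and image IDs are made-up placeholders.

```python
import json


def _event(actor, image_id, action, items):
    """Build a constructed CloudTrail-shaped record (all values are hypothetical)."""
    return {"eventName": "ModifyImageAttribute",
            "userIdentity": {"arn": f"arn:aws:iam::111111111111:user/{actor}"},
            # Sentinel's AWSCloudTrail table stores RequestParameters as a JSON string,
            # which is why the KQL query wraps it in todynamic(); mirror that here.
            "requestParameters": json.dumps({"imageId": image_id, "attributeType": "launchPermission",
                                             "launchPermission": {action: {"items": items}}})}


SAMPLE_EVENTS = [
    _event("alice", "ami-0example1", "add", [{"userId": "222222222222"}]),  # specific account: not flagged
    _event("bob", "ami-0example2", "add", [{"group": "all"}]),              # public share: flagged
    _event("carol", "ami-0example3", "add", [{"userId": "*"}]),             # wildcard user: flagged
    _event("dave", "ami-0example4", "remove", [{"group": "all"}]),          # removal, not an add: not flagged
    {"eventName": "DescribeImages", "userIdentity": {}, "requestParameters": "{}"},  # unrelated event
]


def shared_externally(event):
    """Return the launchPermission.add.items entries that match the KQL filter:
    userId contains '*' or group is 'all'. Empty list means the event is benign."""
    if event.get("eventName") != "ModifyImageAttribute":
        return []
    params = event.get("requestParameters") or {}
    if isinstance(params, str):          # equivalent of todynamic(RequestParameters)
        params = json.loads(params)
    items = (((params.get("launchPermission") or {}).get("add") or {}).get("items")) or []
    hits = []
    for item in items:
        user_id = str(item.get("userId", ""))
        group = str(item.get("group", ""))
        # KQL 'contains' / 'has' are case-insensitive; approximate them with lower-case compares
        if "*" in user_id or group.lower() == "all":
            hits.append(item)
    return hits


def find_public_ami_shares(events):
    """Reduce a batch of events to the alert-worthy ones, keeping actor, image and matching items."""
    results = []
    for ev in events:
        hits = shared_externally(ev)
        if hits:
            params = json.loads(ev["requestParameters"])
            results.append({"actor": ev.get("userIdentity", {}).get("arn"),
                            "imageId": params.get("imageId"), "items": hits})
    return results


if __name__ == "__main__":
    for alert in find_public_ami_shares(SAMPLE_EVENTS):
        print(json.dumps(alert))
```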

Jose Sebastián Canós
Released: February 12, 2024