Exploit Public-Facing Application: EC2 Hosted Application Compromise
AWS Specific Sub-Technique
Other sub-techniques of Exploit Public-Facing Application (7)
| ID | Name |
|---|---|
| T1190.A016 | EC2 Hosted Application Compromise |
| T1190.A019 | Overly Permissive VPC Security Groups |
AWS Specific Content
A prerequisite for this technique is an Amazon EC2 instance hosting a vulnerable application.
The operating system or the application running on an Amazon EC2 instance can be compromised through unpatched OS or software vulnerabilities, or through a misconfigured application. Adversaries routinely search for web applications exposed to the internet, scan them for vulnerabilities and exploit what they find. Once the application is compromised, the threat actor can run their own workloads on the underlying EC2 instance, with the cost of those resources billed to the compromised account, and can obtain any IAM role credentials the instance holds through the instance metadata service.
Detection
AWS Specific Content
Enable, review and monitor VPC Flow Logs for the network interface or subnet of the EC2 instance. Flow logs record source and destination IP addresses, ports, protocol and whether each flow was accepted or rejected, but not the request content, so they show who reached the instance rather than what was requested. If the instance is placed behind an Elastic Load Balancer, ELB access logs (which must be explicitly enabled) record the client IP and the requested URL for each request. Amazon GuardDuty detects when the instance's IAM role credentials are used from somewhere other than the instance they were issued to, and Amazon GuardDuty Runtime Monitoring observes and analyzes operating system-level process, networking and file events on supported AWS workloads, which can surface post-compromise activity. Web server access logs on the instance itself, if configured as part of the operating system, record each request and its status code; for Apache they are typically located in /var/log/apache, /var/log/apache2 (Debian and Ubuntu) or /var/log/httpd (RHEL and Amazon Linux).
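As an added example (not code from the AWS catalog page), the following Python script shows the kind of offline triage a responder runs over the two log sources described above: it parses Apache combined-format access log lines and default-format VPC Flow Log records, both constructed here, and flags source IPs that sent exploit-style request paths, produced a burst of 404s consistent with scanning, or had traffic accepted from outside the VPC to a port other than the web ports. The detection patterns, the 404 threshold, the assumption that the VPC interior is RFC 1918 space and the sample addresses are all illustrative choices.

```python
"""Triage EC2 web-server access logs and VPC Flow Logs for exploitation attempts.
Added example, not code from the AWS catalog page; all log lines are constructed
and the patterns, thresholds and RFC 1918 assumption need adapting to your VPC."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Apache "combined" LogFormat, the default for access logs under /var/log/httpd
# (RHEL, Amazon Linux) and /var/log/apache2 (Debian, Ubuntu).
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Request-path fragments typical of scanners and exploit attempts; kept narrow
# on purpose because a broad list is noisy on a busy server.
SUSPICIOUS_PATH = re.compile(
    r'(\.\./|%2e%2e|/etc/passwd|/wp-login\.php|/\.env|/\.git/|/cgi-bin/'
    r'|\$\{jndi:|<script|union(\s|\+|%20)+select)', re.IGNORECASE)

# Field order of a VPC Flow Log record in the default (version 2) format.
FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status"]
WEB_PORTS = {80, 443}
# RFC 1918 space is treated as the VPC interior (assumption). ipaddress.is_private
# is avoided because it also classifies the RFC 5737 sample addresses as private.
INTERNAL_NETS = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def parse_apache(line):
    """Return the fields of one combined-format access log line, or None."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def parse_flow_record(line):
    """Return one default-format VPC Flow Log record as a dict, or None."""
    fields = line.split()
    if len(fields) != len(FLOW_FIELDS) or fields[0] != "2":
        return None
    rec = dict(zip(FLOW_FIELDS, fields))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key]) if rec[key] != "-" else 0  # "-" on NODATA/SKIPDATA records
    return rec


def triage(access_lines, flow_lines, not_found_threshold=5):
    """Map each suspicious source IP to the list of reasons it was flagged."""
    findings, not_found = defaultdict(list), defaultdict(int)
    for line in access_lines:
        req = parse_apache(line)
        if req is None:
            continue
        if SUSPICIOUS_PATH.search(req["path"]):
            findings[req["ip"]].append(
                f'exploit-style request {req["method"]} {req["path"]} -> {req["status"]}')
        if req["status"] == 404:
            not_found[req["ip"]] += 1
    # A burst of 404s from one client is the usual footprint of the directory and
    # vulnerability scanning that precedes opportunistic exploitation.
    for ip, count in not_found.items():
        if count >= not_found_threshold:
            findings[ip].append(f"{count} responses with status 404 (scanning)")
    # Flow logs carry no request content, but an ACCEPTed flow from outside the VPC
    # to a non-web port shows the instance exposes more than the application.
    for line in flow_lines:
        rec = parse_flow_record(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if is_internal(rec["srcaddr"]) or rec["dstport"] in WEB_PORTS:
            continue
        findings[rec["srcaddr"]].append(
            f'accepted inbound flow to port {rec["dstport"]}/proto {rec["protocol"]}')
    return dict(findings)


# Constructed sample data using RFC 5737 documentation addresses.
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Oct/2023:13:56:03 +0000] "GET /admin HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Oct/2023:13:56:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Oct/2023:13:56:05 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Oct/2023:13:56:07 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 200 1821 "-" "curl/8.1"',
]
SAMPLE_FLOW_LOG = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.1.25 51234 80 6 12 3400 1696946160 1696946220 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.1.25 51240 22 6 8 960 1696946200 1696946260 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.40 10.0.1.25 40000 3306 6 20 5000 1696946200 1696946260 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.55 10.0.1.25 45000 3389 6 1 40 1696946200 1696946260 REJECT OK",
]
```

Calling `triage(SAMPLE_ACCESS_LOG, SAMPLE_FLOW_LOG)` returns a single entry for 203.0.113.9 with five reasons (three exploit-style paths, the 404 burst, and an accepted inbound flow to port 22), while the ordinary client 198.51.100.7, the internal database connection and the rejected RDP probe are left alone. In practice the access log comes from the instance (ELB access logs use a different format and need their own parser) and the flow records from the CloudWatch Logs group or S3 bucket the flow log is delivered to.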
Information on how to configure an EC2 instance and CloudWatch Logs Insights to view and monitor Apache server logs is available in the AWS documentation.
Mitigation
AWS Specific Content
Keep the operating system, applications, plugins and libraries up to date. Assess and remediate applications for the vulnerability classes in the OWASP Top Ten.
Amazon Inspector can detect OS and application vulnerabilities on EC2 instances using agent-based and agentless scans. For agentless scans, Amazon Inspector uses EBS snapshots of the instance volumes to collect a software inventory. For agent-based scans, Amazon Inspector uses AWS Systems Manager (SSM) associations, and plugins installed through those associations, to collect the inventory from the running instance. In addition to vulnerability scans of operating system packages, agent-based scanning can also detect vulnerabilities in programming language packages on Linux-based instances through Amazon Inspector deep inspection for Linux-based Amazon EC2 instances; agentless scanning covers both operating system and programming language package vulnerabilities. Additional information on scanning EC2 instances with Amazon Inspector is available in the Amazon Inspector documentation.
AWS WAF Managed Rules can be placed in front of the application to block attempts to exploit application and OS vulnerabilities. These rules are curated and maintained by the AWS Threat Research Team and provide protection against common application vulnerabilities and other unwanted traffic without you having to write your own rules. AWS WAF inspects only HTTP and HTTPS traffic, and only on a supported resource it is associated with (for example an Application Load Balancer or CloudFront distribution in front of the instance), not on the EC2 instance directly. For non-HTTP and non-HTTPS workloads, AWS Network Firewall can be used for detection and mitigation with IPS-oriented (Suricata-compatible) rules.