Resource Hijacking: Compute Hijacking - WorkSpaces


AWS Specific Sub-Technique


A prerequisite for this technique is that a threat actor has already gained control of an AWS identity with the permissions to perform WorkSpaces-related actions.

With access to an AWS identity that has the appropriate permissions, threat actors can create new Amazon WorkSpaces instances to hijack computing resources or establish unintended remote desktop environments. Creating unintended WorkSpaces may allow threat actors to maintain persistent access to the customer environment, consume resources for cryptomining, or establish a foothold for further malicious activities. This technique can result in significant resource consumption and inappropriate access to corporate networks through virtual desktop infrastructure.

Detection

You can use the Event history page in the AWS CloudTrail console to view the past 90 days of management events in an AWS Region. WorkSpaces API calls are recorded with an eventSource of workspaces.amazonaws.com and an eventName equal to the API operation, for example CreateWorkspaces (the IAM action workspaces:CreateWorkspaces).

A CloudTrail trail gives you an ongoing record of events in your AWS account beyond the 90-day Event history window and can be configured to log events from all Regions. If the trail delivers to a CloudWatch Logs log group, you can create a metric filter that matches specific API calls (such as CreateWorkspaces from workspaces.amazonaws.com), put an alarm on the resulting metric to send a notification, and configure CloudWatch to perform an action automatically in response to the alarm.

When reviewing matches, compare the calling identity, source IP address, Region and the number of WorkSpaces requested per call against what your normal provisioning process produces; a bulk create from an unfamiliar principal or address is the signal to act on. For the full list of WorkSpaces API operations recorded by CloudTrail, see the CloudTrail logging section of the Amazon WorkSpaces documentation.
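The triage logic described above, as an added example that is not code from the original page or from AWS. It applies the same selection as a CloudWatch Logs metric filter on CreateWorkspaces events and then scores each match against a baseline of expected principals, source CIDRs and a per-call size threshold. The CloudTrail records are constructed to mirror the real event shape, and the baseline values, account ID, role and user names are assumptions for the demonstration.

```python
"""Triage CloudTrail management events for unexpected WorkSpaces creation.

Added example for the Detection section, not code from the page or from AWS.
The records are constructed to mirror the shape of CloudTrail events; the
baseline (expected principals, source CIDRs, per-call threshold) is assumed.
"""
import ipaddress
import json

WORKSPACES_SOURCE = "workspaces.amazonaws.com"
CREATE_EVENTS = {"CreateWorkspaces"}

# CloudWatch Logs metric filter selecting the same events from a log group fed
# by a CloudTrail trail; select_events() below applies the identical test.
METRIC_FILTER_PATTERN = ('{ ($.eventSource = "workspaces.amazonaws.com") '
                         '&& ($.eventName = "CreateWorkspaces") }')

# Hypothetical baseline: who provisions WorkSpaces, from where, and how many
# a single call normally requests.
BASELINE = {
    "principals": {"arn:aws:iam::111122223333:role/WorkSpacesProvisioner"},
    "cidrs": [ipaddress.ip_network("198.51.100.0/24")],
    "max_workspaces_per_call": 5,
}


def _record(name, ip, identity, workspaces=(), when="2025-12-01T09:15:02Z",
            source=WORKSPACES_SOURCE):
    """Build a constructed CloudTrail-shaped record (helper for the samples)."""
    return {"eventTime": when, "awsRegion": "us-east-1", "eventSource": source,
            "eventName": name, "sourceIPAddress": ip, "userIdentity": identity,
            "requestParameters": {"workspaces": list(workspaces)} if workspaces else {}}


ROLE_ARN = "arn:aws:iam::111122223333:role/WorkSpacesProvisioner"
CONTRACTOR = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor"}
PROVISIONER = {"type": "AssumedRole",
               "arn": "arn:aws:sts::111122223333:assumed-role/WorkSpacesProvisioner/deploy",
               "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}}
WS = {"directoryId": "d-0123456789", "bundleId": "wsb-abcdef123"}

# Constructed sample records (not real CloudTrail output).
SAMPLE_RECORDS = [
    # expected: the provisioning role, from the office range, one desktop
    _record("CreateWorkspaces", "198.51.100.17", PROVISIONER, [dict(WS, userName="alice")]),
    # unexpected: an IAM user, from outside the baseline, twelve desktops at once
    _record("CreateWorkspaces", "203.0.113.45", CONTRACTOR,
            [dict(WS, userName=f"user{i}") for i in range(12)], when="2025-12-01T03:41:55Z"),
    # read-only call and an unrelated service: both ignored by the filter
    _record("DescribeWorkspaces", "203.0.113.45", CONTRACTOR),
    _record("RunInstances", "198.51.100.17", PROVISIONER, source="ec2.amazonaws.com"),
]


def select_events(records):
    """Python equivalent of METRIC_FILTER_PATTERN."""
    return [r for r in records if r.get("eventSource") == WORKSPACES_SOURCE
            and r.get("eventName") in CREATE_EVENTS]


def principal_arn(record):
    """Use the role ARN for assumed-role sessions so the baseline can name roles."""
    identity = record.get("userIdentity") or {}
    issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or identity.get("arn", "unknown")


def triage(records, baseline=BASELINE):
    """One finding per CreateWorkspaces call that departs from the baseline."""
    findings = []
    for rec in select_events(records):
        reasons = []
        principal = principal_arn(rec)
        if principal not in baseline["principals"]:
            reasons.append("unexpected-principal")
        try:
            ip = ipaddress.ip_address(rec.get("sourceIPAddress") or "")
            if not any(ip in net for net in baseline["cidrs"]):
                reasons.append("source-ip-outside-baseline")
        except ValueError:
            # Calls an AWS service makes on the principal's behalf carry the
            # service's DNS name (e.g. cloudformation.amazonaws.com), not an IP.
            reasons.append("non-ip-source")
        requested = len((rec.get("requestParameters") or {}).get("workspaces") or [])
        if requested > baseline["max_workspaces_per_call"]:
            reasons.append("bulk-create")
        if reasons:
            findings.append({"eventTime": rec["eventTime"], "region": rec["awsRegion"],
                             "principal": principal, "sourceIP": rec["sourceIPAddress"],
                             "workspacesRequested": requested, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # A trail's delivered log files wrap events as {"Records": [...]}; pass
    # json.load(f)["Records"] to triage() to run it over real data.
    for finding in triage(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Running the script reports only the contractor's twelve-desktop call, with all three reasons attached; the provisioner's single create from the office range is silent. The `non-ip-source` reason exists because a service calling on a principal's behalf logs a DNS name in sourceIPAddress, which a naive IP comparison would otherwise raise on or silently skip.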


Mitigation

Apply least privilege using IAM policies that grant WorkSpaces-related permissions only to the users and roles that need them. The following example allows CreateWorkspaces only when the request originates from a single source IP address. CreateWorkspaces is authorized against the resources the call references (the bundle and the directory; check the Service Authorization Reference for the complete list), so each must be covered by the Resource element. Note that aws:SourceIp is not present for requests that arrive through a VPC endpoint (use aws:VpcSourceIp for those). Because this is an Allow statement it only scopes this particular grant: any other policy attached to the identity that allows workspaces:CreateWorkspaces still applies. To enforce the restriction, pair it with an explicit Deny on the same action whose condition uses NotIpAddress, since an explicit deny overrides every allow.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "workspaces:CreateWorkspaces",
            "Resource": [
                "arn:aws:workspaces:*:*:workspacebundle/*",
                "arn:aws:workspaces:*:*:directory/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "192.168.192.168/32"
                }
            }
        }
    ]
}
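To make the difference between a conditioned Allow and an explicit Deny concrete, here is an added Python model of policy evaluation. It is not AWS code and not from the original page: it implements only the explicit-deny, allow, implicit-deny ordering, `*` wildcards in Action and Resource, and the IpAddress and NotIpAddress operators on aws:SourceIp. The second and third policies, the account ID and the resource ARN are assumptions, and a condition key missing from the request context is treated as a non-match for both operators, which is a simplification of the real rules.

```python
"""Model of how the Mitigation policy's IP condition behaves beside other policies.

Added example, not AWS code: explicit deny > allow > implicit deny, '*'
wildcards in Action/Resource, and IpAddress / NotIpAddress on aws:SourceIp.
Real IAM evaluation also involves SCPs, permissions boundaries, resource
policies and many more keys. A key absent from the request context (as
aws:SourceIp is for requests via a VPC endpoint) is treated here as a
non-match for both operators, which simplifies the real rules.
"""
import fnmatch
import ipaddress

ACTION = "workspaces:CreateWorkspaces"
RESOURCE = "arn:aws:workspaces:us-east-1:111122223333:workspacebundle/wsb-abcdef123"

PAGE_POLICY = {  # the Allow statement from the Mitigation section
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ACTION,
        "Resource": ["arn:aws:workspaces:*:*:workspacebundle/*",
                     "arn:aws:workspaces:*:*:directory/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": "192.168.192.168/32"}},
    }],
}

BROAD_POLICY = {  # hypothetical over-permissive policy on the same identity
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "workspaces:*", "Resource": "*"}],
}

DENY_POLICY = {  # explicit deny that enforces the IP restriction regardless of allows
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ACTION,
        "Resource": "*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": "192.168.192.168/32"}},
    }],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _glob_match(patterns, target, casefold=False):
    """'*' matches any run of characters; action names are case-insensitive."""
    target = target.lower() if casefold else target
    return any(fnmatch.fnmatchcase(target, p.lower() if casefold else p)
               for p in _as_list(patterns))


def _condition_matches(condition, context):
    for operator, pairs in (condition or {}).items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(operator)
        for key, cidrs in pairs.items():
            if key not in context:
                return False  # simplification, see module docstring
            ip = ipaddress.ip_address(context[key])
            hit = any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))
            if hit != (operator == "IpAddress"):
                return False
    return True


def evaluate(policies, action, resource, context):
    """Return 'allow' or 'deny' for one request across all attached policies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_glob_match(stmt["Action"], action, casefold=True)
                    and _glob_match(stmt["Resource"], resource)
                    and _condition_matches(stmt.get("Condition"), context)):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"  # an explicit deny wins over every allow
            allowed = True
    return "allow" if allowed else "deny"  # implicit deny when nothing allows


if __name__ == "__main__":
    for label, policies in [("page policy only", [PAGE_POLICY]),
                            ("page + broad", [PAGE_POLICY, BROAD_POLICY]),
                            ("page + broad + deny", [PAGE_POLICY, BROAD_POLICY, DENY_POLICY])]:
        for ip in ("192.168.192.168", "203.0.113.9"):
            print(f"{label:22} from {ip:16} -> "
                  f"{evaluate(policies, ACTION, RESOURCE, {'aws:SourceIp': ip})}")
```

Run as a script, the output shows the page's policy alone allowing the call only from 192.168.192.168, the broad policy re-opening it from any address, and the explicit Deny closing it again from everywhere except that address.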


You can also use IAM Access Analyzer to regularly review and verify access across your AWS environment: its unused access findings highlight roles, users and permissions that have not been exercised within a period you choose, and its policy generation feature builds a policy from an identity's CloudTrail activity, so standing WorkSpaces permissions can be cut back to the actions actually used.


Technique Information

ID: T1496.A009
Aliases: T1496.A009
Sub-technique of: T1496
Tactics:
  • Impact
Platforms:
  • IaaS
  • Amazon Web Services (AWS)
Created: 01 Dec 2025
Last Modified: 01 Dec 2025