Attack technique
Technique name: AWS API Calls Invoked From TOR Exit Nodes
MITRE ATT&CK
All techniques related to DS0025 and DS0010
Technique description
Attackers may leverage anonymization networks, such as The Onion Router (TOR), to obscure their network traffic and evade detection when accessing cloud services. By routing traffic through TOR exit nodes, they can mask their true IP address and location, complicating efforts to attribute and monitor malicious activity within the cloud environment.
Threat hunting theses breakdown
Relevant data sources: AWS CloudTrail Logs
Thesis explanation
The thesis examines anomalous access to cloud infrastructure from TOR exit nodes, specifically identifying AWS API calls whose source IP address matches a TOR exit node. Only relevant TOR exit nodes are used: each candidate IP is aligned with the event's timestamp to verify that it was an active exit node in the TOR network at that specific time.
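As an added example of the time-aligned matching the thesis describes (this is not code from the original page), the Python below checks each CloudTrail record's sourceIPAddress against a Tor exit-node list and only counts a match when the address was seen as an exit within a window ending at the event time, so a stale listing does not produce a hit. The exit-list excerpt, the CloudTrail records, the user ARN and the 24-hour activity window are all constructed assumptions; the list layout mirrors the Tor Project's published exit list but the entries are made up.

```python
"""Added example (not part of the original thesis): match CloudTrail events
against a Tor exit-node list, aligned in time with each event.

Assumptions: the exit-list text is constructed in the layout of the Tor
Project's published exit list (ExitNode / Published / LastStatus / ExitAddress
lines, timestamps in UTC); the CloudTrail records are constructed; an exit
address is treated as active for ACTIVE_WINDOW after it was last seen.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the style of https://check.torproject.org/exit-addresses
EXIT_LIST = """\
ExitNode AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
Published 2024-03-10 08:00:00
LastStatus 2024-03-10 09:00:00
ExitAddress 198.51.100.7 2024-03-10 08:05:00
ExitNode FFFF6666000077771111888822229999AAAA0000
Published 2024-03-09 20:00:00
LastStatus 2024-03-09 21:00:00
ExitAddress 203.0.113.9 2024-03-09 20:30:00
"""

# Constructed CloudTrail records, trimmed to the fields the hunt needs.
ALICE = "arn:aws:iam::123456789012:user/alice"
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2024-03-10T08:20:11Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": ALICE}},
    {"eventTime": "2024-03-10T08:21:40Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": ALICE},
     "errorCode": "AccessDenied"},
    # A listed exit address, but last seen ~2.5 days before this event: stale.
    {"eventTime": "2024-03-12T10:00:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"arn": ALICE}},
    # Never listed as an exit address.
    {"eventTime": "2024-03-10T08:30:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "192.0.2.55", "userIdentity": {"arn": ALICE}},
]

# Assumption: how long after its last sighting an exit address still counts.
ACTIVE_WINDOW = timedelta(hours=24)


def parse_exit_list(text):
    """Return {ip: [last-seen datetimes]} from the ExitAddress lines."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ExitAddress":
            ts = datetime.strptime(f"{parts[2]} {parts[3]}", "%Y-%m-%d %H:%M:%S")
            seen.setdefault(parts[1], []).append(ts.replace(tzinfo=timezone.utc))
    return seen


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def was_exit_active(exit_seen, ip, at, window=ACTIVE_WINDOW):
    """True if `ip` was seen as an exit address at or before `at`, within `window`."""
    return any(ts <= at <= ts + window for ts in exit_seen.get(ip, []))


def hunt_tor_access(events, exit_list_text, window=ACTIVE_WINDOW):
    """Return the events whose source IP was an active Tor exit at event time."""
    exit_seen = parse_exit_list(exit_list_text)
    hits = []
    for ev in events:
        at = parse_event_time(ev["eventTime"])
        if was_exit_active(exit_seen, ev["sourceIPAddress"], at, window):
            hits.append({
                "eventTime": ev["eventTime"],
                "eventName": ev["eventName"],
                "sourceIPAddress": ev["sourceIPAddress"],
                "principal": ev["userIdentity"]["arn"],
                # CloudTrail records errorCode only on failed calls.
                "succeeded": "errorCode" not in ev,
            })
    return hits


if __name__ == "__main__":
    print(json.dumps(hunt_tor_access(CLOUDTRAIL_EVENTS, EXIT_LIST), indent=2))
```

In a real hunt the exit list should be the archived snapshot closest to the event's timestamp rather than today's list, and the activity window is a tuning knob: too short misses exits that stay up between publications, too long reintroduces the stale-IP false positives the time alignment is meant to remove.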
Blind spots
- TOR exit-node IPs that were not published on the TOR exit nodes' website
Recommended investigation flow
- Did the operation succeed?
  - Check CloudTrail logs: verify whether the TOR-based access attempt resulted in a successful operation. Review the eventName and responseElements in the CloudTrail records for the requested operation, noting whether access was granted or denied.
- Were there any attempts at lateral movement?
  - Identify additional activity performed by the same user or role after the TOR access, especially within a similar timeframe. Check for actions that could indicate lateral movement, such as access to other resources, IAM policy modification, or the creation of new IAM users or roles.
- Investigate the user and its permissions
  - Investigate recent login patterns to assess whether the TOR access was an anomaly for this user. If other locations or IPs were used previously, this could indicate compromised credentials.
  - Look for changes to permissions, policy attachments, or the creation of new access keys by this user. Confirm whether any of these actions could lead to privilege escalation.
- Investigate the resource
  - Determine the nature of the accessed resource. Identify whether it stores or processes sensitive data or is critical to operations.
  - Review the resource's access permissions, specifically checking for public or overly permissive configurations.
  - Verify whether the resource is publicly accessible and whether it should be. For S3, confirm the bucket policy settings; for EC2, examine the security groups; for RDS, check the inbound access configuration.
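The investigation flow above is a procedure an analyst runs by hand; as an added example (not code from the original page) the Python below performs a first pass over it for one confirmed TOR-sourced event: did the flagged call succeed, what did the same principal do in the following window and which of it was denied, had this source IP been seen for the principal before, and which resources the successful follow-on calls touched. All records, ARNs, IPs and bucket names are constructed; the set of privilege-changing IAM actions is this example's own selection, not an exhaustive AWS list, and success is inferred from the absence of errorCode, as CloudTrail sets that field only on failed calls.

```python
"""Added example (not from the original page): first-pass triage of one
confirmed TOR-sourced CloudTrail event, following the investigation flow above.

Assumptions: all records, ARNs, IPs and bucket names are constructed; the set
of "privilege-changing" IAM actions is this example's own selection, not an
exhaustive AWS list; errorCode is absent on successful CloudTrail calls.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

PRIV_CHANGE_ACTIONS = {
    "CreateUser", "CreateRole", "CreateAccessKey", "CreateLoginProfile",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "UpdateAssumeRolePolicy", "AddUserToGroup",
}

ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"


def rec(t, name, source, ip, arn, **extra):
    """Build a constructed CloudTrail-shaped record."""
    return {"eventTime": t, "eventName": name, "eventSource": source,
            "sourceIPAddress": ip, "userIdentity": {"arn": arn}, **extra}


EVENTS = [
    # Alice's prior history from her usual address.
    rec("2024-03-01T09:00:00Z", "DescribeInstances", "ec2.amazonaws.com", "192.0.2.10", ALICE),
    rec("2024-03-05T09:10:00Z", "ListBuckets", "s3.amazonaws.com", "192.0.2.10", ALICE),
    # The TOR-flagged event.
    rec("2024-03-10T08:20:11Z", "GetCallerIdentity", "sts.amazonaws.com", "198.51.100.7", ALICE),
    # Follow-on activity by the same principal.
    rec("2024-03-10T08:25:00Z", "CreateAccessKey", "iam.amazonaws.com", "198.51.100.7", ALICE),
    rec("2024-03-10T08:26:30Z", "AttachUserPolicy", "iam.amazonaws.com", "198.51.100.7", ALICE,
        errorCode="AccessDenied"),
    rec("2024-03-10T08:40:00Z", "GetObject", "s3.amazonaws.com", "198.51.100.7", ALICE,
        requestParameters={"bucketName": "finance-reports", "key": "q1.xlsx"}),
    # Unrelated user: must not be pulled into Alice's timeline.
    rec("2024-03-10T08:41:00Z", "ListBuckets", "s3.amazonaws.com", "192.0.2.77", BOB),
]


def ts(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(events, flagged, follow_hours=2, history_days=30):
    """Summarise what the flagged principal did before and after the TOR access."""
    arn = flagged["userIdentity"]["arn"]
    t0 = ts(flagged["eventTime"])
    mine = [e for e in events if e["userIdentity"]["arn"] == arn and e is not flagged]

    # Investigate the user: was this source address used by the principal before?
    prior = [e for e in mine if t0 - timedelta(days=history_days) <= ts(e["eventTime"]) < t0]
    prior_ips = Counter(e["sourceIPAddress"] for e in prior)

    # Did it succeed / lateral movement: follow-on calls in the window after the access.
    follow = [e for e in mine if t0 <= ts(e["eventTime"]) <= t0 + timedelta(hours=follow_hours)]
    succeeded = [e for e in follow if "errorCode" not in e]
    denied = [e for e in follow if "errorCode" in e]

    # Investigate the resource: what the successful calls touched (bucket name where present).
    resources = sorted({
        (e["eventSource"], e.get("requestParameters", {}).get("bucketName", "-"))
        for e in succeeded
    })
    return {
        "principal": arn,
        "flagged_operation_succeeded": "errorCode" not in flagged,
        "source_ip_new_for_principal": flagged["sourceIPAddress"] not in prior_ips,
        "prior_source_ips": dict(prior_ips),
        "follow_on_count": len(follow),
        "priv_changes_succeeded": [e["eventName"] for e in succeeded
                                   if e["eventName"] in PRIV_CHANGE_ACTIONS],
        "denied_calls": [f'{e["eventName"]}:{e["errorCode"]}' for e in denied],
        "resources_touched": resources,
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS, EVENTS[2]).items():
        print(f"{key}: {value}")
```

The output is a starting point for the manual steps, not a verdict: a successful CreateAccessKey from a never-before-seen address is the kind of finding that sends the analyst straight to the permission and resource checks in the last two steps, while a wall of AccessDenied responses tells you the credential was probed but the blast radius is so far limited.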