
AWS CloudTrail - CVE-2024-50603 Potential Exploitation Activity

Description

This query looks for suspicious activity from unknown IPs using roles assumed from the default Aviatrix roles, aviatrix-role-ec2 and aviatrix-role-app, related to CVE-2024-50603. This query may need further adjustments to provide accurate results, including adjusting the role ARNs, the list of known safe API calls, etc.

Query

let aviatrix_roles = dynamic(["arn:aws:iam::[AccountID]:role/aviatrix-role-ec2", "arn:aws:iam::[AccountID]:role/aviatrix-role-app"]);
let normal_api_calls = dynamic(["DescribeInstances", "ListBuckets", "GetObject"]); // Replace with your known benign APIs
let historical_ips = 
    AWSCloudTrail
    | where TimeGenerated between (ago(30d) .. ago(10d)) // Historical baseline period: 30 to 10 days ago
    | where SessionIssuerArn in (aviatrix_roles)
    | summarize observed_ips = make_set(tostring(SourceIpAddress)) by UserIdentityArn;
AWSCloudTrail
| where TimeGenerated > ago(10d) // Recent period: last 10 days, not overlapping the baseline
| where SessionIssuerArn in (aviatrix_roles) // Events where "Acting As" matches Aviatrix roles
| extend abnormal_api = not(OperationName in (normal_api_calls)) // Mark unusual API calls
| extend SourceIPAddress = tostring(SourceIpAddress) // Ensure the field is a string
| join kind=leftanti (
    historical_ips
    | mv-expand observed_ips // Expand dynamic list into individual records
    | extend observed_ips = tostring(observed_ips) // Cast to string
) on $left.SourceIPAddress == $right.observed_ips // Compare IPs
| project TimeGenerated, UserIdentityArn, SourceIPAddress, OperationName, abnormal_api, EventSource, AWSRegion
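The same baseline-versus-recent logic, as an added example that is not part of the original page and not Microsoft's or Aviatrix's code: it reimplements the query in Python over constructed sample records so the window boundaries and the leftanti join behaviour can be checked offline. Field names mirror the query's columns; the 30/10-day windows and the benign API list are the page's, and [AccountID] stays as the page's placeholder.

```python
from datetime import datetime, timedelta, timezone

# Default Aviatrix role ARNs from the query; [AccountID] is the page's placeholder.
AVIATRIX_ROLES = {
    "arn:aws:iam::[AccountID]:role/aviatrix-role-ec2",
    "arn:aws:iam::[AccountID]:role/aviatrix-role-app",
}
NORMAL_API_CALLS = {"DescribeInstances", "ListBuckets", "GetObject"}  # known benign APIs


def find_new_ip_activity(events, now, hist_start_days=30, hist_end_days=10):
    """Baseline = source IPs seen for the Aviatrix roles between ago(30d) and ago(10d);
    return events newer than ago(10d) whose IP is absent from it (the leftanti join)."""
    hist_start = now - timedelta(days=hist_start_days)
    hist_end = now - timedelta(days=hist_end_days)
    aviatrix = [e for e in events if e["SessionIssuerArn"] in AVIATRIX_ROLES]
    baseline_ips = {e["SourceIpAddress"] for e in aviatrix
                    if hist_start <= e["TimeGenerated"] <= hist_end}
    hits = []
    for e in aviatrix:
        if e["TimeGenerated"] <= hist_end or e["SourceIpAddress"] in baseline_ips:
            continue  # outside the recent window, or IP already seen in the baseline
        hits.append({**e, "abnormal_api": e["OperationName"] not in NORMAL_API_CALLS})
    return hits


NOW = datetime(2025, 1, 20, tzinfo=timezone.utc)
EC2_ROLE = "arn:aws:iam::[AccountID]:role/aviatrix-role-ec2"
APP_ROLE = "arn:aws:iam::[AccountID]:role/aviatrix-role-app"


def _ev(days_ago, role, ip, api):
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "SessionIssuerArn": role,
            "SourceIpAddress": ip, "OperationName": api}


# Constructed sample records standing in for AWSCloudTrail rows (not real telemetry).
SAMPLE_EVENTS = [
    _ev(40, EC2_ROLE, "192.0.2.5", "DescribeInstances"),    # older than 30d: not in baseline
    _ev(20, EC2_ROLE, "203.0.113.10", "DescribeInstances"),  # baseline
    _ev(15, APP_ROLE, "203.0.113.11", "ListBuckets"),        # baseline
    _ev(2, EC2_ROLE, "203.0.113.10", "DescribeInstances"),   # known IP: dropped by the join
    _ev(1, EC2_ROLE, "192.0.2.5", "GetObject"),              # IP seen only >30d ago: flagged
    _ev(1, APP_ROLE, "198.51.100.7", "CreateUser"),          # new IP and unusual API: flagged
    _ev(1, "arn:aws:iam::[AccountID]:role/other", "198.51.100.9", "CreateUser"),  # not Aviatrix
]


def demo():
    return find_new_ip_activity(SAMPLE_EVENTS, NOW)
```

Note that an IP last seen more than 30 days ago is treated as new, which is the same behaviour the KQL baseline window produces.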

MITRE ATT&CK

ID     | Technique                         | Tactic
T1203  | Exploitation for Client Execution | Execution

Analytic Rule

  • Yaml:
  • ARM:

Notes

This sample query is based on work published by Wiz research: https://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of-aviatrix-cve-2024-50603