administrators or developers who are unaware of the deprecation status of amis they are using.

t1580
aws
elastic

Techniques

T1580

Sample rules

AWS EC2 Deprecated AMI Discovery

source: elastic
technicques:
- T1580

Description

Identifies when a user has queried for deprecated Amazon Machine Images (AMIs) in AWS. This may indicate an adversary looking for outdated AMIs that may be vulnerable to exploitation. While deprecated AMIs are not inherently malicious or indicative of a breach, they may be more susceptible to vulnerabilities and should be investigated for potential security risks.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "ec2.amazonaws.com"
    and event.action: "DescribeImages"
    and event.outcome: "success"
    and aws.cloudtrail.flattened.request_parameters.includeDeprecated: "true"
    and aws.cloudtrail.flattened.request_parameters.ownersSet.items.owner: *