Encrypted administrator password retrieved for Windows EC2 instance

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect a user attempting to retrieve the encrypted Administrator password for a Windows EC2 instance.

Strategy

This rule allows you to monitor CloudTrail and detect if an attacker has attempted to retrieve the encrypted Administrator password for a Windows EC2 instance using the GetPasswordData API call.

Triage and response

  1. Determine if {{@userIdentity.session_name}} should have made a {{@evt.name}} API call.
  2. If the API call was not made by the user:
  • Rotate user credentials.
  • Determine what other API calls were made by the user.
  1. If the API call was made by the user:
  • Determine if this user should be accessing this EC2 instance.
  • If Yes, advise the user to speak with the instance owner to resolve the error.
  • If No, see if other API calls were made by the user and determine if they warrant further investigation.