Possible AWS EC2 privilege escalation via the modification of user data

cloudtrail

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1037-boot-or-logon-initialization-scripts

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect a user attempting to modify a user data script on an EC2 instance.

Strategy

This rule allows you to monitor CloudTrail and detect if an attacker has attempted to modify the user data script on an EC2 instance using the following API calls:

Triage and response

  1. Determine if {{@userIdentity.session_name}} should have modified the user data script associated with {{host}}.
  2. If the API calls were not made by the user:
  • Rotate user credentials.
  • Determine what other API calls were made by the user.
  • Follow your company’s incident response process to determine the impact to {{host}}.
  • Revert the user data script to the last known good state with the aws-cli command modify-instance-attribute or use the AWS Console.
  1. If the API calls were made by the user:
  • Determine if the user should be modifying this user data script.
  • If No, see if other API calls were made by the user and determine if they warrant further investigation.