Possible AWS EC2 privilege escalation via the modification of user data

cloudtrail

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1037-boot-or-logon-initialization-scripts

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect a user attempting to modify a user data script on an EC2 instance.

Strategy

This rule allows you to monitor CloudTrail and detect if an attacker has attempted to modify the user data script on an EC2 instance using the following API calls:

Triage and response

  1. Determine if {{@userIdentity.session_name}} should have modified the user data script associated with {{host}}.
  2. If the API calls were not made by the user:
  • Rotate user credentials.
  • Determine what other API calls were made by the user.
  • Follow your company’s incident response process to determine the impact to {{host}}.
  • Revert the user data script to the last known good state with the aws-cli command modify-instance-attribute or use the AWS Console.
  1. If the API calls were made by the user:
  • Determine if the user should be modifying this user data script.
  • If No, see if other API calls were made by the user and determine if they warrant further investigation.