---
title: Possible AWS EC2 privilege escalation via the modification of user data
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Possible AWS EC2 privilege escalation
  via the modification of user data
---

# Possible AWS EC2 privilege escalation via the modification of user data
- Classification: attack
- Tactic: [TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004)
- Technique: [T1098-account-manipulation](https://attack.mitre.org/techniques/T1098)
## Goal{% #goal %}

Detect a user attempting to modify a [user data script](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html) on an EC2 instance.

## Strategy{% #strategy %}

This rule monitors CloudTrail and detects an attacker attempting to modify the user data script on an EC2 instance. Because user data can only be changed while the instance is stopped, and the script runs as root (Linux) or Administrator (Windows) when the instance next boots, the attack typically appears as the following sequence of API calls:

- [`StopInstances`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StopInstances.html)
- [`ModifyInstanceAttribute`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html)
- [`StartInstances`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartInstances.html)
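The following is an added example, not part of the Datadog rule or its implementation, showing how the three-call sequence can be correlated in CloudTrail records. It assumes the standard CloudTrail record layout (`eventName`, `requestParameters.instancesSet.items[].instanceId` for Stop/Start, `requestParameters.instanceId` plus a `userData` key for the attribute change), a 30-minute correlation window chosen here for illustration, and that the `userData` value is redacted in the log, so the detection keys on the parameter name rather than its content. The log records are constructed sample data.

```python
import json
from datetime import datetime, timedelta


def _record(time, name, arn, params, ip="198.51.100.7"):
    """Build a minimal CloudTrail-shaped record (constructed sample data, not a real log)."""
    return {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "arn": arn},
            "requestParameters": params}


ATTACKER = "arn:aws:iam::123456789012:user/dev-ci"   # hypothetical principal
TARGET = "i-0123456789abcdef0"                        # hypothetical instance
SAMPLE_EVENTS = [
    _record("2024-05-01T12:00:05Z", "StopInstances", ATTACKER,
            {"instancesSet": {"items": [{"instanceId": TARGET}]}, "force": False}),
    # userData value assumed redacted, as CloudTrail does for sensitive parameters.
    _record("2024-05-01T12:01:10Z", "ModifyInstanceAttribute", ATTACKER,
            {"instanceId": TARGET, "userData": "<sensitiveDataRemoved>"}),
    _record("2024-05-01T12:02:00Z", "StartInstances", ATTACKER,
            {"instancesSet": {"items": [{"instanceId": TARGET}]}}),
    # Benign instanceType change on another instance by another user: no finding.
    _record("2024-05-01T12:05:00Z", "ModifyInstanceAttribute",
            "arn:aws:iam::123456789012:user/ops",
            {"instanceId": "i-0fedcba9876543210", "instanceType": {"value": "t3.large"}},
            ip="203.0.113.9"),
]


def _event_time(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _principal(event):
    return (event.get("userIdentity") or {}).get("arn", "unknown")


def _instance_ids(event):
    """Instance IDs named by the call: Stop/Start use instancesSet.items,
    ModifyInstanceAttribute uses a single instanceId."""
    params = event.get("requestParameters") or {}
    if "instanceId" in params:
        return {params["instanceId"]}
    items = (params.get("instancesSet") or {}).get("items") or []
    return {item["instanceId"] for item in items if "instanceId" in item}


def _touches_user_data(event):
    """True when a ModifyInstanceAttribute call targets the userData attribute.
    The value is redacted in the log, so only the parameter name is checked."""
    params = event.get("requestParameters") or {}
    return "userData" in params or params.get("attribute") == "userData"


def _is_ec2(event, name):
    return event.get("eventSource") == "ec2.amazonaws.com" and event.get("eventName") == name


def find_user_data_modifications(events, window=timedelta(minutes=30)):
    """One finding per userData change, annotated with whether the same instance
    was stopped shortly before and started shortly after (the full escalation chain)."""
    events = sorted(events, key=_event_time)
    findings = []
    for ev in events:
        if not (_is_ec2(ev, "ModifyInstanceAttribute") and _touches_user_data(ev)):
            continue
        t = _event_time(ev)
        for iid in _instance_ids(ev):
            stopped = any(_is_ec2(o, "StopInstances") and iid in _instance_ids(o)
                          and t - window <= _event_time(o) <= t for o in events)
            started = any(_is_ec2(o, "StartInstances") and iid in _instance_ids(o)
                          and t <= _event_time(o) <= t + window for o in events)
            findings.append({
                "instance_id": iid,
                "principal": _principal(ev),
                "source_ip": ev.get("sourceIPAddress"),
                "modified_at": ev["eventTime"],
                "stopped_before": stopped,
                "started_after": started,
                # Assumed severity mapping: a restarted instance has already run the new script.
                "severity": "high" if started else "medium",
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_user_data_modifications(SAMPLE_EVENTS), indent=2))
```

A `ModifyInstanceAttribute` on `userData` is reported even when no Stop/Start is seen in the window, since the change alone is the signal the rule is built on; the `stopped_before` and `started_after` flags tell the analyst whether the modified script has already had a chance to execute.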

## Triage and response{% #triage-and-response %}

1. Determine if `{{@userIdentity.session_name}}` should have modified the user data script associated with `{{host}}`.
1. If the API calls were not made by the user:
   - Rotate the user's credentials.
   - Determine what other API calls were made by the user.
   - Follow your company's incident response process to determine the impact to `{{host}}`. If the instance was started after the change, the modified script has already run with root or Administrator privileges, so treat the instance as potentially compromised.
   - Revert the user data script to the last known good state with the `aws-cli` command [modify-instance-attribute](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-attribute.html) or use the [AWS Console](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-view-change). The instance must be stopped before its user data can be changed.
1. If the API calls were made by the user:
   - Determine if the user should be modifying this user data script.
   - If not, see if other API calls were made by the user and determine if they warrant further investigation.
