AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role

Identifies the first occurrence of an unauthorized attempt by an AWS role to use GetPasswordData to access the administrator password of an EC2 instance. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2024/04/10"
integration = ["aws"]
maturity = "production"
updated_date = "2025/06/04"

[rule]
author = ["Elastic"]
description = """
Identifies the first occurrence of an unauthorized attempt by an AWS role to use `GetPasswordData` to access the administrator password of an EC2 instance.
Adversaries may use this API call to escalate privileges or move laterally within EC2 instances.
"""
from = "now-6m"
interval = "5m"
index = ["filebeat-*", "logs-aws.cloudtrail*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role"
note = """
## Triage and analysis

### Investigating AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role

This rule detects the first occurrence of an assumed role calling the `GetPasswordData` API, which retrieves the administrator password of an EC2 instance, where the request was denied with `Client.UnauthorizedOperation` because the role is not authorized for that instance. This can be an indicator of an adversary attempting to escalate privileges or move laterally within EC2 instances.

This is a New Terms rule, which means it will only trigger once for each unique value of the `aws.cloudtrail.user_identity.session_context.session_issuer.arn` field that has not been seen making this API request within the last 7 days. This field contains the Amazon Resource Name (ARN) of the assumed role that triggered the API call.

#### Possible Investigation Steps

- **Identify the User Identity and Role**: Examine the AWS CloudTrail logs to determine the user identity that made the `GetPasswordData` request. Pay special attention to the role and permissions associated with the user.
- **Review Request Parameters**: Analyze the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.error_message` fields to understand the context of the API call.
- **Contextualize with User Behavior**: Compare this activity against the role's typical behavior patterns. Look for unusual login times, IP addresses, or other anomalous actions taken by the role prior to and following the incident.
- **Review EC2 Instance Details**: Check the details of the EC2 instance from which the password retrieval was attempted. Assess the criticality and sensitivity of the applications running on this instance.
- **Examine Related CloudTrail Events**: Search for other API calls made by the same role, especially those modifying security groups, network access controls, or instance metadata.
- **Investigate the Origin of the API Call**: Analyze the IP address and geographical location from which the request originated. Determine if it aligns with expected locations for legitimate administrative activity.

### False Positive Analysis

- **Legitimate Administrative Actions**: Ensure that the activity was not part of legitimate administrative tasks such as system maintenance or updates.
- **Automation Scripts**: Verify if the activity was generated by automation or deployment scripts that are authorized to use `GetPasswordData` for legitimate purposes.

### Response and Remediation

- **User Account Review**: Review the permissions of the implicated user identity. Apply the principle of least privilege by adjusting permissions to prevent misuse.
- **Enhanced Monitoring**: Increase monitoring on the user identity that triggered the rule and similar EC2 instances.
- **Incident Response**: If malicious intent is confirmed, initiate the incident response protocol. This includes further investigation, containment of the threat, eradication of any threat actor presence, and recovery of affected systems.
- **Preventative Measures**: Implement or enhance security measures such as multi-factor authentication and continuous audits of sensitive operations like `GetPasswordData`.

### Additional Information

Refer to resources like [AWS privilege escalation methods](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc) and the MITRE ATT&CK technique [T1552.005 - Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005/) for more details on potential vulnerabilities and mitigation strategies.

"""
references = [
    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc",
]
risk_score = 47
rule_id = "8446517c-f789-11ee-8ad0-f661ea17fbce"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS EC2",
    "Use Case: Identity and Access Audit",
    "Resources: Investigation Guide",
    "Tactic: Credential Access",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset:"aws.cloudtrail"
    and event.provider:"ec2.amazonaws.com" and event.action:"GetPasswordData"
    and aws.cloudtrail.user_identity.type:"AssumedRole" and aws.cloudtrail.error_code:"Client.UnauthorizedOperation"
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.address",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.session_context.session_issuer.arn",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "aws.cloudtrail.error_code",
    "aws.cloudtrail.request_parameters",
    "cloud.account.id",
    "cloud.region"
]

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.005"
name = "Cloud Instance Metadata API"
reference = "https://attack.mitre.org/techniques/T1552/005/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.new_terms]
field = "new_terms_fields"
value = ["aws.cloudtrail.user_identity.session_context.session_issuer.arn"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
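The following is an added worked example, not part of the Elastic rule, that replays the rule's query filter and its 7-day New Terms suppression over a handful of constructed CloudTrail records. The role ARN, timestamps and records are assumptions; the field names follow raw CloudTrail JSON rather than the ECS names the rule queries.

```python
"""Added example (not from the Elastic rule): replays the KQL filter and New Terms logic."""
from datetime import datetime, timedelta

HISTORY_WINDOW = timedelta(days=7)  # rule.new_terms history_window_start = "now-7d"
ROLE = "arn:aws:iam::123456789012:role/ExampleRole"  # constructed issuer ARN (assumption)

def matches_query(ev):
    """The rule's KQL: EC2 GetPasswordData by an AssumedRole, denied by IAM."""
    return (ev.get("eventSource") == "ec2.amazonaws.com"
            and ev.get("eventName") == "GetPasswordData"
            and ev.get("userIdentity", {}).get("type") == "AssumedRole"
            and ev.get("errorCode") == "Client.UnauthorizedOperation")

def issuer_arn(ev):
    # Raw-JSON path of aws.cloudtrail.user_identity.session_context.session_issuer.arn
    return ev["userIdentity"]["sessionContext"]["sessionIssuer"]["arn"]

def run_rule(events):
    """Return the events that alert: query match AND the issuer ARN has not
    made a matching request within the previous HISTORY_WINDOW."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if not matches_query(ev):
            continue
        arn = issuer_arn(ev)
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        if arn not in last_seen or ts - last_seen[arn] > HISTORY_WINDOW:
            alerts.append(ev)  # new term for this window
        last_seen[arn] = ts
    return alerts

def _event(time, itype, arn, error=None, name="GetPasswordData"):
    """Build a minimal constructed CloudTrail record (not real log data)."""
    ev = {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
          "userIdentity": {"type": itype,
                           "sessionContext": {"sessionIssuer": {"arn": arn}}}}
    if error:
        ev["errorCode"] = error
    return ev

SAMPLE_EVENTS = [  # constructed sample input
    _event("2025-06-01T10:00:00Z", "AssumedRole", ROLE, "Client.UnauthorizedOperation"),  # alerts
    _event("2025-06-03T10:00:00Z", "AssumedRole", ROLE, "Client.UnauthorizedOperation"),  # seen 2d ago
    _event("2025-06-03T11:00:00Z", "AssumedRole", ROLE),  # succeeded: no errorCode, no match
    _event("2025-06-03T12:00:00Z", "IAMUser", "arn:aws:iam::123456789012:user/example",
           "Client.UnauthorizedOperation"),  # not an assumed role, no match
    _event("2025-06-13T10:00:00Z", "AssumedRole", ROLE, "Client.UnauthorizedOperation"),  # >7d: alerts
]
```

Only the first denied call and the one made more than 7 days after the previous sighting produce alerts; the repeat two days later, the successful call and the IAM user call are suppressed or filtered.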
