Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure

Detects when an EC2 instance identity role (the credentials served by the instance metadata service, IMDS) has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.

Sigma rule

title: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
id: 352a918a-34d8-4882-8470-44830c507aa3
status: experimental
description: |
    Detects when an instance identity has taken an action that isn't inside SSM.
    This can indicate that a compromised EC2 instance is being used as a pivot point.
references:
    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
    - https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/
    - https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things
author: jamesc-grafana
date: 2024/07/11
tags:
    - attack.privilege_escalation
    - attack.defense_evasion
    - attack.t1078
    - attack.t1078.002
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        userIdentity.arn|re: '.+:assumed-role/aws:.+'
    filter_main_generic:
        - eventSource: 'ssm.amazonaws.com'
        - eventName: 'RegisterManagedInstance'
        - sourceIPAddress: 'AWS Internal'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - A team has configured an EC2 instance to use instance profiles that grant the option for the EC2 instance to talk to other AWS Services
level: high
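The rule's logic applied to a few constructed CloudTrail records, as an added example that is not part of the Sigma rule or its page: the `selection` regex picks out instance identity roles, and any one of the three `filter_main_generic` alternatives suppresses the alert. Account ID, instance ID and source IP below are constructed sample values.

```python
"""Added example: evaluate the Sigma rule above against constructed CloudTrail events."""
import re

# selection: userIdentity.arn|re '.+:assumed-role/aws:.+'
# EC2 instance identity roles have session ARNs of the form
# arn:aws:sts::<account>:assumed-role/aws:ec2-instance/<instance-id>
SELECTION_ARN = re.compile(r".+:assumed-role/aws:.+")

# filter_main_generic: a list of single-key maps is OR'd in Sigma, so matching
# any one entry suppresses the alert (condition: selection and not 1 of filter_main_*)
FILTERS = (
    ("eventSource", "ssm.amazonaws.com"),
    ("eventName", "RegisterManagedInstance"),
    ("sourceIPAddress", "AWS Internal"),
)


def matches_rule(event: dict) -> bool:
    """True when the event would fire the rule."""
    arn = event.get("userIdentity", {}).get("arn", "")
    if not SELECTION_ARN.search(arn):
        return False
    return not any(event.get(field) == value for field, value in FILTERS)


# Constructed sample events (not real CloudTrail data).
INSTANCE_ARN = "arn:aws:sts::111122223333:assumed-role/aws:ec2-instance/i-0abc123def456789"
CONSTRUCTED_EVENTS = [
    # Expected traffic: the instance checks in with SSM from inside AWS -> filtered out
    {"eventSource": "ssm.amazonaws.com", "eventName": "UpdateInstanceInformation",
     "sourceIPAddress": "AWS Internal", "userIdentity": {"arn": INSTANCE_ARN}},
    # Suspicious: instance identity credentials used against S3 from an external IP -> alert
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": INSTANCE_ARN}},
    # Ordinary assumed role (not an instance identity) -> selection does not match
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-session"}},
]


def alerting_event_names(events: list) -> list:
    """Return the eventName of every record that fires the rule."""
    return [e["eventName"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(alerting_event_names(CONSTRUCTED_EVENTS))  # ['ListBuckets']
```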
