AWS EC2 Startup Shell Script Change
Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
Sigma rule (View on GitHub)
1title: AWS EC2 Startup Shell Script Change
2id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
3status: test
4description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
5references:
6 - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9
7author: faloker
8date: 2020-02-12
9modified: 2022-06-07
10tags:
11 - attack.execution
12 - attack.t1059.001
13 - attack.t1059.003
14 - attack.t1059.004
15logsource:
16 product: aws
17 service: cloudtrail
18detection:
19 selection_source:
20 eventSource: ec2.amazonaws.com
21 requestParameters.attribute: 'userData'
22 eventName: ModifyInstanceAttribute
23 condition: selection_source
24falsepositives:
25 - Valid changes to the startup script
26level: high
References
-
The AWS exploitation framework, designed for testing the security of Amazon Web Services environments. - RhinoSecurityLabs/pacu
Read More
Related rules
- Command Line Execution with Suspicious URL and AppData Strings
- Exploited CVE-2020-10189 Zoho ManageEngine
- File Was Not Allowed To Run
- HTML Help HH.EXE Suspicious Child Process
- HackTool - CrackMapExec Execution