AWS EC2 Download Userdata
Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
Sigma rule

```yaml
title: AWS EC2 Download Userdata
id: 26ff4080-194e-47e7-9889-ef7602efed0c
status: unsupported
description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__download_userdata/main.py
author: faloker
date: 2020/02/11
modified: 2023/03/24
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: ec2.amazonaws.com
        requestParameters.attribute: userData
        eventName: DescribeInstanceAttribute
    timeframe: 30m
    condition: selection_source | count() > 10
falsepositives:
    - Assets management software like device42
level: medium
```
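The rule's detection logic carried out in Python, as an added example that is not part of the Sigma project or the rule above: records matching `selection_source` are counted in a sliding 30-minute window and the rule fires once the count exceeds 10. The CloudTrail records, timestamps and instance IDs are constructed for the demonstration.

```python
"""Added example: the Sigma rule's count() > 10 within 30m, evaluated over constructed CloudTrail records."""
from collections import deque
from datetime import datetime, timedelta
from typing import List, Optional

THRESHOLD = 10                     # condition: selection_source | count() > 10
TIMEFRAME = timedelta(minutes=30)  # timeframe: 30m

def matches_selection(event: dict) -> bool:
    """selection_source: all three fields must match the CloudTrail record."""
    params = event.get("requestParameters") or {}
    return (event.get("eventSource") == "ec2.amazonaws.com"
            and event.get("eventName") == "DescribeInstanceAttribute"
            and params.get("attribute") == "userData")

def event_time(event: dict) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect(records: List[dict]) -> Optional[datetime]:
    """Return the eventTime of the user-data read that first pushes the count past
    THRESHOLD within TIMEFRAME, or None when the rule would not fire."""
    window: deque = deque()
    for ev in sorted(filter(matches_selection, records), key=event_time):
        now = event_time(ev)
        window.append(now)
        while now - window[0] > TIMEFRAME:  # evict reads older than the timeframe
            window.popleft()
        if len(window) > THRESHOLD:
            return now
    return None

# Constructed sample telemetry (not real logs); the instance IDs are synthetic.
BASE = datetime(2023, 3, 24, 10, 0, 0)

def make_event(offset_min: int, attribute: str = "userData",
               name: str = "DescribeInstanceAttribute") -> dict:
    when = BASE + timedelta(minutes=offset_min)
    return {"eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "eventSource": "ec2.amazonaws.com", "eventName": name,
            "requestParameters": {"attribute": attribute,
                                  "instanceId": f"i-{offset_min:017x}"}}

# Twelve reads in twelve minutes plus two unrelated EC2 calls: the rule fires.
# Twelve reads spaced 20 minutes apart never exceed two per window: it stays quiet.
BURST = [make_event(m) for m in range(12)] + [make_event(5, "blockDeviceMapping"),
                                              make_event(6, name="RunInstances")]
SPREAD = [make_event(20 * m) for m in range(12)]
```

The `timeframe`/`count()` form is Sigma's legacy aggregation syntax, which is why the rule carries `status: unsupported`; a backend would translate the same window logic into the target SIEM's query language.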
Related rules
- High DNS Bytes Out
- High DNS Bytes Out - Firewall
- High DNS Requests Rate
- High DNS Requests Rate - Firewall
- High NULL Records Requests Rate