Data Source: Amazon EC2 | Detection.FYI

AWS EC2 User Data Retrieval for EC2 Instance

Feb 3, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: Amazon EC2 Resources: Investigation Guide Use Case: Log Auditing Tactic: Discovery ·
Share on:

Identifies discovery request DescribeInstanceAttribute with the attribute userData and instanceId in AWS CloudTrail logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to gather sensitive data from the instance such as hardcoded credentials or to identify potential vulnerabilities. This is a New Terms rule that identifies when aws.cloudtrail.user_identity.arn requests the user data for a specific aws.cloudtrail.flattened.request_parameters.instanceId from an EC2 instance in the last 14 days.

Read More
AWS EC2 Admin Credential Fetch via Assumed Role

Jan 22, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: Amazon EC2 Use Case: Identity and Access Audit Resources: Investigation Guide Tactic: Credential Access ·
Share on:

Identifies the first occurrence of a user identity in AWS using GetPassword for the administrator password of an EC2 instance with an assumed role. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances.

Read More