rules/cloud/aws/aws_ec2_download_userdata.yml

title: AWS EC2 Download Userdata
id: 26ff4080-194e-47e7-9889-ef7602efed0c
status: experimental
description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
author: faloker
date: 2020/02/11
modified: 2021/08/20
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__download_userdata/main.py
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: ec2.amazonaws.com
        requestParameters.attribute: userData
        eventName: DescribeInstanceAttribute
    timeframe: 30m
    condition: selection_source | count() > 10
falsepositives:
    - Assets management software like device42
level: medium
tags:
    - attack.exfiltration 
    - attack.t1020
Update rules titles 2020-02-12 23:09:16 +02:00			`title: AWS EC2 Download Userdata`
Add a rule for ec2 userdata exfil 2020-02-11 23:25:54 +02:00			`id: 26ff4080-194e-47e7-9889-ef7602efed0c`
			`status: experimental`
Fixed my git issue 2020-09-13 22:03:04 -06:00			`description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.`
Add a rule for ec2 userdata exfil 2020-02-11 23:25:54 +02:00			`author: faloker`
			`date: 2020/02/11`
Update AWS CloudTrail rules 2021-08-20 13:43:00 +01:00			`modified: 2021/08/20`
Add a rule for ec2 userdata exfil 2020-02-11 23:25:54 +02:00			`references:`
Update AWS CloudTrail rules 2021-08-20 13:43:00 +01:00			`- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__download_userdata/main.py`
Add a rule for ec2 userdata exfil 2020-02-11 23:25:54 +02:00			`logsource:`
$frack113$ Add product aws 2021-11-14 09:56:59 +01:00			`product: aws`
Correct the indentation 2020-02-12 22:48:46 +02:00			`service: cloudtrail`
Add a rule for ec2 userdata exfil 2020-02-11 23:25:54 +02:00			`detection:`
Correct the indentation 2020-02-12 22:48:46 +02:00			`selection_source:`
$frack113$ split PR 1802 fix rules 2021-08-09 15:41:40 +02:00			`eventSource: ec2.amazonaws.com`
			`requestParameters.attribute: userData`
			`eventName: DescribeInstanceAttribute`
Correct the indentation 2020-02-12 22:48:46 +02:00			`timeframe: 30m`
$frack113$ split PR 1802 fix rules 2021-08-09 15:41:40 +02:00			`condition: selection_source \| count() > 10`
Add a rule for ec2 userdata exfil 2020-02-11 23:25:54 +02:00			`falsepositives:`
			`- Assets management software like device42`
Fixed my git issue 2020-09-13 22:03:04 -06:00			`level: medium`
Add a rule for ec2 userdata exfil 2020-02-11 23:25:54 +02:00			`tags:`
att&ck tags review: application, apt, cloud, generic, proxy 2020-09-03 14:16:47 +00:00			`- attack.exfiltration`
Correct the indentation 2020-02-12 22:48:46 +02:00			`- attack.t1020`