title: AWS ECS Backdoor Task Definition
id: b94bf91e-c2bf-4047-9c43-c6810f43baad
status: experimental
description: |
  Detects when an Elastic Container Service (ECS) Task Definition has been modified and run.
  This can indicate an adversary adding a backdoor to establish persistence or escalate privileges.
  This rule is based on examining events created upon execution of Rhino Security Lab's Pacu in a lab environment.
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py
    - https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html
author: Darin Smith
date: 2022/06/07
tags:
    - attack.persistence
    - attack.t1525
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: ecs.amazonaws.com
        eventName:
            - DescribeTaskDefinition
            - RegisterTaskDefinition
            - RunTask
        requestParameters.containerDefinitions.command|contains|all:
            - '169.254'
            - '$AWS_CONTAINER_CREDENTIALS'
    condition: selection
falsepositives:
    - Task Definition being modified to request credentials from the Task Metadata Service for valid reasons
level: medium