sigma-rules/hunting/aws/docs/ec2_modify_instance_attribute_user_data.md
Terrance DeJesus ba58a1e7cc [New Hunt] Add AWS Hunting Queries to Shared Hunting Library (#3988)
* new hunt queries for aws

* sendcommand and getuserpassword queries

* s3 bucket access and secrets manager requests added

* ssm start session and service logging deleted added

* adding federated authentication queries

* added ec2 modify instance attribute query

* adding backdoor role creation query

* 2 new queries for discovery; added lookback windows

* added new hunting query for IAM activity with no MFA session

* added missing time windows

* adding new query for lambda add permissions

* adjusted query format

* added new query for ec2 instance deployment anomalies

* updated queries based on feedback; regenerated docs

* fixed queries

* removed new rule
2024-09-04 10:08:44 -04:00

EC2 Modify Instance Attribute User Data


Metadata

  • Author: Elastic

  • Description: This hunting query identifies when a user modifies the user data attribute of an EC2 instance. The user data attribute is a script that runs when the instance is launched. Modifying the user data attribute could indicate an adversary attempting to gain persistence or execute malicious code on the instance.

  • UUID: f11ac62c-5f42-11ef-9d72-f661ea17fbce

  • Integration: aws.cloudtrail

  • Language: [ES|QL]

  • Source File: EC2 Modify Instance Attribute User Data

Query

from logs-aws.cloudtrail-*
| where @timestamp > now() - 7 day
| where
    event.provider == "ec2.amazonaws.com"
    and event.action == "ModifyInstanceAttribute"
    and aws.cloudtrail.request_parameters RLIKE ".*attribute=userData.*"
| dissect aws.cloudtrail.request_parameters "{%{instance_id_key}=%{instance_id}, %{attribute_key}=%{attribute}, %{value_key}=%{value}}"
| stats user_attribute_modify_count = count(*) by aws.cloudtrail.user_identity.arn, event.outcome

Notes

  • Use the instance_id field to identify the EC2 instance whose user data attribute was modified
  • Pivot into the EC2 instance if possible and examine the user data script ('/var/lib/cloud/instance/scripts/userdata.txt') for malicious content
  • Modifying an EC2 instance's user data attribute requires the instance to be stopped first, so check the event.action field for StopInstances API calls to determine whether the instance was stopped and started around the time of the change
  • AWS redacts the value of the user data attribute in CloudTrail logs, so the actual script content will not be visible in the logs; the query's value field only confirms that the attribute was set
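The query's window, filter, dissect and stats stages, together with the StopInstances pivot from the notes, emulated in Python over constructed events so the logic can be checked offline. This is an added example, not code from the hunting library: the events, ARN and instance ID are constructed placeholders, and the shortened dict keys stand in for the ECS field paths the ES|QL query uses.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events, not real CloudTrail data. Keys are shortened stand-ins
# for the ECS paths in the query ("arn" = aws.cloudtrail.user_identity.arn,
# "request_parameters" = aws.cloudtrail.request_parameters); ARN and instance ID
# are placeholders, and "<redacted>" mirrors AWS redacting the user data value.
NOW = datetime(2024, 9, 4, 14, 0, tzinfo=timezone.utc)
ARN = "arn:aws:iam::123456789012:user/example-user"

def ev(age, action, outcome, params):  # one flattened CloudTrail event
    return {"@timestamp": NOW - age, "event.provider": "ec2.amazonaws.com", "event.action": action,
            "event.outcome": outcome, "arn": ARN, "request_parameters": params}

STOP = "{instancesSet={items=[{instanceId=i-0123456789abcdef0}]}, force=false}"
USERDATA = "{instanceId=i-0123456789abcdef0, attribute=userData, value=<redacted>}"
EVENTS = [
    ev(timedelta(hours=3), "StopInstances", "success", STOP),
    ev(timedelta(hours=2), "ModifyInstanceAttribute", "success", USERDATA),
    ev(timedelta(hours=1), "ModifyInstanceAttribute", "failure", USERDATA),
    ev(timedelta(days=1), "ModifyInstanceAttribute", "success",
       "{instanceId=i-0123456789abcdef0, attribute=instanceType, value=t3.small}"),
    ev(timedelta(days=10), "ModifyInstanceAttribute", "success", USERDATA),  # outside window
]

# Python equivalents of the query's RLIKE and dissect patterns.
USERDATA_RE = re.compile(r".*attribute=userData.*")
DISSECT_RE = re.compile(r"^\{(?P<instance_id_key>[^=]*)=(?P<instance_id>[^,]*), "
                        r"(?P<attribute_key>[^=]*)=(?P<attribute>[^,]*), "
                        r"(?P<value_key>[^=]*)=(?P<value>.*)\}$")

def hunt(events, now=NOW, lookback=timedelta(days=7)):
    """Emulate the ES|QL pipeline: window, filters, dissect, stats by (ARN, outcome)."""
    counts, rows = Counter(), []
    for e in events:
        if (e["@timestamp"] <= now - lookback
                or e["event.provider"] != "ec2.amazonaws.com"
                or e["event.action"] != "ModifyInstanceAttribute"
                or not USERDATA_RE.match(e["request_parameters"])):
            continue
        m = DISSECT_RE.match(e["request_parameters"])
        # Like ES|QL dissect, a non-matching row is kept with the new columns null.
        rows.append(dict(e, **(m.groupdict() if m else {})))
        counts[(e["arn"], e["event.outcome"])] += 1
    return counts, rows

def was_stopped_before(events, instance_id, when):
    """Pivot from the notes: did a StopInstances call for this instance precede the change?"""
    needle = "instanceId=" + instance_id
    return any(e["event.action"] == "StopInstances" and needle in e["request_parameters"]
               and e["@timestamp"] < when for e in events)
```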

MITRE ATT&CK Techniques

License

  • Elastic License v2