Skip to content
Threat Feed
critical advisory

AWS Credential Access via GetPasswordData API Abuse

An attacker attempts to retrieve encrypted administrator passwords for running Windows instances by abusing the AWS GetPasswordData API, potentially leading to full control over the affected instances.

This brief focuses on detecting potential credential access attempts within AWS environments. An adversary may attempt to retrieve the encrypted administrator passwords of running Windows instances by abusing the GetPasswordData API. The GetPasswordData API is a legitimate AWS function, but excessive or unusual use may indicate malicious activity. Specifically, this analytic identifies instances where more than 10 GetPasswordData API calls are made within a 5-minute window. Successfully retrieving these passwords would grant the attacker unauthorized access to the administrative credentials, enabling them to take full control over the targeted instances and potentially compromise the entire AWS environment.

Attack Chain

  1. The attacker gains initial access to an AWS account, possibly through compromised credentials or an exposed IAM role (TA0001).
  2. The attacker enumerates running EC2 instances within the AWS environment to identify potential targets.
  3. The attacker makes repeated calls to the GetPasswordData API for various instances.
  4. AWS CloudTrail logs record the GetPasswordData API calls, including the instance IDs accessed and the source IP address.
  5. The attacker retrieves the encrypted administrator passwords for the targeted Windows instances.
  6. The attacker decrypts the retrieved passwords using the corresponding private key.
  7. The attacker uses the decrypted administrator credentials to log into the targeted Windows instances via RDP or other remote access protocols.
  8. The attacker gains full control over the compromised instances, allowing them to install malware, steal data, or pivot to other resources within the AWS environment.

Impact

A successful attack can lead to complete compromise of the targeted EC2 instances and potentially the entire AWS environment. The attacker gains unauthorized access to administrative credentials, enabling them to install malware, steal sensitive data, disrupt services, or use the compromised instances as a launchpad for further attacks. This could result in significant financial losses, reputational damage, and legal liabilities.

Recommendation

  • Deploy the Sigma rule AWS Credential Access via Excessive GetPasswordData Calls to your SIEM and tune the threshold (distinct_instance_ids > 10) according to your environment and baselined activity.
  • Monitor AWS CloudTrail logs for anomalous GetPasswordData API activity, focusing on high-frequency calls and unusual source IP addresses (AWS CloudTrail GetPasswordData).
  • Investigate any alerts generated by the Sigma rule, paying close attention to the user accounts and instances involved (rule output).
  • Implement multi-factor authentication (MFA) for all AWS accounts, especially those with IAM roles that have permissions to call GetPasswordData (AWS Account).
  • Enforce strong password policies and regularly rotate passwords for all AWS accounts (AWS Account).
  • Review and restrict IAM role permissions to limit access to sensitive APIs like GetPasswordData to only those who need it (AWS Account).

Detection coverage 2

AWS Credential Access via Excessive GetPasswordData Calls

high

Detects excessive GetPasswordData API calls, indicating potential credential access attempts.

sigma tactics: credential_access techniques: T1552 sources: cloudtrail, aws

AWS Credential Access - GetPasswordData from Unusual Source IP

medium

Detects GetPasswordData API calls originating from IP addresses not commonly associated with AWS administration.

sigma tactics: credential_access techniques: T1552 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →