Threat Feed
high advisory

AWS EC2 Stop, Start, and User Data Modification Correlation

Detection of a sequence of AWS EC2 management API calls indicative of malicious modification of instance user data to execute arbitrary code upon instance restart, potentially leading to privilege escalation and persistence.

This detection identifies a sequence of AWS EC2 API calls that together indicate an adversary is using instance user data as an execution and persistence mechanism. User data is a script or cloud-init configuration attached to an instance that the guest runs at boot as root (Linux) or SYSTEM (Windows). An adversary holding ec2:StopInstances, ec2:ModifyInstanceAttribute and ec2:StartInstances on a target can stop the instance, replace its userData attribute with a payload, and start it again so that the payload runs with those privileges. Two details shape the technique. First, AWS only allows userData to be modified while the instance is stopped, so the real sequence is stop, modify, start; the rule is order-agnostic and fires on any ordering. Second, a stop/start does not change the instance ID, and cloud-init runs user-data scripts only once per instance by default, so a payload that must run after the restart has to request every-boot execution (cloud-init's cloud_final_modules entry [scripts-user, always] or a #cloud-boothook on Linux, <persist>true</persist> in Windows user data). The detection correlates StopInstances, StartInstances and ModifyInstanceAttribute events whose request parameters reference the userData attribute within a 5-minute window. CloudTrail records the attribute name but redacts the user data body, so the match is on the attribute, not on the script contents. Events are grouped by instance ID, user name, account ID, source IP and user agent, and an alert fires only when all three distinct API calls are observed within the same group. Requiring the complete sequence suppresses routine restarts and legitimate user-data edits that are not followed by a restart.
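The correlation logic described above, written out as an added Python example (not the platform's own rule or query) that runs offline over constructed CloudTrail records: it groups events by instance ID, user name, account ID, source IP and user agent, and raises one alert per group when all three calls fall inside the window. The request-parameter layouts (instancesSet.items[] for Stop/Start, attribute/userData for ModifyInstanceAttribute) and every sample record are assumptions to be checked against your own logs.

```python
"""Offline correlation of CloudTrail records for the EC2 stop / userData
modify / start sequence, grouped the way the advisory's rule groups them."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

REQUIRED = frozenset({"StopInstances", "StartInstances", "ModifyInstanceAttribute"})


def _instance_ids(rec):
    """Instance IDs named by an EC2 event. Stop/Start carry instancesSet.items[];
    ModifyInstanceAttribute carries a single instanceId (assumed layouts)."""
    rp = rec.get("requestParameters") or {}
    if rp.get("instanceId"):
        return [rp["instanceId"]]
    items = (rp.get("instancesSet") or {}).get("items") or []
    return [i["instanceId"] for i in items if i.get("instanceId")]


def _targets_user_data(rec):
    """True for a ModifyInstanceAttribute aimed at userData. CloudTrail logs the
    attribute name but redacts the script body, so only the name is matched.
    Both request-parameter layouts checked here are assumptions."""
    rp = rec.get("requestParameters") or {}
    return rp.get("attribute") == "userData" or "userData" in rp


def _group_key(rec, instance_id):
    ui = rec.get("userIdentity") or {}
    return (instance_id,
            ui.get("userName") or ui.get("arn"),
            rec.get("recipientAccountId") or ui.get("accountId"),
            rec.get("sourceIPAddress"),
            rec.get("userAgent"))


def correlate(records, window_minutes=5):
    """One alert per (instance, user, account, source IP, user agent) group whose
    events cover all three API calls within the window. Records are sorted by
    eventTime because CloudTrail delivery order is not guaranteed; the rule is
    order-agnostic, so stop-modify-start and modify-stop-start both fire."""
    window = timedelta(minutes=window_minutes)
    groups = defaultdict(list)
    for rec in records:
        name = rec.get("eventName")
        if rec.get("eventSource") != "ec2.amazonaws.com" or name not in REQUIRED:
            continue
        if name == "ModifyInstanceAttribute" and not _targets_user_data(rec):
            continue
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        for iid in _instance_ids(rec):
            groups[_group_key(rec, iid)].append((ts, name))

    alerts = []
    for key, events in groups.items():
        events.sort()
        for i, (t_end, _) in enumerate(events):
            in_window = [(t, n) for t, n in events[: i + 1] if t_end - t <= window]
            if {n for _, n in in_window} >= REQUIRED:
                alerts.append({"instanceId": key[0], "userName": key[1], "accountId": key[2],
                               "sourceIPAddress": key[3], "userAgent": key[4],
                               "first": min(t for t, _ in in_window).isoformat(),
                               "last": t_end.isoformat()})
                break  # one alert per group
    return alerts


def _ev(time, name, user, ip, request_parameters):
    """Constructed CloudTrail record carrying only the fields the rule reads."""
    return {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user, "accountId": "111122223333"},
            "recipientAccountId": "111122223333", "sourceIPAddress": ip,
            "userAgent": "aws-cli/2.15.0", "requestParameters": request_parameters}


def _set(iid):
    return {"instancesSet": {"items": [{"instanceId": iid}]}}


# Constructed sample events (not real log data), deliberately out of time order.
SAMPLE_EVENTS = [
    # alice: stop, replace userData, start on i-0aaa within 5 minutes -> alert
    _ev("2024-05-01T12:03:00Z", "StartInstances", "alice", "203.0.113.10", _set("i-0aaa111122223333a")),
    _ev("2024-05-01T12:00:00Z", "StopInstances", "alice", "203.0.113.10", _set("i-0aaa111122223333a")),
    _ev("2024-05-01T12:01:30Z", "ModifyInstanceAttribute", "alice", "203.0.113.10",
        {"instanceId": "i-0aaa111122223333a", "attribute": "userData", "value": "<sensitiveDataRemoved>"}),
    # bob: plain restart of i-0bbb with no userData change -> no alert
    _ev("2024-05-01T12:00:10Z", "StopInstances", "bob", "198.51.100.7", _set("i-0bbb111122223333b")),
    _ev("2024-05-01T12:02:00Z", "StartInstances", "bob", "198.51.100.7", _set("i-0bbb111122223333b")),
    # carol: userData changed while stopped, but started 20 minutes later -> outside window
    _ev("2024-05-01T12:00:00Z", "StopInstances", "carol", "192.0.2.5", _set("i-0ccc111122223333c")),
    _ev("2024-05-01T12:01:00Z", "ModifyInstanceAttribute", "carol", "192.0.2.5",
        {"instanceId": "i-0ccc111122223333c", "attribute": "userData", "value": "<sensitiveDataRemoved>"}),
    _ev("2024-05-01T12:21:00Z", "StartInstances", "carol", "192.0.2.5", _set("i-0ccc111122223333c")),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run directly it prints the single alice alert; widening the window to 30 minutes also catches carol, which is the trade-off the 5-minute default makes. In a SIEM the same logic is usually expressed as a distinct count of eventName over a time bucket keyed on the same five fields.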

Attack Chain

  1. An attacker obtains AWS credentials (for example a leaked access key or an assumed IAM role) that carry ec2:StopInstances, ec2:ModifyInstanceAttribute and ec2:StartInstances on the target.
  2. The attacker identifies a target EC2 instance, typically one whose instance profile or network position is worth abusing.
  3. The attacker stops the instance with StopInstances, because userData cannot be changed while the instance is running.
  4. The attacker calls ModifyInstanceAttribute on the stopped instance to replace the userData attribute with a payload, normally wrapped in an every-boot directive so that cloud-init or the Windows launch agent executes it on the next start rather than only on the instance's first boot.
  5. The attacker starts the instance with StartInstances.
  6. On boot the guest runs the new user data as root (Linux) or SYSTEM (Windows), installing malware, creating accounts, or establishing another form of persistence.
  7. From the instance the attacker can use the instance profile's credentials, available from the instance metadata service, to explore the AWS environment further, escalate privileges, or exfiltrate data.

Impact

Successful exploitation yields arbitrary code execution as root or SYSTEM on the targeted instance, which means full control of the guest, its data, and any credentials it holds, including the instance profile credentials served by the instance metadata service; those credentials extend the attacker's reach to whatever the instance role is allowed to do in the account. Depending on the workload this results in data theft, service disruption while the instance is stopped for the swap, and further compromise of the account. User data persists until someone changes it, so a payload configured for every-boot execution re-runs on every later stop/start; by default cloud-init runs user data only on the instance's first boot, so a payload without such a directive runs at most once. Restoring a known-good user data value, or clearing it, and revoking the instance role's active sessions must be part of remediation.

Recommendation

  • Deploy the Sigma rules listed below to your SIEM and tune the 5-minute window and grouping fields to your environment; automation that legitimately edits user data (for example a deployment pipeline) can be allow-listed by principal or user agent.
  • Review CloudTrail for ModifyInstanceAttribute events whose request parameters name the userData attribute. CloudTrail does not log the new value, so retrieve the current user data with describe-instance-attribute (attribute userData), decode it, and check whether it requests every-boot execution.
  • Monitor EC2 instance state transitions (StopInstances and StartInstances) together with user data modifications on the same instance, and treat a stop immediately followed by a user data change as suspicious even before the start arrives.
  • Apply least-privilege IAM policies: few principals need ec2:ModifyInstanceAttribute, and fewer still need it on production instances; separate it from routine start/stop rights where possible.
  • Keep secrets out of user data. It is readable by any principal with ec2:DescribeInstanceAttribute and from inside the instance via the metadata service, so use AWS Secrets Manager or Systems Manager Parameter Store instead.
  • Investigate every alert generated by these rules and correlate it with other signals (new access keys, console logins from unusual IPs, instance credentials used from outside the VPC) before closing it.
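An added triage helper (not code from the page or the platform) for the every-boot question raised under Impact and for the user data review recommended above: it decodes the user data returned by describe-instance-attribute, labels its format, and reports whether it carries a directive that makes it run on every boot. The marker list and the sample responses are constructed; the regular expressions cover the cloud-init and Windows directives named in this advisory and nothing else.

```python
"""Triage the user data currently set on an instance: decode the output of
`aws ec2 describe-instance-attribute --instance-id <id> --attribute userData`
and report whether the script is configured to run on every boot."""
import base64
import gzip
import re

# Directives that make user data run on every boot instead of only the first
# boot of the instance. The first two are cloud-init (Linux); the third is the
# Windows launch agent. Extend this list for your own images (assumed set).
EVERY_BOOT_MARKERS = [
    (re.compile(r"^#cloud-boothook", re.M), "cloud-init #cloud-boothook header"),
    (re.compile(r"\[\s*scripts-user\s*,\s*always\s*\]"), "cloud-init scripts-user frequency set to always"),
    (re.compile(r"<persist>\s*true\s*</persist>", re.I), "EC2Launch/EC2Config <persist>true</persist>"),
]


def decode_user_data(b64):
    """User data is returned base64-encoded and may itself be gzip-compressed."""
    raw = base64.b64decode(b64)
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return raw.decode("utf-8", errors="replace")


def classify(text):
    """Rough format label; tells the analyst which interpreter will run it."""
    head = text.lstrip()[:64].lower()
    if head.startswith("#cloud-config"):
        return "cloud-config"
    if head.startswith("#cloud-boothook") or head.startswith("#!"):
        return "shell-script"
    if head.startswith("content-type: multipart"):
        return "mime-multipart"
    if "<powershell>" in text.lower() or "<script>" in text.lower():
        return "windows-script"
    return "unknown"


def triage(describe_output):
    """describe_output: parsed JSON from describe-instance-attribute."""
    b64 = (describe_output.get("UserData") or {}).get("Value")
    if not b64:
        return {"present": False, "format": None, "every_boot": False, "reasons": [], "text": ""}
    text = decode_user_data(b64)
    reasons = [why for pat, why in EVERY_BOOT_MARKERS if pat.search(text)]
    return {"present": True, "format": classify(text), "every_boot": bool(reasons),
            "reasons": reasons, "text": text}


def _describe(iid, text, compress=False):
    """Constructed describe-instance-attribute response (not from a real instance)."""
    raw = text.encode()
    if compress:
        raw = gzip.compress(raw)
    return {"InstanceId": iid, "UserData": {"Value": base64.b64encode(raw).decode()}}


SAMPLES = {
    # cloud-config forcing scripts-user to run on every boot; the command is a placeholder
    "every_boot_linux": _describe(
        "i-0aaa111122223333a",
        "#cloud-config\ncloud_final_modules:\n- [scripts-user, always]\nruncmd:\n- /opt/example/run.sh\n",
        compress=True),
    # ordinary bootstrap script: runs once, on the first boot only
    "first_boot_only": _describe("i-0bbb111122223333b", "#!/bin/bash\nyum update -y\n"),
    # Windows script marked persistent
    "every_boot_windows": _describe(
        "i-0ccc111122223333c",
        "<powershell>\nStart-Service example\n</powershell>\n<persist>true</persist>\n"),
    "empty": {"InstanceId": "i-0ddd111122223333d", "UserData": {}},
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        result = triage(out)
        print(name, result["format"], "every_boot=%s" % result["every_boot"], result["reasons"])
```

A user data value that is present, recently modified according to CloudTrail, and flagged every_boot is the combination worth escalating; a first-boot-only script that was modified while the instance was stopped is still suspicious, because it will run once on the next start.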

Detection coverage: 3 rules

Detect EC2 User Data Modification

medium

Detects modification of EC2 instance user data via the ModifyInstanceAttribute API call.

Format: Sigma. Tactic: defense_evasion. Technique: T1578 (Modify Cloud Compute Infrastructure). Log sources: cloudtrail, aws

Detect EC2 Instance Stop Followed by Start

low

Detects a StopInstances followed by a StartInstances for the same EC2 instance within a short timeframe. Ordinary maintenance produces the same pair, which is why this rule is low severity on its own; in this technique the restart is what causes the modified user data to execute.

Format: Sigma. Tactic: execution. Technique: T1059.009 (Command and Scripting Interpreter: Cloud API). Log sources: cloudtrail, aws

Detect AWS EC2 Stop, Start, and User Data Modification Correlation (Single Event)

medium

Matches any single CloudTrail event that is a StopInstances, a StartInstances, or a ModifyInstanceAttribute targeting userData. It is the per-event building block the correlation consumes and fires on routine activity by itself; use it to feed a correlation engine or for hunting, not as a standalone high-fidelity alert.

Format: Sigma. Tactics: defense_evasion, execution. Techniques: T1059.009 (Command and Scripting Interpreter: Cloud API), T1578 (Modify Cloud Compute Infrastructure). Log sources: cloudtrail, aws
