{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/amazon-sagemaker/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon SageMaker"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","sagemaker","persistence","execution","backdoor","credential-theft"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis threat involves the abuse of Amazon SageMaker notebook lifecycle configurations by attackers to establish persistence, steal credentials, or execute arbitrary code within an AWS environment. Lifecycle configurations, specifically their OnStart or OnCreate scripts, run with root privileges on SageMaker notebook instances. Attackers who have gained initial access to an AWS account and possess sufficient IAM permissions can inject malicious scripts, often base64 encoded to evade detection, into these configurations. Upon the start or creation of a SageMaker notebook instance linked to such a configuration, the script automatically executes, allowing the adversary to perform actions like setting up reverse shells, exfiltrating EC2 instance metadata credentials, creating new persistence mechanisms via \u003ccode\u003ecrontab\u003c/code\u003e or \u003ccode\u003eauthorized_keys\u003c/code\u003e, or deploying cryptominers. This activity is a strong indicator of post-compromise activity and a high-fidelity signal for an active implant attempt.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An attacker obtains valid AWS credentials for an account, possibly through phishing, exposed access keys, or compromise of another service.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery \u0026amp; Privilege Escalation\u003c/strong\u003e: The attacker identifies that the compromised credentials possess permissions to create or update Amazon SageMaker Notebook Lifecycle Configurations (e.g., \u003ccode\u003esagemaker:CreateNotebookInstanceLifecycleConfig\u003c/code\u003e, \u003ccode\u003esagemaker:UpdateNotebookInstanceLifecycleConfig\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Configuration Creation/Update\u003c/strong\u003e: The attacker uses these permissions to either create a new SageMaker notebook lifecycle configuration or modify an existing one.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eScript Injection\u003c/strong\u003e: A malicious shell script is injected into the \u003ccode\u003eOnStart\u003c/code\u003e or \u003ccode\u003eOnCreate\u003c/code\u003e section of the lifecycle configuration. This script often includes commands for reverse shells, credential exfiltration (e.g., from IMDS endpoint \u003ccode\u003e169.254.169.254\u003c/code\u003e), or persistence, and is frequently base64 encoded to obfuscate its content.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeployment\u003c/strong\u003e: The attacker then associates this malicious lifecycle configuration with a SageMaker notebook instance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution on Instance Start/Create\u003c/strong\u003e: When the affected SageMaker notebook instance is subsequently started or newly created, the injected \u003ccode\u003eOnStart\u003c/code\u003e or \u003ccode\u003eOnCreate\u003c/code\u003e script automatically executes with \u003ccode\u003eroot\u003c/code\u003e privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePost-Execution Activities\u003c/strong\u003e: The executed script performs its malicious payload, such as establishing a persistent reverse shell connection, gathering temporary AWS credentials from the EC2 Instance Metadata Service (IMDS), configuring cron jobs, modifying SSH \u003ccode\u003eauthorized_keys\u003c/code\u003e, or deploying cryptomining software.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The attacker gains persistent code execution capabilities, potentially exfiltrates sensitive AWS credentials, or further compromises the AWS environment, leading to data theft or resource abuse.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf this attack succeeds, the impact can be severe, leading to unauthorized access, data exfiltration, and resource abuse within the compromised AWS environment. Attackers gain \u003ccode\u003eroot\u003c/code\u003e access to SageMaker notebook instances, enabling them to steal sensitive data, pivot to other AWS services using compromised execution role credentials, or establish long-term persistence within the organization's cloud infrastructure. This can result in significant financial losses due to resource misuse (e.g., cryptomining), reputational damage, and regulatory penalties. The scope of victims could include any organization utilizing Amazon SageMaker that has an AWS account vulnerable to credential compromise or misconfigured IAM policies.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided ESQL detection logic (FROM logs-aws.cloudtrail-... \u003ccode\u003eRLIKE\u003c/code\u003e \u0026quot;.*(/dev/tcp/|/dev/udp/|bash -i|...\u0026quot;).\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eEsql_priv.aws_cloudtrail_lifecycle_script\u003c/code\u003e field for any suspicious patterns or decoded content when this rule alerts.\u003c/li\u003e\n\u003cli\u003eInvestigate the principal identified in \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and correlate with \u003ccode\u003esource.ip\u003c/code\u003e and \u003ccode\u003euser_agent.original\u003c/code\u003e to determine if the activity was from an expected location or user.\u003c/li\u003e\n\u003cli\u003eIf unauthorized, immediately remove the affected lifecycle configuration and stop any SageMaker notebook instances associated with it.\u003c/li\u003e\n\u003cli\u003eRotate the credentials for the notebook execution role and any IAM principal identified in \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e that performed the suspicious action.\u003c/li\u003e\n\u003cli\u003eImplement strong IAM policies to restrict \u003ccode\u003esagemaker:CreateNotebookInstanceLifecycleConfig\u003c/code\u003e and \u003ccode\u003esagemaker:UpdateNotebookInstanceLifecycleConfig\u003c/code\u003e permissions to only trusted administrators.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T15:40:50Z","date_published":"2026-07-03T15:40:50Z","id":"https://feed.craftedsignal.io/briefs/2026-07-aws-sagemaker-malicious-lifecycle-script/","summary":"This brief details how attackers can leverage compromised AWS credentials to inject malicious, base64-encoded scripts into Amazon SageMaker notebook lifecycle configurations, which then execute as root on notebook instances, enabling persistence, credential theft, or further compromise of the AWS environment.","title":"AWS SageMaker Notebook Lifecycle Configuration With Suspicious Script Content","url":"https://feed.craftedsignal.io/briefs/2026-07-aws-sagemaker-malicious-lifecycle-script/"}],"language":"en","title":"CraftedSignal Threat Feed - Amazon SageMaker","version":"https://jsonfeed.org/version/1.1"}