Product
high
advisory
Malicious Usage of AWS IMDS Credentials Outside of Expected Services
2 rules, 3 TTPs
Compromised EC2 instances may be leveraged to exfiltrate and misuse AWS Instance Metadata Service (IMDS) credentials to perform actions outside of the expected AWS Simple Systems Manager (SSM) service, indicating potential lateral movement or data exfiltration.
EC2
attack.privilege-escalation
attack.initial-access
attack.persistence
attack.stealth
attack.t1078
attack.t1078.002
high
advisory
AWS EC2 Stop, Start, and User Data Modification Correlation
3 rules, 2 TTPs
Detection of a sequence of AWS EC2 management API calls indicative of malicious modification of instance user data to execute arbitrary code upon instance restart, potentially leading to privilege escalation and persistence.
EC2
aws
user-data
privilege-escalation
persistence
execution
high
advisory
AWS EC2 Instance Profile Associated with Running Instance
2 rules, 2 TTPs
An attacker may escalate privileges by associating a compromised EC2 instance with a more privileged IAM instance profile.
EC2 +1
aws
privilege-escalation
lateral-movement