Tag

Ec2

5 briefs RSS

AWS EC2 Role GetCallerIdentity from New Source AS Organization

The rule detects when an EC2 instance role session calls AWS STS GetCallerIdentity from a new source autonomous system (AS) organization name, indicating potential credential theft and verification from outside expected egress paths.

Amazon Web Services cloud aws getcalleridentity ec2 discovery

2r 1t 3d ago

medium advisory

AWS EC2 LOLBin Execution via SSM SendCommand

2 rules 2 TTPs

Detection of Living Off the Land Binaries (LOLBins) or GTFOBins execution on EC2 instances via AWS Systems Manager (SSM) SendCommand API, potentially indicating malicious activity.

aws ec2 ssm lolbin execution cloud

2r 2t 3w ago

medium advisory

Suspicious AWS EC2 Key Pair Import Activity

2 rules 1 TTP

The import of SSH key pairs into AWS EC2, as detected by CloudTrail logs, may indicate unauthorized access attempts, persistence establishment, or privilege escalation by an attacker.

Elastic Compute Cloud aws cloudtrail ec2 keypair initial-access persistence privilege-escalation

2r 1t Dec 19, 2024

medium advisory

Suspicious AWS EC2 Key Pair Creation from Non-Cloud AS

2 rules 3 TTPs

An AWS EC2 CreateKeyPair event triggered by a new principal originating from a network autonomous system (AS) organization not associated with major cloud providers, indicating potential unauthorized access or persistence activity.

Amazon EC2 aws ec2 keypair persistence credential_access lateral_movement

2r 3t Jan 3, 2024

high advisory

AWS EC2 Stop, Start, and User Data Modification Correlation

3 rules 2 TTPs

Detection of a sequence of AWS EC2 management API calls indicative of malicious modification of instance user data to execute arbitrary code upon instance restart, potentially leading to privilege escalation and persistence.

EC2 aws user-data privilege-escalation persistence execution

3r 2t Jan 3, 2024