Ec2 — CraftedSignal Threat Feed

AWS EC2 Role GetCallerIdentity from New Source AS Organization

hello@craftedsignal.io — Fri, 01 May 2026 20:57:28 +0000

This detection identifies when an EC2 instance role session calls the AWS STS GetCallerIdentity API from a source Autonomous System (AS) Organization name that has not been previously observed. The GetCallerIdentity API is often used by adversaries to validate stolen instance role credentials from infrastructure outside the victim’s normal egress points. By baselining the combination of identity and source network, the rule reduces noise associated with stable NAT or AWS-classified egress, focusing on truly novel access patterns. This detection is specifically designed to complement other rules that may detect general GetCallerIdentity calls, by excluding previously seen combinations of user identity and source AS organization.

Attack Chain

An attacker gains unauthorized access to an EC2 instance through methods like exploiting a Server-Side Request Forgery (SSRF) vulnerability, compromising application code or exploiting IMDS abuse.
The attacker leverages the instance’s IAM role to obtain temporary AWS credentials.
The attacker attempts to validate the stolen credentials using the GetCallerIdentity API call.
The GetCallerIdentity API call originates from an IP address associated with a new and unexpected Autonomous System Organization (ASO).
The AWS CloudTrail logs record the GetCallerIdentity event, including the user identity ARN and the source AS organization name.
The detection rule triggers due to the new combination of user identity and source AS organization.
The attacker uses the validated credentials to perform reconnaissance and identify valuable resources within the AWS environment (e.g., S3 buckets, databases).
The attacker attempts to exfiltrate sensitive data or deploy malicious workloads using the stolen credentials.

Impact

A successful attack can lead to unauthorized access to sensitive data stored within the AWS environment. The attacker may be able to escalate privileges, compromise other resources, and disrupt services. The potential impact includes data breaches, financial loss, and reputational damage. The lack of specific victim counts or sectors targeted suggests a broad applicability across various AWS users.

Recommendation

Deploy the Sigma rule “AWS EC2 Role GetCallerIdentity from New Source AS Organization” to your SIEM to detect suspicious activity.
Investigate alerts triggered by the Sigma rule, focusing on the aws.cloudtrail.user_identity.arn and source.as.organization.name fields.
Monitor AWS CloudTrail logs for GetCallerIdentity API calls, particularly those originating from unfamiliar source IP addresses and ASNs.
Revoke compromised IAM role sessions by stopping the affected EC2 instances or removing the role from the instance profile.
Rotate any long-lived secrets accessible by the EC2 instance, based on the aws.cloudtrail.user_identity.access_key_id.

AWS EC2 LOLBin Execution via SSM SendCommand

hello@craftedsignal.io — Fri, 10 Apr 2026 16:27:52 +0000

This threat brief focuses on detecting the execution of Living Off the Land Binaries (LOLBins) or GTFOBins on Amazon EC2 instances via AWS Systems Manager (SSM) SendCommand API. The technique involves correlating AWS CloudTrail SendCommand events with endpoint process execution by matching SSM command IDs. While AWS redacts command parameters in CloudTrail logs, this correlation technique reveals the actual commands executed on EC2 instances. This is critical because adversaries may abuse SSM to execute malicious commands remotely without requiring SSH or RDP access. They can leverage legitimate system utilities for various malicious purposes, including data exfiltration, establishing reverse shells, or facilitating lateral movement within the cloud environment. The rule was last updated on 2026-04-10.

Attack Chain

An attacker gains initial access to AWS via compromised credentials or an exposed IAM role.
The attacker uses the AWS CLI or API to initiate an SSM SendCommand to a target EC2 instance. The DocumentName parameter is set to AWS-RunShellScript.
The SSM agent on the EC2 instance receives the SendCommand request.
The SSM agent executes a shell script (_script.sh) within a dedicated directory for orchestration.
The shell script executes a LOLBin, such as curl, wget, python, or perl, to perform malicious actions. The parent process of the LOLBin will be the SSM shell script.
The LOLBin is used to download a malicious payload, establish a reverse shell, or exfiltrate data.
The attacker uses the established reverse shell to perform further actions on the EC2 instance.

Impact

Successful exploitation can lead to unauthorized access to EC2 instances, data exfiltration, deployment of malware, and lateral movement within the AWS environment. Although a number of impacted organizations is not available, this attack is able to bypass traditional network security controls. Organizations in any sector utilizing AWS EC2 instances and SSM are potentially at risk. The lack of required SSH or RDP access makes this technique particularly stealthy.

Recommendation

Enable AWS CloudTrail logging to capture SendCommand events and monitor for AWS-RunShellScript in the request_parameters.
Deploy the Sigma rule “Detect AWS EC2 LOLBin Execution via SSM SendCommand” to your SIEM and tune for your environment.
Monitor endpoint process execution logs for the execution of LOLBins like curl, wget, python, perl, nc, etc., with parent processes related to SSM.
Implement strict IAM policies to restrict SSM SendCommand permissions to only authorized users and roles.
Review and audit existing SSM configurations to identify and remediate any overly permissive settings.

Suspicious AWS EC2 Key Pair Import Activity

hello@craftedsignal.io — Thu, 19 Dec 2024 00:00:00 +0000

The unauthorized import of SSH key pairs into Amazon Elastic Compute Cloud (EC2) is a technique that malicious actors can leverage to gain unauthorized access to EC2 instances. By importing their own key pairs, attackers can bypass existing security measures and gain persistent access to compromised systems. This activity is often part of a broader attack campaign aimed at compromising sensitive data, disrupting services, or establishing a foothold within an organization’s cloud infrastructure. The initial publication of the detection rule was in December 2024, highlighting the ongoing relevance of this technique in cloud security. Monitoring for this activity can help defenders identify and respond to potential security breaches in a timely manner.

Attack Chain

An attacker gains initial access to an AWS account, potentially through compromised credentials or exploiting a misconfigured IAM role.
The attacker attempts to enumerate existing EC2 instances to identify potential targets.
The attacker generates or obtains an SSH key pair, which they intend to use for unauthorized access.
The attacker uses the ImportKeyPair API call within the EC2 service to import the generated or obtained SSH key pair.
The attacker modifies the EC2 instance’s configuration to associate the newly imported key pair with the instance. This might involve stopping and restarting the instance.
The attacker uses the imported SSH key pair to gain SSH access to the EC2 instance.
Once inside the instance, the attacker attempts to escalate privileges and move laterally within the AWS environment.
The attacker exfiltrates sensitive data, deploys malware, or disrupts critical services.

Impact

A successful key pair import can lead to complete compromise of the affected EC2 instances, potentially impacting dozens of servers depending on the environment. Sensitive data stored on or accessible from these instances could be exfiltrated, leading to financial loss, reputational damage, and regulatory fines. Furthermore, compromised instances can be used as a launchpad for further attacks within the AWS environment, leading to a wider breach. The financial impact can range from tens of thousands to millions of dollars, depending on the scale of the breach and the sensitivity of the data compromised.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect ImportKeyPair events in CloudTrail logs (logsource: aws, service: cloudtrail).
Review IAM policies to ensure that only authorized users and roles have the necessary permissions to import key pairs (eventSource: ’ec2.amazonaws.com’, eventName: ‘ImportKeyPair’).
Investigate any detected ImportKeyPair events, validating the user identity, user agent, and source IP address to ensure they are expected (detection block).
Implement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise.

Suspicious AWS EC2 Key Pair Creation from Non-Cloud AS

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This alert identifies suspicious activity related to the creation of EC2 key pairs within an AWS environment. Specifically, it focuses on instances where a new IAM principal (user) creates an EC2 key pair from a network source (IP address) whose autonomous system organization is not commonly associated with major cloud providers like Amazon, Google, or Microsoft. Adversaries often create key pairs for persistence or to enable unauthorized access to EC2 instances, potentially leading to data exfiltration or further malicious activities. The rule uses a new terms approach to baseline user activity, reducing noise from repeated actions while still flagging the initial suspicious key pair creation. This activity is flagged as suspicious due to originating from outside trusted ASNs.

Attack Chain

An attacker gains initial access to an AWS account, potentially through compromised credentials or a misconfigured IAM role.
The attacker attempts to enumerate existing EC2 instances and associated key pairs.
The attacker uses the CreateKeyPair API call to generate a new SSH key pair within the AWS account. The request originates from a network with an autonomous system organization not attributed to common cloud providers.
The attacker stores the private key material for later use in accessing EC2 instances.
The attacker may then use the new key pair to launch new EC2 instances or import the key to existing instances. This can be done through RunInstances or ImportKeyPair operations.
The attacker uses the new key pair to SSH into the newly created or compromised EC2 instances.
Once inside the instances, the attacker performs malicious activities, such as data exfiltration, lateral movement, or installing malware.

Impact

Successful exploitation can lead to unauthorized access to EC2 instances, potentially compromising sensitive data and disrupting services. A compromised AWS account can allow the attacker to steal data, establish persistence, and move laterally within the cloud environment. The lack of expected cloud provider ASN for the source IP of the CreateKeyPair event raises the risk profile.

Recommendation

Deploy the Sigma rule “AWS EC2 CreateKeyPair from Non-Cloud AS Organization” to your SIEM and tune the source.as.organization.name exclusions based on your environment.
Review AWS CloudTrail logs for any CreateKeyPair events and correlate with other suspicious activity, as mentioned in the investigation steps in this brief.
Implement stricter IAM policies to limit the ability to create key pairs to only authorized users and roles.
Monitor for RunInstances or ImportKeyPair events using the newly created key names as identified from aws.cloudtrail.request_parameters / response_elements.
Enable and review AWS Config rules to detect and remediate misconfigurations related to IAM and EC2 key pair management.

AWS EC2 Stop, Start, and User Data Modification Correlation

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection identifies a specific sequence of AWS EC2 API calls suggesting malicious intent. An adversary may update the userData attribute of an EC2 instance and then restart the instance to execute malicious scripts with elevated privileges (root on Linux, SYSTEM on Windows). The technique involves modifying instance attributes to inject malicious code or scripts, followed by stopping and starting the instance to trigger execution of the modified user data. This can lead to privilege escalation, persistence, or other malicious activities within the AWS environment. The detection focuses on the correlation of StopInstances, StartInstances, and ModifyInstanceAttribute events that reference userData within a 5-minute window. The rule groups these events by instance ID, username, account ID, source IP, and user agent, triggering an alert only when all three distinct API calls are observed within the same group. This aims to reduce false positives by requiring the complete sequence of actions associated with this technique.

Attack Chain

An attacker gains initial access to an AWS account with sufficient permissions to manage EC2 instances (e.g., via compromised credentials or an IAM role).
The attacker identifies a target EC2 instance.
The attacker uses the ModifyInstanceAttribute API call to update the userData attribute of the target instance, injecting malicious code or scripts.
The attacker uses the StopInstances API call to stop the target EC2 instance.
The attacker uses the StartInstances API call to start the target EC2 instance.
Upon instance start, the modified userData script executes with elevated privileges, potentially installing malware, establishing persistence, or performing other malicious actions.
The attacker may use the compromised instance to further explore the AWS environment, escalate privileges, or exfiltrate data.

Impact

Successful exploitation can lead to unauthorized code execution within the AWS environment. Attackers can gain elevated privileges on the compromised EC2 instance, potentially leading to full control of the instance and the ability to access sensitive data or resources within the AWS account. This can result in data breaches, service disruptions, and financial losses. The modification of user data allows for persistent malicious code execution each time the instance restarts.

Recommendation

Deploy the following Sigma rules to your SIEM to detect the described attack pattern, and tune them to your environment.
Review CloudTrail logs for ModifyInstanceAttribute events with userData to identify potentially malicious modifications.
Monitor EC2 instance state transitions (stop/start) in conjunction with user data modifications.
Implement least privilege IAM policies to restrict access to EC2 management APIs.
Use AWS Secrets Manager or Parameter Store to manage secrets instead of embedding them in userData.
Investigate any alerts generated by the Sigma rules and correlate them with other security events.