{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/user-data/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["EC2"],"_cs_severities":["high"],"_cs_tags":["aws","ec2","user-data","privilege-escalation","persistence","execution"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis detection identifies a specific sequence of AWS EC2 API calls suggesting malicious intent. An adversary may update the \u003ccode\u003euserData\u003c/code\u003e attribute of an EC2 instance and then restart the instance to execute malicious scripts with elevated privileges (root on Linux, SYSTEM on Windows). The technique involves modifying instance attributes to inject malicious code or scripts, followed by stopping and starting the instance to trigger execution of the modified user data. This can lead to privilege escalation, persistence, or other malicious activities within the AWS environment. The detection focuses on the correlation of \u003ccode\u003eStopInstances\u003c/code\u003e, \u003ccode\u003eStartInstances\u003c/code\u003e, and \u003ccode\u003eModifyInstanceAttribute\u003c/code\u003e events that reference \u003ccode\u003euserData\u003c/code\u003e within a 5-minute window. The rule groups these events by instance ID, username, account ID, source IP, and user agent, triggering an alert only when all three distinct API calls are observed within the same group. This aims to reduce false positives by requiring the complete sequence of actions associated with this technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account with sufficient permissions to manage EC2 instances (e.g., via compromised credentials or an IAM role).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target EC2 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eModifyInstanceAttribute\u003c/code\u003e API call to update the \u003ccode\u003euserData\u003c/code\u003e attribute of the target instance, injecting malicious code or scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eStopInstances\u003c/code\u003e API call to stop the target EC2 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eStartInstances\u003c/code\u003e API call to start the target EC2 instance.\u003c/li\u003e\n\u003cli\u003eUpon instance start, the modified \u003ccode\u003euserData\u003c/code\u003e script executes with elevated privileges, potentially installing malware, establishing persistence, or performing other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the compromised instance to further explore the AWS environment, escalate privileges, or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized code execution within the AWS environment. Attackers can gain elevated privileges on the compromised EC2 instance, potentially leading to full control of the instance and the ability to access sensitive data or resources within the AWS account. This can result in data breaches, service disruptions, and financial losses. The modification of user data allows for persistent malicious code execution each time the instance restarts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rules to your SIEM to detect the described attack pattern, and tune them to your environment.\u003c/li\u003e\n\u003cli\u003eReview CloudTrail logs for \u003ccode\u003eModifyInstanceAttribute\u003c/code\u003e events with \u003ccode\u003euserData\u003c/code\u003e to identify potentially malicious modifications.\u003c/li\u003e\n\u003cli\u003eMonitor EC2 instance state transitions (stop/start) in conjunction with user data modifications.\u003c/li\u003e\n\u003cli\u003eImplement least privilege IAM policies to restrict access to EC2 management APIs.\u003c/li\u003e\n\u003cli\u003eUse AWS Secrets Manager or Parameter Store to manage secrets instead of embedding them in \u003ccode\u003euserData\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules and correlate them with other security events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-aws-ec2-user-data-modification/","summary":"Detection of a sequence of AWS EC2 management API calls indicative of malicious modification of instance user data to execute arbitrary code upon instance restart, potentially leading to privilege escalation and persistence.","title":"AWS EC2 Stop, Start, and User Data Modification Correlation","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-ec2-user-data-modification/"}],"language":"en","title":"CraftedSignal Threat Feed — User-Data","version":"https://jsonfeed.org/version/1.1"}