{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/userdata/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["EC2","IAM"],"_cs_severities":["medium"],"_cs_tags":["aws","cloudtrail","ec2","userdata","discovery","credential-access"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection identifies attempts to retrieve EC2 instance user data within AWS environments. The rule specifically focuses on the \u003ccode\u003eDescribeInstanceAttribute\u003c/code\u003e API call, used to query the \u003ccode\u003euserData\u003c/code\u003e attribute of an EC2 instance. This attribute, intended for instance initialization scripts, may inadvertently contain sensitive information such as hardcoded credentials, API keys, or other configuration details. An adversary gaining access to this information could leverage it for lateral movement, privilege escalation, or data exfiltration. The rule uses AWS CloudTrail logs to monitor for this specific API call and aims to detect unusual or unauthorized access to EC2 instance user data. The rule is designed to trigger the first time an IAM user or role requests the user data for a specific EC2 instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, possibly through compromised credentials or a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to discover EC2 instances within the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eDescribeInstanceAttribute\u003c/code\u003e API call with the \u003ccode\u003euserData\u003c/code\u003e attribute specified.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the user data from the API response.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the user data for sensitive information like hardcoded credentials, API keys, or configuration details.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the discovered credentials or configuration to gain access to other AWS resources or services.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges by assuming roles or creating new IAM users with elevated permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or disrupts services within the AWS environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to the exposure of sensitive data, including credentials and API keys, potentially granting unauthorized access to critical AWS resources and services. This could result in data breaches, service disruption, and financial loss. The impact extends to any application or service relying on the exposed credentials. The number of affected instances depends on the scope of the attacker's access and the sensitivity of the data stored within the \u003ccode\u003euserData\u003c/code\u003e attribute.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to your SIEM to detect unauthorized attempts to retrieve EC2 user data.\u003c/li\u003e\n\u003cli\u003eReview IAM policies and restrict access to the \u003ccode\u003eDescribeInstanceAttribute\u003c/code\u003e API call to only authorized users and roles.\u003c/li\u003e\n\u003cli\u003eAvoid storing sensitive information directly in EC2 user data; instead, use AWS Secrets Manager or Parameter Store.\u003c/li\u003e\n\u003cli\u003eEnable multi-factor authentication (MFA) for all IAM users to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for suspicious API activity, including unusual patterns of \u003ccode\u003eDescribeInstanceAttribute\u003c/code\u003e calls.\u003c/li\u003e\n\u003cli\u003eImplement the recommendations in the \u0026quot;Response and Remediation\u0026quot; section of the provided documentation for handling detected instances.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-14T00:00:00Z","date_published":"2024-04-14T00:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-04-aws-ec2-user-data-retrieval/","summary":"Detection of the AWS EC2 DescribeInstanceAttribute API call to retrieve the userData attribute, potentially exposing sensitive information like credentials or configuration details.","title":"AWS EC2 User Data Retrieval for EC2 Instance","url":"https://feed.craftedsignal.io/briefs/2024-04-aws-ec2-user-data-retrieval/"}],"language":"en","title":"CraftedSignal Threat Feed - Userdata","version":"https://jsonfeed.org/version/1.1"}