Retrieve EC2 Password Data
idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Credential Access
Description
Runs ec2:GetPasswordData from a role that does not have permission to do so. This simulates an attacker attempting to retrieve the RDP (local Administrator) passwords of a large number of Windows EC2 instances. GetPasswordData returns the instance's initial Administrator password, encrypted with the public key of the key pair chosen at launch; an attacker who also holds the matching private key can decrypt it and log in over RDP. Because the role used here lacks the permission, every call is denied, but each denied call is still recorded in CloudTrail, which is what the detection below relies on.
See https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html
Warm-up:
- Create an IAM role without permissions to run ec2:GetPasswordData
Detonation:
- Assume the role
- Run a number of ec2:GetPasswordData calls (which will be denied) using fictitious instance IDs
Instructions
Detection
Identify principals making a large number of ec2:GetPasswordData calls, using CloudTrail's GetPasswordData event (eventSource ec2.amazonaws.com, eventName GetPasswordData, target instance in requestParameters.instanceId). Denied calls are logged too, with an errorCode set, so count failures as well as successes: one principal querying many distinct instance IDs in a short window is a strong signal, since legitimate use is typically a single call per newly launched instance. If the principal did have the permission, the fictitious instance IDs used in this detonation would fail with a different error code rather than an authorization error, so do not filter on one specific errorCode value.
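The detection described above, run over constructed sample CloudTrail records, as an added example that is not part of the original page or of the project it documents. The CloudTrail field names (eventSource, eventName, userIdentity.arn, requestParameters.instanceId, errorCode) are the real ones; the sample events, the principal ARNs, the threshold of 5 distinct instances and the 10-minute window are assumptions to tune against your own baseline.

```python
"""Flag principals issuing bursts of ec2:GetPasswordData calls in CloudTrail.

Added example (not the page's or the project's own code). Field names are real
CloudTrail fields; the sample events, ARNs and thresholds below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed thresholds: more than THRESHOLD distinct instance IDs queried by one
# principal within WINDOW is flagged. Tune against normal admin usage.
THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed principal ARNs for the sample log.
ATTACKER = "arn:aws:sts::123456789012:assumed-role/no-permissions-role/attacker-session"
ADMIN = "arn:aws:sts::123456789012:assumed-role/Admin/alice"


def _event(ts, arn, instance_id, error_code=None):
    """Build a minimal CloudTrail record for one GetPasswordData call (constructed)."""
    rec = {
        "eventVersion": "1.08",
        "eventTime": ts,
        "eventSource": "ec2.amazonaws.com",
        "eventName": "GetPasswordData",
        "userIdentity": {"type": "AssumedRole", "arn": arn},
        "requestParameters": {"instanceId": instance_id},
    }
    if error_code:
        # Denied calls are still recorded; EC2 reports them with this error code.
        rec["errorCode"] = error_code
        rec["errorMessage"] = "You are not authorized to perform this operation."
    return rec


# Constructed sample log: 8 denied calls against fictitious instance IDs from the
# unprivileged role within a few seconds, plus one legitimate call by an admin.
SAMPLE_EVENTS = [
    _event(f"2024-01-01T10:00:{i:02d}Z", ATTACKER, f"i-{i:017x}", "Client.UnauthorizedOperation")
    for i in range(8)
] + [_event("2024-01-01T10:05:00Z", ADMIN, "i-0abc1234def567890")]


def load_records(path):
    """Read a CloudTrail log file ({"Records": [...]}) from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["Records"]


def detect_bulk_get_password_data(events, threshold=THRESHOLD, window=WINDOW):
    """Return {principal_arn: finding} for every principal that called
    GetPasswordData on more than `threshold` distinct instance IDs inside any
    sliding `window`. Failed (denied) calls count the same as successful ones."""
    per_principal = defaultdict(list)
    for e in events:
        if e.get("eventSource") != "ec2.amazonaws.com" or e.get("eventName") != "GetPasswordData":
            continue
        ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        arn = e.get("userIdentity", {}).get("arn", "<unknown>")
        inst = e.get("requestParameters", {}).get("instanceId")
        per_principal[arn].append((ts, inst, e.get("errorCode")))

    findings = {}
    for arn, calls in per_principal.items():
        calls.sort(key=lambda c: c[0])
        best = None
        start = 0
        for end in range(len(calls)):
            # Slide the window start forward until it covers at most `window`.
            while calls[end][0] - calls[start][0] > window:
                start += 1
            span = calls[start:end + 1]
            distinct = {c[1] for c in span}
            if len(distinct) > threshold and (best is None or len(distinct) > best["distinct_instances"]):
                best = {
                    "calls": len(span),
                    "distinct_instances": len(distinct),
                    "denied": sum(1 for c in span if c[2]),
                    "first": span[0][0].isoformat(),
                    "last": span[-1][0].isoformat(),
                }
        if best:
            findings[arn] = best
    return findings


if __name__ == "__main__":
    # Usage: python detect.py            (runs against the constructed sample)
    #        load_records("trail.json")   to feed a real CloudTrail export instead
    print(json.dumps(detect_bulk_get_password_data(SAMPLE_EVENTS), indent=2))
```

Only the attacker principal is reported: eight distinct instance IDs in eight seconds, all denied. The administrator's single successful call stays below the threshold, which is the behaviour you want, since GetPasswordData is normally called once per freshly launched Windows instance.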