Steal EC2 Instance Credentials

slow idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Credential Access

Description

Simulates the theft of EC2 instance credentials from the Instance Metadata Service.

Warm-up:

  • Create the prerequisite EC2 instance and VPC (takes a few minutes).

Detonation:

  • Execute an SSM command on the instance to retrieve temporary credentials.
  • Use these credentials locally (outside the instance) to run the following commands:
    • sts:GetCallerIdentity
    • ec2:DescribeInstances

Instructions

Detonate with Stratus Red Team
stratus detonate aws.credential-access.ec2-steal-instance-credentials

Detection

GuardDuty provides two findings to identify stolen EC2 instance credentials.

See also: Known detection bypasses.
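
One way to look for the off-instance use described under Detonation, as an added example that is not part of Stratus Red Team or GuardDuty: it scans CloudTrail-shaped records for instance-role sessions (session name equal to an instance ID) that call AWS from an IP not belonging to that instance. The IP inventory, account ID, role name and events are constructed sample data.

```python
import ipaddress
import re

# An EC2 instance role session is named after the instance ID.
INSTANCE_ARN = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/[^/]+/(i-[0-9a-f]{8,17})$")

# Constructed inventory (assumption): IPs each instance legitimately calls AWS from.
KNOWN_IPS = {"i-0123456789abcdef0": {"10.0.1.25", "198.51.100.7"}}

def _event(id_type, arn, source, name, ip):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"userIdentity": {"type": id_type, "arn": arn},
            "eventSource": source, "eventName": name, "sourceIPAddress": ip}

ROLE = "arn:aws:sts::123456789012:assumed-role/example-role/i-0123456789abcdef0"
SAMPLE_EVENTS = [
    _event("AssumedRole", ROLE, "ssm.amazonaws.com", "UpdateInstanceInformation", "198.51.100.7"),
    _event("AssumedRole", ROLE, "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.50"),
    _event("AssumedRole", ROLE, "ec2.amazonaws.com", "DescribeInstances", "203.0.113.50"),
    _event("AssumedRole", ROLE, "s3.amazonaws.com", "GetObject", "ec2.amazonaws.com"),
    _event("IAMUser", "arn:aws:iam::123456789012:user/alice", "ec2.amazonaws.com",
           "DescribeInstances", "203.0.113.50"),
]

def instance_id_of(event):
    """Return the instance ID if the caller is an EC2 instance role session, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    match = INSTANCE_ARN.match(ident.get("arn", ""))
    return match.group(1) if match else None

def find_off_instance_use(events, known_ips):
    """List (instance, source, action, ip) for instance credentials used from an unknown IP."""
    findings = []
    for ev in events:
        iid = instance_id_of(ev)
        if iid is None:
            continue
        try:
            src = str(ipaddress.ip_address(ev.get("sourceIPAddress", "")))
        except ValueError:
            continue  # AWS service acting on the role's behalf (DNS name, not an IP)
        if src not in known_ips.get(iid, set()):  # instances missing from inventory are flagged
            findings.append((iid, ev["eventSource"], ev["eventName"], src))
    return findings

if __name__ == "__main__":
    for finding in find_off_instance_use(SAMPLE_EVENTS, KNOWN_IPS):
        print(finding)
```

The inventory has to include NAT gateway and Elastic IP addresses the instance egresses through, otherwise legitimate calls are flagged.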