Steal EC2 Instance Credentials
MITRE ATT&CK Tactics
- Credential Access
Simulates the theft of EC2 instance credentials from the Instance Metadata Service.
- Create the prerequisite EC2 instance and VPC (takes a few minutes).
- Execute an SSM command on the instance to retrieve temporary credentials.
- Use these credentials locally (outside the instance) to run the following commands:
GuardDuty provides two findings to identify stolen EC2 instance credentials.
- InstanceCredentialExfiltration.OutsideAWS identifies EC2 instance credentials used from outside an AWS account.
- InstanceCredentialExfiltration.InsideAWS identifies EC2 instance credentials used from an AWS account other than the one that owns the EC2 instance.
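The same idea can be approximated directly on CloudTrail records. The following is an added example, not part of the original page and not GuardDuty's own logic: it flags API calls made with an instance role session from an address that is not recorded for that instance. The `instance_ips` inventory, the helper names and all sample events are assumptions constructed for illustration.

```python
import ipaddress
import re

# Instance-profile role sessions are named after the instance ID, so the ID is
# the last component of userIdentity.arn in CloudTrail.
INSTANCE_SESSION = re.compile(r":assumed-role/[^/]+/(i-[0-9a-f]{8,17})$")

def off_instance_calls(events, instance_ips):
    """Return (instance_id, source_ip, event_name) for API calls made with an
    instance's credentials from an address not recorded for that instance.
    instance_ips is an assumed inventory: {instance_id: {ip, ...}}."""
    flagged = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        match = INSTANCE_SESSION.search(ident.get("arn", ""))
        if not match:
            continue  # role session that does not belong to an EC2 instance
        src = ev.get("sourceIPAddress", "")
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue  # a service name here means an AWS service made the call
        if src not in instance_ips.get(match.group(1), set()):
            flagged.append((match.group(1), src, ev.get("eventName")))
    return flagged

def _event(id_type, arn, src, name):
    # Builds a minimal CloudTrail-shaped record with only the fields used above.
    return {"userIdentity": {"type": id_type, "arn": arn},
            "sourceIPAddress": src, "eventName": name}

# Constructed sample data (documentation address ranges, made-up IDs).
ROLE = "arn:aws:sts::123456789012:assumed-role/sample-role/"
KNOWN_IPS = {"i-0abc1234def567890": {"198.51.100.10", "10.0.1.25"}}
SAMPLE_EVENTS = [
    _event("AssumedRole", ROLE + "i-0abc1234def567890", "198.51.100.10", "DescribeInstances"),
    _event("AssumedRole", ROLE + "i-0abc1234def567890", "203.0.113.77", "GetCallerIdentity"),
    _event("AssumedRole", ROLE + "i-0abc1234def567890", "ssm.amazonaws.com", "UpdateInstanceInformation"),
    _event("AssumedRole", ROLE + "alice", "203.0.113.77", "ListBuckets"),
    _event("IAMUser", "arn:aws:iam::123456789012:user/bob", "203.0.113.77", "ListBuckets"),
]

if __name__ == "__main__":
    for hit in off_instance_calls(SAMPLE_EVENTS, KNOWN_IPS):
        print(hit)
```

Traffic that leaves through a NAT gateway or other shared egress appears under that address, so the inventory needs to include those addresses to avoid false positives.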
See also: Known detection bypasses.