Download EC2 Instance User Data

idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Discovery

Description

Runs ec2:DescribeInstanceAttribute on several instances. This simulates an attacker attempting to retrieve Instance User Data that may include installation scripts and hard-coded secrets for deployment.

See:

Warm-up:

  • Create an IAM role without permissions to run ec2:DescribeInstanceAttribute

Detonation:

  • Run ec2:DescribeInstanceAttribute on multiple fictitious instance IDs
  • These calls will result in access denied errors

Instructions

Detonate with Stratus Red Team
stratus detonate aws.discovery.ec2-download-user-data

Detection

Through CloudTrail's DescribeInstanceAttribute event. Because the detonation uses a role without permission and fictitious instance IDs, the resulting events carry an access-denied error, and a burst of such events for many distinct instances from a single principal is the signal to look for.
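As an added illustration of that detection logic (example code written for this page, not part of Stratus Red Team), the block below runs a simple rule over a few constructed CloudTrail records: it keeps only ec2.amazonaws.com DescribeInstanceAttribute events whose requested attribute is userData, groups them by the calling principal's ARN, and reports principals that touched at least a threshold number of distinct instance IDs, along with how many of their calls were denied. The record shape (requestParameters.instanceId / attribute, userIdentity.arn, errorCode) follows the CloudTrail format as understood here; the account ID, role names, instance IDs and the Client.UnauthorizedOperation error code are constructed sample values, not data from the page.

```python
import json
from collections import defaultdict

# Constructed sample principals (not real identities).
ATTACKER_ARN = "arn:aws:sts::123456789012:assumed-role/stratus-role/session"
ADMIN_ARN = "arn:aws:iam::123456789012:user/ops-admin"

# Constructed CloudTrail records: five denied userData reads across five
# fictitious instances by one principal, plus two benign calls by an admin.
SAMPLE_EVENTS = [
    json.dumps({
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstanceAttribute",
        "userIdentity": {"arn": ATTACKER_ARN},
        "requestParameters": {"instanceId": f"i-0abc00000000000{i}", "attribute": "userData"},
        "errorCode": "Client.UnauthorizedOperation",  # assumed EC2 access-denied code
    })
    for i in range(5)
] + [
    json.dumps({  # a legitimate single userData read that succeeds
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstanceAttribute",
        "userIdentity": {"arn": ADMIN_ARN},
        "requestParameters": {"instanceId": "i-0def000000000001", "attribute": "userData"},
    }),
    json.dumps({  # a different attribute, which the rule must ignore
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstanceAttribute",
        "userIdentity": {"arn": ADMIN_ARN},
        "requestParameters": {"instanceId": "i-0def000000000002", "attribute": "instanceType"},
    }),
]


def parse_events(lines):
    """Parse one JSON CloudTrail record per line, skipping malformed lines."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_user_data_enumeration(events, min_instances=3):
    """Return {principal_arn: {"instances": set, "denied": int}} for principals
    that requested the userData attribute of at least min_instances distinct
    instances. 'denied' counts how many of those calls carried an errorCode."""
    per_principal = defaultdict(lambda: {"instances": set(), "denied": 0})
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        if ev.get("eventName") != "DescribeInstanceAttribute":
            continue
        params = ev.get("requestParameters") or {}
        if params.get("attribute") != "userData":
            continue
        arn = (ev.get("userIdentity") or {}).get("arn", "unknown")
        record = per_principal[arn]
        record["instances"].add(params.get("instanceId"))
        if ev.get("errorCode"):
            record["denied"] += 1
    return {arn: r for arn, r in per_principal.items() if len(r["instances"]) >= min_instances}


if __name__ == "__main__":
    for arn, hit in find_user_data_enumeration(parse_events(SAMPLE_EVENTS)).items():
        print(f"{arn}: {len(hit['instances'])} instances, {hit['denied']} denied")
```

The threshold keeps a single legitimate userData read (for example an operator debugging one host) out of the results, while the denied count distinguishes the probing described in this technique, where the role has no permission, from an over-privileged automation job that reads user data successfully. In a real deployment the same grouping would be applied per time window rather than over the whole log.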

See: