
Execute Discovery Commands on an EC2 Instance

slow idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Discovery

Description

Runs several discovery commands on an EC2 instance:

  • sts:GetCallerIdentity
  • s3:ListBuckets
  • iam:GetAccountSummary
  • iam:ListRoles
  • iam:ListUsers
  • iam:GetAccountAuthorizationDetails
  • ec2:DescribeSnapshots
  • cloudtrail:DescribeTrails
  • guardduty:ListDetectors

The commands are run under the identity of the EC2 instance role, simulating an attacker who has compromised an EC2 instance and uses its instance-role credentials to enumerate the account.

Warm-up:

  • Create the prerequisite EC2 instance and VPC (takes a few minutes).

Detonation:

  • Run the discovery commands on the instance over AWS Systems Manager (SSM). The commands run under the identity of the EC2 instance role.

Instructions

Detonate with Stratus Red Team
stratus detonate aws.discovery.ec2-enumerate-from-instance

Detection

Identify when an EC2 instance performs unusual enumeration calls.

An action can be attributed to an EC2 instance acting under its instance role when the userIdentity.arn attribute of a CloudTrail event is an assumed-role ARN whose role session name is an EC2 instance ID (i- followed by hexadecimal characters), for instance:

arn:aws:sts::012345678901:assumed-role/my-instance-role/i-0adc17a5acb70d9ae

A single call such as sts:GetCallerIdentity is low-signal on its own, since SDKs and agents issue it routinely; a more reliable rule is to alert when one instance role issues several distinct discovery calls (iam:ListRoles, iam:GetAccountAuthorizationDetails, cloudtrail:DescribeTrails, and so on) within a short window, and to compare that against what the role normally does.
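As an added example (not code from Stratus Red Team or from this page), the following Python implements that detection over constructed CloudTrail records: it extracts the instance ID from the assumed-role ARN, keeps only the discovery calls listed above, and flags any instance that issues at least a threshold of distinct discovery calls inside a sliding time window. The threshold and window size are tuning assumptions chosen for the example; the record fields read (eventTime, eventSource, eventName, userIdentity.arn) are standard CloudTrail fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery calls exercised by this technique, as (eventSource, eventName)
# pairs the way CloudTrail records them.
DISCOVERY_CALLS = {
    ("sts.amazonaws.com", "GetCallerIdentity"),
    ("s3.amazonaws.com", "ListBuckets"),
    ("iam.amazonaws.com", "GetAccountSummary"),
    ("iam.amazonaws.com", "ListRoles"),
    ("iam.amazonaws.com", "ListUsers"),
    ("iam.amazonaws.com", "GetAccountAuthorizationDetails"),
    ("ec2.amazonaws.com", "DescribeSnapshots"),
    ("cloudtrail.amazonaws.com", "DescribeTrails"),
    ("guardduty.amazonaws.com", "ListDetectors"),
}

# Assumed-role ARN whose session name is an EC2 instance ID. Credentials obtained
# from the instance metadata service use the instance ID as the role session name,
# which is what makes the ARN end in /i-<hex>.
INSTANCE_ROLE_ARN = re.compile(
    r"^arn:aws:sts::\d{12}:assumed-role/(?P<role>[^/]+)/(?P<instance>i-[0-9a-f]{8,17})$"
)


def instance_id_from_event(event):
    """Return the instance ID if the call was made under an EC2 instance role, else None."""
    arn = event.get("userIdentity", {}).get("arn", "")
    match = INSTANCE_ROLE_ARN.match(arn)
    return match.group("instance") if match else None


def find_enumerating_instances(events, threshold=3, window_minutes=10):
    """Flag instances that issued at least `threshold` distinct discovery calls within
    any `window_minutes`-long period. Returns {instance_id: sorted distinct calls}.
    Both parameters are tuning assumptions for this example, not values from the page."""
    window = timedelta(minutes=window_minutes)
    per_instance = defaultdict(list)  # instance ID -> [(time, "service:Action")]
    for event in events:
        instance = instance_id_from_event(event)
        if instance is None:
            continue  # IAM users, Lambda roles, etc. are out of scope for this rule
        key = (event.get("eventSource"), event.get("eventName"))
        if key not in DISCOVERY_CALLS:
            continue
        when = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        service = key[0].split(".")[0]
        per_instance[instance].append((when, f"{service}:{key[1]}"))

    hits = {}
    for instance, calls in per_instance.items():
        calls.sort()
        for i, (start, _) in enumerate(calls):
            # Distinct discovery calls in the window opening at this event.
            in_window = {name for when, name in calls[i:] if when - start <= window}
            if len(in_window) >= threshold:
                hits[instance] = sorted({name for _, name in calls})
                break
    return hits


# Constructed sample CloudTrail records (not real logs), trimmed to the fields the rule reads.
def _record(event_time, source, name, arn):
    return {"eventTime": event_time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}}


COMPROMISED = "arn:aws:sts::012345678901:assumed-role/my-instance-role/i-0adc17a5acb70d9ae"
QUIET = "arn:aws:sts::012345678901:assumed-role/app-role/i-0123456789abcdef0"
HUMAN = "arn:aws:iam::012345678901:user/alice"

SAMPLE_EVENTS = [
    # Compromised instance: the whole sequence within about 30 seconds.
    _record("2023-01-01T12:00:01Z", "sts.amazonaws.com", "GetCallerIdentity", COMPROMISED),
    _record("2023-01-01T12:00:05Z", "s3.amazonaws.com", "ListBuckets", COMPROMISED),
    _record("2023-01-01T12:00:09Z", "iam.amazonaws.com", "GetAccountSummary", COMPROMISED),
    _record("2023-01-01T12:00:12Z", "iam.amazonaws.com", "ListRoles", COMPROMISED),
    _record("2023-01-01T12:00:15Z", "iam.amazonaws.com", "ListUsers", COMPROMISED),
    _record("2023-01-01T12:00:20Z", "iam.amazonaws.com", "GetAccountAuthorizationDetails", COMPROMISED),
    _record("2023-01-01T12:00:24Z", "ec2.amazonaws.com", "DescribeSnapshots", COMPROMISED),
    _record("2023-01-01T12:00:28Z", "cloudtrail.amazonaws.com", "DescribeTrails", COMPROMISED),
    _record("2023-01-01T12:00:31Z", "guardduty.amazonaws.com", "ListDetectors", COMPROMISED),
    # Quiet instance: a GetCallerIdentity plus two discovery calls spread over 45 minutes.
    _record("2023-01-01T12:00:02Z", "sts.amazonaws.com", "GetCallerIdentity", QUIET),
    _record("2023-01-01T12:30:00Z", "s3.amazonaws.com", "ListBuckets", QUIET),
    _record("2023-01-01T12:45:00Z", "ec2.amazonaws.com", "DescribeSnapshots", QUIET),
    # A non-instance principal and a non-discovery call: both ignored by the rule.
    _record("2023-01-01T12:00:03Z", "iam.amazonaws.com", "ListRoles", HUMAN),
    _record("2023-01-01T12:01:00Z", "ec2.amazonaws.com", "DescribeInstances", QUIET),
]

if __name__ == "__main__":
    for instance, calls in find_enumerating_instances(SAMPLE_EVENTS).items():
        print(f"{instance}: {len(calls)} distinct discovery calls: {', '.join(calls)}")
```

With the default threshold of 3 distinct calls in 10 minutes, only i-0adc17a5acb70d9ae is reported; the quiet instance's three calls spread over 45 minutes are reported only if the window is widened to an hour, which is the trade-off to tune against how chatty your instance roles normally are.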