Execute Discovery Commands on an EC2 Instance
MITRE ATT&CK Tactics
Runs several discovery commands on an EC2 instance:
The commands will be run under the identity of the EC2 instance role, simulating an attacker having compromised an EC2 instance and running discovery commands on it.
- Create the prerequisite EC2 instance and VPC (takes a few minutes).
- Run the discovery commands over SSM. The commands will be run under the identity of the EC2 instance role.
Identify when an EC2 instance performs unusual enumeration calls.
An action can be determined to have been performed by an EC2 instance under its instance role when the attribute userIdentity.arn of a CloudTrail event ends with i-*, for instance:
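One way to apply this check to CloudTrail records, as an added example that is not part of the original page or the tool's own code: it keeps only events whose userIdentity.arn ends in an instance ID and flags instances that make many distinct enumeration-style calls. The verb prefixes, the threshold of 4, and all sample records (account ID, role name, instance IDs) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Instance-role credentials use the instance ID as the session name, so the ARN's
# last segment is i-<hex>. Anchoring on "/" avoids matching names like "cli-...".
INSTANCE_ARN = re.compile(r"^arn:aws[\w-]*:sts::\d{12}:assumed-role/[^/]+/(i-[0-9a-f]{8,17})$")
ENUM_PREFIXES = ("List", "Describe", "Get")  # assumption: read-only enumeration verbs


def instance_id(event):
    """Return the instance ID if the event used instance-role credentials, else None."""
    arn = event.get("userIdentity", {}).get("arn") or ""
    match = INSTANCE_ARN.match(arn)
    return match.group(1) if match else None


def flag_enumeration(events, threshold=4):
    """Map instance ID -> distinct enumeration calls, for instances at or above threshold."""
    calls = defaultdict(set)
    for event in events:
        iid, name = instance_id(event), event.get("eventName", "")
        if iid and name.startswith(ENUM_PREFIXES):
            calls[iid].add((event.get("eventSource", ""), name))
    return {iid: sorted(seen) for iid, seen in calls.items() if len(seen) >= threshold}


def _ev(arn, source, name):
    """Build a minimal CloudTrail-shaped record for the constructed sample."""
    return {"userIdentity": {"arn": arn}, "eventSource": source, "eventName": name}


# Constructed sample records (account ID, role and instance IDs are made up).
ROLE = "arn:aws:sts::111122223333:assumed-role/sample-instance-role/"
USER = "arn:aws:iam::111122223333:user/sample-admin"
CALLS = [("sts.amazonaws.com", "GetCallerIdentity"), ("s3.amazonaws.com", "ListBuckets"),
         ("iam.amazonaws.com", "ListRoles"), ("iam.amazonaws.com", "ListUsers"),
         ("ec2.amazonaws.com", "DescribeSnapshots")]
SAMPLE_EVENTS = (
    [_ev(ROLE + "i-0123456789abcdef0", s, n) for s, n in CALLS]                   # noisy instance
    + [_ev(ROLE + "i-0fedcba9876543210", "ec2.amazonaws.com", "DescribeInstances")]  # quiet instance
    + [_ev(ROLE + "cli-0123456789abcdef0", s, n) for s, n in CALLS]               # not an instance session
    + [_ev(USER, s, n) for s, n in CALLS]                                         # IAM user, not a role
)

if __name__ == "__main__":
    for iid, seen in flag_enumeration(SAMPLE_EVENTS).items():
        print(iid, "made", len(seen), "distinct enumeration calls:", seen)
```

In practice the threshold should come from a per-role baseline, since some workloads legitimately issue Describe and List calls at startup.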