Execute Commands on EC2 Instance via User Data

Tags: slow, idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Execution
  • Privilege Escalation

Description

Executes code on a Linux EC2 instance through User Data.

References:

Warm-up:

  • Create the prerequisite EC2 instance and VPC (takes a few minutes).

Detonation:

  • Stop the instance
  • Use ModifyInstanceAttribute to inject a malicious script in user data
  • Start the instance
  • Upon starting, the malicious script in user data is automatically executed as the root user

Instructions

Detonate with Stratus Red Team
stratus detonate aws.execution.ec2-user-data

Detection

Identify when the following sequence of CloudTrail events occurs within a short period of time (e.g., < 1 hour):

  1. StopInstances (necessary, because the user data of an instance cannot be changed when it's running)
  2. ModifyInstanceAttribute with requestParameters.userData non-empty

When such correlation is not possible, alerting on the second event alone is an option. The user data of an EC2 instance is generally not expected to change often, especially given the popularity of immutable machine images that are fully provisioned before instantiation.
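The correlation described above, as an added example that is not part of the Stratus Red Team page: it walks a few constructed CloudTrail records, pairs each ModifyInstanceAttribute that sets user data with the most recent StopInstances on the same instance, and flags it "high" when the two fall within the window and "low" otherwise (the single-event fallback). The nested shape of requestParameters.userData is an assumption; the check only tests that the field is present and non-empty.

```python
from datetime import datetime, timedelta

# Constructed sample CloudTrail records for this example (not real logs). The
# userData field shape is an assumption; CloudTrail may redact its value, so the
# check below only tests that the field is present and non-empty.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "StopInstances",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
    {"eventTime": "2024-01-01T10:12:00Z", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "userData": {"value": "<redacted-base64-in-sample>"}}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0fedcba9876543210",
                           "instanceType": {"value": "t3.small"}}},
    {"eventTime": "2024-01-01T12:00:00Z", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0fedcba9876543210",
                           "userData": {"value": "<redacted-base64-in-sample>"}}},
]

def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _has_user_data(params):
    ud = params.get("userData")
    if isinstance(ud, dict):      # tolerate {"value": ...} as well as a bare string
        ud = ud.get("value")
    return bool(ud)

def detect_user_data_changes(events, window=timedelta(hours=1)):
    """One finding per user-data change: "high" if the same instance was stopped
    within `window` beforehand (StopInstances -> ModifyInstanceAttribute), else "low"."""
    last_stop = {}   # instanceId -> time of the most recent StopInstances
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        t = _parse_time(ev["eventTime"])
        params = ev.get("requestParameters") or {}
        if ev["eventName"] == "StopInstances":
            for item in params.get("instancesSet", {}).get("items", []):
                last_stop[item["instanceId"]] = t
        elif ev["eventName"] == "ModifyInstanceAttribute" and _has_user_data(params):
            iid = params.get("instanceId")
            stop = last_stop.get(iid)
            correlated = stop is not None and t - stop <= window
            findings.append({"instance_id": iid, "stopped_at": stop, "modified_at": t,
                             "confidence": "high" if correlated else "low"})
    return findings
```

In a real pipeline the events would come from CloudTrail Lake, Athena or a SIEM query over the last hour rather than an in-memory list; the attribute-only change on the second instance produces no finding, as intended.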