Execute Commands on EC2 Instance via User Data
slow, idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Execution
- Privilege Escalation
Description
Executes code on a Linux EC2 instance through User Data.
References:
- https://hackingthe.cloud/aws/exploitation/local-priv-esc-mod-instance-att/
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html
Warm-up:
- Create the prerequisite EC2 instance and VPC (takes a few minutes).
Detonation:
- Stop the instance
- Use ModifyInstanceAttribute to inject a malicious script in user data
- Start the instance
- Upon starting, the malicious script in user data is automatically executed as the root user
Instructions
Detection
Identify when the following sequence of CloudTrail events occurs within a short period of time (e.g., < 1 hour):
- StopInstances (necessary, because the user data of an instance cannot be changed while it is running)
- ModifyInstanceAttribute with requestParameters.userData non-empty
When such correlation is not possible, alerting on the second event alone is an option. The user data of an EC2 instance is generally not expected to change often, especially given the popularity of immutable machine images that are provisioned before instantiation.
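As an added illustration (not part of Stratus Red Team), the two detection options above implemented over constructed CloudTrail records: a correlated rule pairing StopInstances with a later ModifyInstanceAttribute carrying requestParameters.userData on the same instance, and the fallback rule that flags every user-data change. The record layout is an assumption in the usual CloudTrail shape; CloudTrail redacts the user data itself, so the rule only tests that the field is present.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # correlation window from the detection guidance above

# Constructed CloudTrail records (not real events), trimmed to the fields the rules need.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "StopInstances",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0aaa"}]}}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0aaa", "userData": "<sensitiveDataRemoved>"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventName": "StartInstances",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0aaa"}]}}},
    # Benign: a stopped instance is resized; user data is not touched.
    {"eventTime": "2024-01-01T11:00:00Z", "eventName": "StopInstances",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0bbb"}]}}},
    {"eventTime": "2024-01-01T11:02:00Z", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0bbb", "instanceType": {"value": "t3.large"}}},
    # User data changed with no StopInstances on record inside the window.
    {"eventTime": "2024-01-01T15:00:00Z", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0ccc", "userData": "<sensitiveDataRemoved>"}},
]


def _parse(t):
    return datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ")


def user_data_changes(events):
    """Fallback rule: any ModifyInstanceAttribute carrying requestParameters.userData."""
    return [e for e in events
            if e["eventName"] == "ModifyInstanceAttribute"
            and bool((e.get("requestParameters") or {}).get("userData"))]


def find_user_data_injections(events, window=WINDOW):
    """Correlated rule: a userData change within `window` after StopInstances on the same
    instance. Returns (instanceId, stop eventTime, modify eventTime) per match."""
    last_stop = {}  # instanceId -> eventTime of the most recent StopInstances
    findings = []
    for ev in sorted(events, key=lambda e: _parse(e["eventTime"])):
        params = ev.get("requestParameters") or {}
        if ev["eventName"] == "StopInstances":
            for item in params.get("instancesSet", {}).get("items", []):
                last_stop[item["instanceId"]] = ev["eventTime"]
        elif ev["eventName"] == "ModifyInstanceAttribute" and params.get("userData"):
            stop_time = last_stop.get(params.get("instanceId"))
            if stop_time and _parse(ev["eventTime"]) - _parse(stop_time) <= window:
                findings.append((params["instanceId"], stop_time, ev["eventTime"]))
    return findings
```

On the sample data the correlated rule fires once (i-0aaa), while the fallback rule also flags i-0ccc, which is the trade-off between the two options.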