Execute Commands on EC2 Instance via User Data
MITRE ATT&CK Tactics
- Privilege Escalation
Executes code on a Linux EC2 instance through User Data.
- Create the prerequisite EC2 instance and VPC (takes a few minutes).
- Stop the instance
- Use ModifyInstanceAttribute to inject a malicious script in user data
- Start the instance
- Upon starting, the malicious script in user data is automatically executed as the root user
Identify when the following sequence of CloudTrail events occurs for the same instance in a short period of time (e.g., < 1 hour):
- StopInstances (necessary, because the user data of an instance cannot be changed while it's running)
- ModifyInstanceAttribute, changing the userData attribute
- StartInstances
When such correlation is not possible, alerting on the second event (ModifyInstanceAttribute on user data) alone is an option. The user data of an EC2 instance is generally not expected to change often, especially with the popularity of immutable machine images that are provisioned before instantiation.
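As an added example (not part of this page or the project it describes), a Python rule that applies both detection options above to constructed CloudTrail-style records: the per-instance stop / user data change / start sequence within a time window, and the fallback of flagging every user data modification. The field layout of the userData parameter inside a ModifyInstanceAttribute record is an assumption.

```python
from datetime import datetime, timedelta
# Constructed sample CloudTrail records, trimmed to the fields the rule uses; the userData shape is assumed.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "StopInstances",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0aaa"}]}}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0aaa", "userData": {"value": "<base64 script>"}}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventName": "StartInstances",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0aaa"}]}}},
    # Benign: an instance type change on another instance, not a user data change.
    {"eventTime": "2024-01-01T11:00:00Z", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0bbb", "instanceType": {"value": "t3.large"}}},
]

def event_time(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
def instance_ids(ev):
    """Stop/StartInstances carry an instancesSet; ModifyInstanceAttribute a single instanceId."""
    rp = ev.get("requestParameters") or {}
    if "instanceId" in rp:
        return [rp["instanceId"]]
    return [i["instanceId"] for i in (rp.get("instancesSet") or {}).get("items", [])]

def modifies_user_data(ev):
    return ev["eventName"] == "ModifyInstanceAttribute" and "userData" in (ev.get("requestParameters") or {})

def detect_user_data_sequence(events, window=timedelta(hours=1)):
    """Instance IDs that were stopped, had user data modified, then started, all within `window`."""
    by_instance = {}
    for ev in sorted(events, key=event_time):
        for iid in instance_ids(ev):
            by_instance.setdefault(iid, []).append(ev)
    hits = set()
    for iid, evs in by_instance.items():
        for i, stop in enumerate(evs):
            if stop["eventName"] != "StopInstances":
                continue
            modified = False  # becomes True once a user data change follows this stop
            for later in evs[i + 1:]:
                if event_time(later) - event_time(stop) > window:
                    break
                modified = modified or modifies_user_data(later)
                if modified and later["eventName"] == "StartInstances":
                    hits.add(iid)
                    break
    return sorted(hits)

def detect_user_data_changes(events):
    """Fallback rule: every user data modification, whether or not it sits in the full sequence."""
    return sorted((ev["eventTime"], instance_ids(ev)[0]) for ev in events if modifies_user_data(ev))
```

In production the window and the per-instance grouping would be expressed in the SIEM's correlation language; the fallback rule is the one to start with when that is unavailable.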