
Usage of EC2 Instance Connect on multiple instances

Tags: slow, idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Lateral Movement

Description

Simulates an attacker pushing an SSH public key to multiple EC2 instances, which will then allow anyone holding the corresponding private key to connect directly to those systems over SSH.

Warm-up:

  • Create multiple EC2 instances and a VPC (takes a few minutes).

Detonation:

  • Adds a public SSH key to each EC2 instance for 60 seconds.

References:

Instructions

Detonate with Stratus Red Team
stratus detonate aws.lateral-movement.ec2-instance-connect

Detection

Identify, through CloudTrail's SendSSHPublicKey event, when a single user or role is adding an SSH key to multiple EC2 instances within a short period. Sample event:

{
  "eventSource": "ec2-instance-connect.amazonaws.com",
  "eventName": "SendSSHPublicKey",
  "requestParameters": {
    "instanceId": "i-123456",
    "instanceOSUser": "ec2-user",
    "sSHPublicKey": "ssh-ed25519 ..."
  }
}
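As an added example (not part of the Stratus Red Team documentation), the following Python implements the detection described above over CloudTrail records in JSON-lines form: it keeps only SendSSHPublicKey events and flags any principal that pushed keys to at least a threshold number of distinct instances inside a sliding time window. The principal ARNs, instance ids, timestamps and the threshold/window defaults are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not real events). "alice" pushes keys to
# three distinct instances within one minute (and repeats one instance); "bob"
# pushes a single key, which is ordinary use; one DescribeInstances record must be ignored.
SAMPLE_LOG = """\
{"eventTime":"2024-01-01T10:00:00Z","eventSource":"ec2-instance-connect.amazonaws.com","eventName":"SendSSHPublicKey","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"requestParameters":{"instanceId":"i-0aaa","instanceOSUser":"ec2-user","sSHPublicKey":"ssh-ed25519 AAAA..."}}
{"eventTime":"2024-01-01T10:00:15Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"requestParameters":{}}
{"eventTime":"2024-01-01T10:00:30Z","eventSource":"ec2-instance-connect.amazonaws.com","eventName":"SendSSHPublicKey","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"requestParameters":{"instanceId":"i-0bbb","instanceOSUser":"ec2-user","sSHPublicKey":"ssh-ed25519 AAAA..."}}
{"eventTime":"2024-01-01T10:00:45Z","eventSource":"ec2-instance-connect.amazonaws.com","eventName":"SendSSHPublicKey","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"requestParameters":{"instanceId":"i-0aaa","instanceOSUser":"ec2-user","sSHPublicKey":"ssh-ed25519 AAAA..."}}
{"eventTime":"2024-01-01T10:01:00Z","eventSource":"ec2-instance-connect.amazonaws.com","eventName":"SendSSHPublicKey","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"requestParameters":{"instanceId":"i-0ccc","instanceOSUser":"ec2-user","sSHPublicKey":"ssh-ed25519 AAAA..."}}
{"eventTime":"2024-01-01T10:05:00Z","eventSource":"ec2-instance-connect.amazonaws.com","eventName":"SendSSHPublicKey","userIdentity":{"arn":"arn:aws:iam::111111111111:user/bob"},"requestParameters":{"instanceId":"i-0ddd","instanceOSUser":"ec2-user","sSHPublicKey":"ssh-ed25519 BBBB..."}}
"""


def parse_log(text):
    """Parse JSON-lines CloudTrail records into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def mass_key_pushes(records, threshold=3, window=timedelta(minutes=10)):
    """Return {principal_arn: sorted distinct instance ids} for every principal that
    sent SendSSHPublicKey to at least `threshold` distinct instances within `window`.
    The threshold and window are tuning assumptions, not values from the page."""
    pushes = defaultdict(list)  # principal ARN -> [(timestamp, instance id)]
    for rec in records:
        if rec.get("eventSource") != "ec2-instance-connect.amazonaws.com":
            continue
        if rec.get("eventName") != "SendSSHPublicKey":
            continue
        instance = rec.get("requestParameters", {}).get("instanceId")
        if not instance:
            continue
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        principal = rec.get("userIdentity", {}).get("arn", "unknown")
        pushes[principal].append((ts, instance))

    flagged = {}
    for principal, events in pushes.items():
        events.sort()  # oldest first, so each index closes a window ending at that event
        hits = set()
        for i, (ts, _) in enumerate(events):
            # Distinct instances touched in the window ending at this event (dedups repeats).
            recent = {inst for t, inst in events[: i + 1] if ts - t <= window}
            if len(recent) >= threshold:
                hits |= recent
        if hits:
            flagged[principal] = sorted(hits)
    return flagged


if __name__ == "__main__":
    for arn, instances in mass_key_pushes(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {arn} pushed SSH keys to {len(instances)} instances: {instances}")
```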