-
Notifications
You must be signed in to change notification settings - Fork 521
/
Copy pathec2_modify_instance_attribute_user_data.toml
27 lines (27 loc) · 1.64 KB
/
ec2_modify_instance_attribute_user_data.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
[hunt]
author = "Elastic"
description = """
This hunting query identifies when a user modifies the user data attribute of an EC2 instance. The user data attribute is a script that runs when the instance is launched. Modifying the user data attribute could indicate an adversary attempting to gain persistence or execute malicious code on the instance.
"""
integration = ["aws.cloudtrail"]
uuid = "f11ac62c-5f42-11ef-9d72-f661ea17fbce"
name = "EC2 Modify Instance Attribute User Data"
language = ["ES|QL"]
license = "Elastic License v2"
notes = [
"Use the `instance_id` field to identify the EC2 instance for which the user data attribute was modified",
"Pivot into the EC2 instance if possible and examine the user data script ('/var/lib/cloud/instance/scripts/userdata.txt') for malicious content",
"To modify an EC2 instance's user data attribute, the instance must be stopped, therefore check for `StopInstances` API calls in `event.action` field to determine if the instance was stopped and started",
"AWS redacts the value of the `user_data` attribute in the CloudTrail logs, so the actual script content will not be visible in the logs",
]
mitre = ['T1059.009','T1037']
query = ['''
from logs-aws.cloudtrail-*
| where @timestamp > now() - 7 day
| where
event.provider == "ec2.amazonaws.com"
and event.action == "ModifyInstanceAttribute"
and aws.cloudtrail.request_parameters RLIKE ".*attribute=userData.*"
| dissect aws.cloudtrail.request_parameters "{%{instance_id_key}=%{instance_id}, %{attribute_key}=%{attribute}, %{value_key}=%{value}}"
| stats user_attribute_modify_count = count(*) by aws.cloudtrail.user_identity.arn, event.outcome
''']