
AWS EC2 Startup Shell Script Change

Detects changes to the EC2 instance startup script (the instance user data). That script is executed as root/SYSTEM every time the affected instances are booted, so a modification gives an attacker persistent, privileged code execution on each boot.

Author
faloker
Created
Wed Feb 12
Updated
Tue Jun 07
Rule ID
1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
Category
cloud
Log Source
Product
aws
Service
cloudtrail
Detection Logic
detection:
    selection_source:
        eventSource: ec2.amazonaws.com
        requestParameters.attribute: 'userData'
        eventName: ModifyInstanceAttribute
    condition: selection_source
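To show how this selection is evaluated, here is an added example (not part of the Sigma rule or its repository) that applies the three-field selection, with Sigma's AND-within-a-selection and case-insensitive string semantics, to a constructed CloudTrail log; the account ID, ARNs, instance ID and events are made up.

```python
import json

# The rule's selection: every field must match (Sigma AND semantics inside one selection).
SELECTION = {
    "eventSource": "ec2.amazonaws.com",
    "requestParameters.attribute": "userData",
    "eventName": "ModifyInstanceAttribute",
}

def get_field(record, dotted_path):
    """Resolve a Sigma dotted field name (e.g. requestParameters.attribute) in a nested record."""
    value = record
    for key in dotted_path.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(key)
    return value

def matches(record):
    """Sigma strings compare case-insensitively in most backends, so compare lower-cased."""
    values = {f: get_field(record, f) for f in SELECTION}
    return all(isinstance(a, str) and a.lower() == SELECTION[f].lower() for f, a in values.items())

def find_startup_script_changes(cloudtrail_json):
    """Scan a CloudTrail log file ({"Records": [...]}) and summarise each event that fires the rule."""
    hits = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if matches(rec):
            hits.append({"time": rec.get("eventTime"),
                         "actor": get_field(rec, "userIdentity.arn"),
                         "instance": get_field(rec, "requestParameters.instanceId")})
    return hits

# Constructed sample log (not real CloudTrail output): only the first record changes user data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "userData"}},
    # Same API call but a different attribute: must not alert.
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "instanceType"}},
    # Unrelated EC2 event with no requestParameters.attribute at all.
    {"eventTime": "2024-01-01T10:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"instanceType": "t3.micro"}},
]})
```

Calling find_startup_script_changes(SAMPLE_LOG) returns one hit, for alice's userData change; the second record shows why the requestParameters.attribute field is what keeps every other ModifyInstanceAttribute call from alerting.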
False Positives

Legitimate changes to the startup script by administrators or deployment automation

Rule Metadata
Rule ID
1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
Status
test
Level
high
Type
Detection
Created
Wed Feb 12
Modified
Tue Jun 07
Author
faloker
Path
rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml
Raw Tags
attack.execution, attack.t1059.001, attack.t1059.003, attack.t1059.004