Detection | Level: high | Status: test

Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure

Detects when an instance identity has taken an action outside of SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.

Author: jamesc-grafana
Created: Thu Jul 11
Rule ID: 352a918a-34d8-4882-8470-44830c507aa3
Category: cloud
Log Source
Product: aws
Service: cloudtrail
Detection Logic (2 selectors)
detection:
    selection:
        userIdentity.arn|re: '.+:assumed-role/aws:.+'
    filter_main_generic:
        - eventSource: 'ssm.amazonaws.com'
        - eventName: 'RegisterManagedInstance'
        - sourceIPAddress: 'AWS Internal'
    condition: selection and not 1 of filter_main_*
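To show how the selection and the OR'd filter list combine, here is an added Python evaluation of the rule's logic over constructed CloudTrail records; it is not part of the rule file or of SigmaHQ, and the account id, instance id, IP address and eventID values are made up.

```python
import re

# The rule's selection: userIdentity.arn must contain an assumed-role path
# beginning with "aws:" (the session shape the rule treats as an instance identity).
SELECTION_RE = re.compile(r".+:assumed-role/aws:.+")

# filter_main_generic is a YAML list of maps, which Sigma ORs: any one matching
# entry excludes the event from the alert.
FILTERS = (
    ("eventSource", "ssm.amazonaws.com"),
    ("eventName", "RegisterManagedInstance"),
    ("sourceIPAddress", "AWS Internal"),
)


def matches_rule(event: dict) -> bool:
    """Evaluate `selection and not 1 of filter_main_*` for one CloudTrail record."""
    arn = event.get("userIdentity", {}).get("arn", "")
    # Sigma's `re` modifier is an unanchored match, so search rather than fullmatch.
    if not SELECTION_RE.search(arn):
        return False
    return not any(event.get(field) == value for field, value in FILTERS)


def run_rule(events):
    """Return the eventIDs of records the rule would alert on, in input order."""
    return [e["eventID"] for e in events if matches_rule(e)]


# Constructed sample records; the ARN is built to satisfy the rule's pattern.
INSTANCE_ARN = "arn:aws:sts::123456789012:assumed-role/aws:ec2-instance/i-0123456789abcdef0"
SAMPLE_EVENTS = [
    # 1: normal SSM traffic from the instance identity; excluded by the eventSource filter.
    {"eventID": "evt-1", "eventSource": "ssm.amazonaws.com", "eventName": "UpdateInstanceInformation",
     "sourceIPAddress": "AWS Internal", "userIdentity": {"arn": INSTANCE_ARN}},
    # 2: instance identity credentials used against S3 from an outside address; the alert case.
    {"eventID": "evt-2", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"arn": INSTANCE_ARN}},
    # 3: an ordinary human role session; the selection regex does not match, so no alert.
    {"eventID": "evt-3", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/alice"}},
    # 4: managed-instance registration is excluded by the eventName filter even from an outside IP.
    {"eventID": "evt-4", "eventSource": "ssm.amazonaws.com", "eventName": "RegisterManagedInstance",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"arn": INSTANCE_ARN}},
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # ['evt-2']
```

Record 4 shows the cost of the eventName filter: a RegisterManagedInstance call from an outside address is suppressed regardless of source IP, which is worth keeping in mind when tuning.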
False Positives

A team has configured an EC2 instance to use an instance profile that grants the EC2 instance the option to talk to other AWS services.

Rule Metadata
Rule ID
352a918a-34d8-4882-8470-44830c507aa3
Status
test
Level
high
Type
Detection
Created
Thu Jul 11
Path
rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
Raw Tags
attack.privilege-escalation, attack.defense-evasion, attack.initial-access, attack.persistence, attack.t1078, attack.t1078.002