Detectionmediumtest

AWS ECS Task Definition That Queries The Credential Endpoint

Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint. This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Darin SmithCreated Tue Jun 07Updated Mon Apr 24b94bf91e-c2bf-4047-9c43-c6810f43baadcloud

Log Source

AWScloudtrail

ProductAWS← raw: aws

Servicecloudtrail← raw: cloudtrail

Detection Logic

detection:
    selection:
        eventSource: 'ecs.amazonaws.com'
        eventName:
            - 'DescribeTaskDefinition'
            - 'RegisterTaskDefinition'
            - 'RunTask'
        requestParameters.containerDefinitions.command|contains: '$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'
    condition: selection