IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Attempt to Retrieve User Data from AWS EC2 Instance
Identifies a DescribeInstanceAttribute discovery request with the attribute userData and an instanceId in AWS CloudTrail logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to gather sensitive data from the instance or to identify potential vulnerabilities. This is a building block rule that does not generate an alert on its own, but serves as a signal for anomalous activity.
Rule type: query
Rule indices:
- filebeat-*
- logs-aws.cloudtrail-*
Severity: low
Risk score: 21
Runs every: 60m
Searches indices from: now-119m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: Amazon Web Services
- Data Source: Amazon EC2
- Use Case: Log Auditing
- Tactic: Discovery
- Rule Type: BBR
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
event.dataset:aws.cloudtrail and event.action:DescribeInstanceAttribute and aws.cloudtrail.request_parameters:(*attribute=userData* and *instanceId*)
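As an added worked example (not part of the Elastic rule or its documentation), the query's three conditions applied in Python to constructed CloudTrail records. It assumes the request parameters are flattened into a `{key=value, ...}` string, which is the form the rule's wildcard patterns are written against; the record layout and instance id are constructed sample data.

```python
import re

# Constructed sample CloudTrail records (not real log data): one that should
# match the rule, one DescribeInstanceAttribute call for a different attribute,
# and one unrelated EC2 API call that must not match.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstanceAttribute",
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "userData"}},
    {"eventName": "DescribeInstanceAttribute",
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "instanceType"}},
    {"eventName": "DescribeInstances",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
]


def flatten_request_parameters(params: dict) -> str:
    """Render requestParameters as a '{key=value, ...}' string.

    Assumption: this mirrors the flattened aws.cloudtrail.request_parameters
    field that the rule's wildcards (*attribute=userData* and *instanceId*)
    are matched against."""
    return "{" + ", ".join(f"{k}={v}" for k, v in params.items()) + "}"


def kql_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a KQL wildcard term (* = any run of characters) into an anchored regex."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


USERDATA_PATTERN = kql_wildcard_to_regex("*attribute=userData*")
INSTANCEID_PATTERN = kql_wildcard_to_regex("*instanceId*")


def matches_rule(event: dict) -> bool:
    """event.action:DescribeInstanceAttribute and both wildcard terms on the flattened parameters."""
    if event.get("eventName") != "DescribeInstanceAttribute":
        return False
    flat = flatten_request_parameters(event.get("requestParameters") or {})
    return bool(USERDATA_PATTERN.match(flat) and INSTANCEID_PATTERN.match(flat))


def run_rule(events: list) -> list:
    """Return the instanceIds of the records the rule would flag as a BBR signal."""
    return [e["requestParameters"]["instanceId"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))
```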
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Discovery
  - ID: TA0007
  - Reference URL: https://attack.mitre.org/tactics/TA0007/
- Technique:
  - Name: Cloud Infrastructure Discovery
  - ID: T1580
  - Reference URL: https://attack.mitre.org/techniques/T1580/