LoFP / A team has configured an EC2 instance to use instance profiles that grant the option for the EC2 instance to talk to other AWS services

Sample rules

Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure

Description

Detects when an instance identity takes an action outside of SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.

Detection logic

selection:
  userIdentity.arn|re: '.+:assumed-role/aws:.+'
filter_main_generic:
  - eventSource: 'ssm.amazonaws.com'
  - eventName: 'RegisterManagedInstance'
  - sourceIPAddress: 'AWS Internal'
condition: selection and not 1 of filter_main_*
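To make the detection logic above concrete, here is an added Python evaluator that applies the same selection, filter and condition to a few constructed CloudTrail-style records. It is not part of the rule or of the LoFP page; the ARNs, account number, instance ID and IP addresses are placeholders, and it assumes the usual Sigma semantics (a YAML list of maps under a filter is an OR of those maps, plain string matches are case-insensitive, and the `re` modifier is an unanchored regex search). It also goes slightly beyond the page by showing that any single filter alternative, such as `sourceIPAddress` alone, is enough to suppress a match.

```python
import re
from typing import Any, Dict, List, Optional

# Rule logic transcribed from the Sigma fragment above.
# selection: userIdentity.arn|re: '.+:assumed-role/aws:.+'
SELECTION_ARN_RE = re.compile(r".+:assumed-role/aws:.+")

# filter_main_generic is a YAML list of maps: in Sigma that means any one of the
# maps matching is enough (OR), while keys inside one map are ANDed together.
FILTER_MAIN_GENERIC: List[Dict[str, str]] = [
    {"eventSource": "ssm.amazonaws.com"},
    {"eventName": "RegisterManagedInstance"},
    {"sourceIPAddress": "AWS Internal"},
]
FILTER_GROUPS = [FILTER_MAIN_GENERIC]  # every filter_main_* group; the page has one


def get_field(event: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve a dotted Sigma field name such as 'userIdentity.arn'."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def map_matches(event: Dict[str, Any], fields: Dict[str, str]) -> bool:
    """All fields in one map must match; plain Sigma string matches are case-insensitive."""
    for field, expected in fields.items():
        value = get_field(event, field)
        if value is None or str(value).lower() != expected.lower():
            return False
    return True


def selection(event: Dict[str, Any]) -> bool:
    """The 're' modifier is an unanchored regex search on the field value."""
    arn = get_field(event, "userIdentity.arn")
    return isinstance(arn, str) and SELECTION_ARN_RE.search(arn) is not None


def rule_matches(event: Dict[str, Any]) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    any_filter = any(map_matches(event, m) for group in FILTER_GROUPS for m in group)
    return selection(event) and not any_filter


def run_detection(events: List[Dict[str, Any]]) -> List[str]:
    """Return the eventIDs the rule would alert on, in input order."""
    return [e["eventID"] for e in events if rule_matches(e)]


# Constructed CloudTrail-style records (account, instance ID and IPs are placeholders).
INSTANCE_IDENTITY_ARN = "arn:aws:sts::123456789012:assumed-role/aws:ec2-infrastructure/i-0123456789abcdef0"
INSTANCE_PROFILE_ARN = "arn:aws:sts::123456789012:assumed-role/WebServerRole/i-0123456789abcdef0"

SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # Instance identity registering with SSM from inside AWS -> filtered out, no alert.
    {"eventID": "evt-1", "eventSource": "ssm.amazonaws.com", "eventName": "RegisterManagedInstance",
     "sourceIPAddress": "AWS Internal", "userIdentity": {"arn": INSTANCE_IDENTITY_ARN}},
    # Instance identity credentials used against S3 from an external address -> alert.
    {"eventID": "evt-2", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"arn": INSTANCE_IDENTITY_ARN}},
    # Ordinary instance-profile role: the regex does not select it, so the rule ignores it.
    {"eventID": "evt-3", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"arn": INSTANCE_PROFILE_ARN}},
    # Instance identity, non-SSM call, but sourceIPAddress alone satisfies the OR filter.
    {"eventID": "evt-4", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "AWS Internal", "userIdentity": {"arn": INSTANCE_IDENTITY_ARN}},
]

if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))  # ['evt-2']
```

The third record shows where the false positive described on this page sits relative to the rule: an instance-profile session ARN of the form `assumed-role/RoleName/i-...` does not contain `assumed-role/aws:` and is therefore never selected, so a team that sees alerts for legitimate cross-service calls should check which identity the offending events actually carry. If a benign non-SSM action by a selected identity has to be tolerated, the tuning that keeps the rule's intent is an additional `filter_main_*` group for that specific eventSource/eventName pair, not a broader regex in `selection`.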