LoFP LoFP / administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time.

Techniques

Sample rules

AWS Credential Access GetPasswordData

Description

The following analytic identifies more than 10 GetPasswordData API calls within a 5-minute window in your AWS account. It leverages AWS CloudTrail logs to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment.

Detection logic

`cloudtrail` eventName=GetPasswordData eventSource = ec2.amazonaws.com 
|  bin _time span=5m 
|  stats count values(errorCode) as errorCode dc(requestParameters.instanceId) as distinct_instance_ids values(requestParameters.instanceId) as instance_ids by aws_account_id src_ip user_arn userAgent eventName _time 
|  where distinct_instance_ids > 10 
| `aws_credential_access_getpassworddata_filter`