Techniques
Sample rules
AWS Credential Access GetPasswordData
- source: splunk
- techniques:
- T1586
- T1586.003
- T1110
- T1110.001
Description
This detection analytic identifies more than 10 GetPasswordData API calls made to your AWS account within a 5-minute time window. An attacker with this permission can retrieve the encrypted administrator password for a running Windows instance.
Detection logic
`cloudtrail` eventName=GetPasswordData eventSource = ec2.amazonaws.com
| bin _time span=5m
| stats count values(errorCode) as errorCode dc(requestParameters.instanceId) as distinct_instance_ids values(requestParameters.instanceId) as instance_ids by aws_account_id src_ip user_arn userAgent eventName _time
| where distinct_instance_ids > 10
| `aws_credential_access_getpassworddata_filter`
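The same grouping and threshold as the SPL above, as an added Python example that is not part of the rule, applied to constructed CloudTrail JSON records (field names follow CloudTrail: recipientAccountId, sourceIPAddress, userIdentity.arn; the trailing filter macro is not modelled).

```python
from collections import defaultdict
from datetime import datetime, timezone

# Window and threshold come from the rule above (bin span=5m, distinct_instance_ids > 10).
WINDOW_SECONDS = 300
DISTINCT_INSTANCE_THRESHOLD = 10


def time_bucket(event_time: str) -> int:
    """Floor a CloudTrail eventTime (ISO-8601, UTC) to the start of its 5-minute bin."""
    dt = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) // WINDOW_SECONDS * WINDOW_SECONDS


def detect_getpassworddata(events):
    """Filter GetPasswordData from ec2, group like the SPL stats, keep groups over the threshold."""
    groups = defaultdict(lambda: {"count": 0, "instance_ids": set(), "error_codes": set()})
    for e in events:
        if e.get("eventName") != "GetPasswordData" or e.get("eventSource") != "ec2.amazonaws.com":
            continue
        key = (e.get("recipientAccountId"), e.get("sourceIPAddress"),
               e.get("userIdentity", {}).get("arn"), e.get("userAgent"),
               e["eventName"], time_bucket(e["eventTime"]))
        g = groups[key]
        g["count"] += 1
        g["instance_ids"].add(e.get("requestParameters", {}).get("instanceId"))
        if e.get("errorCode"):
            g["error_codes"].add(e["errorCode"])
    findings = []
    for (account, src_ip, user_arn, user_agent, _name, bin_start), g in groups.items():
        if len(g["instance_ids"]) > DISTINCT_INSTANCE_THRESHOLD:
            findings.append({"aws_account_id": account, "src_ip": src_ip, "user_arn": user_arn,
                             "userAgent": user_agent, "bin_start": bin_start, "count": g["count"],
                             "distinct_instance_ids": len(g["instance_ids"]),
                             "errorCode": sorted(g["error_codes"])})
    return findings


def constructed_events(n, user_arn, src_ip):
    """Constructed sample records: n calls from one caller, each against a different instance."""
    return [{"eventTime": f"2024-01-15T10:01:{i:02d}Z", "eventName": "GetPasswordData",
             "eventSource": "ec2.amazonaws.com", "recipientAccountId": "111122223333",
             "sourceIPAddress": src_ip, "userAgent": "aws-cli/2.15.0",
             "userIdentity": {"arn": user_arn},
             "requestParameters": {"instanceId": f"i-{i:017x}"},
             "errorCode": "Client.UnauthorizedOperation" if i % 4 == 0 else None}
            for i in range(n)]


# 12 distinct instances in one bin trips the rule; 3 from a second caller does not.
SAMPLE_EVENTS = (constructed_events(12, "arn:aws:iam::111122223333:user/example-admin", "198.51.100.7")
                 + constructed_events(3, "arn:aws:iam::111122223333:user/example-ops", "203.0.113.9"))
```

Running detect_getpassworddata(SAMPLE_EVENTS) yields one finding for example-admin with count 12 and 12 distinct instance ids, including the partial-failure error codes the SPL would surface in values(errorCode).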