Administrator tooling or automated scripts may make these calls, but it is highly unlikely that they make several calls in a short period of time.

Techniques

Sample rules

AWS Credential Access GetPasswordData

Description

This detection analytic identifies more than 10 GetPasswordData API calls made to your AWS account within a 5-minute time window. Attackers can use this call to retrieve the encrypted administrator password for a running Windows instance.

Detection logic

`cloudtrail` eventName=GetPasswordData eventSource=ec2.amazonaws.com
|  bin _time span=5m
|  stats count values(errorCode) as errorCode dc(requestParameters.instanceId) as distinct_instance_ids values(requestParameters.instanceId) as instance_ids by aws_account_id src_ip user_arn userAgent eventName _time
|  where distinct_instance_ids > 10
| `aws_credential_access_getpassworddata_filter`
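The SPL above is easiest to reason about when rebuilt outside Splunk: the following is an added Python re-implementation, not the rule's own code, that applies the same logic to raw CloudTrail records. It bins on 5-minute boundaries, groups by account, source IP, user ARN and user agent, and, exactly as the `where` clause does, alerts on the number of distinct instance IDs rather than the raw call count (so a retry loop hammering one instance stays below the threshold, which is worth knowing when tuning). The field names used for grouping (`recipientAccountId`, `sourceIPAddress`, `userIdentity.arn`) are the standard CloudTrail record fields that the Splunk add-on maps to `aws_account_id`, `src_ip` and `user_arn`; the sample events are constructed for the example and are not real data.

```python
"""Re-implementation of the GetPasswordData burst detection over raw CloudTrail records.
Added example: mirrors the SPL (5m bins, same group-by keys, distinct_instance_ids > 10)."""
from collections import defaultdict
from datetime import datetime, timezone

THRESHOLD = 10        # where distinct_instance_ids > 10
BIN_SECONDS = 5 * 60  # bin _time span=5m


def _bin_start(event_time: str) -> int:
    """Floor a CloudTrail eventTime (ISO-8601, UTC) to the start of its 5-minute bin."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(ts.timestamp())
    return epoch - (epoch % BIN_SECONDS)


def detect_getpassworddata_bursts(events, threshold=THRESHOLD):
    """Return one finding per (account, src_ip, user_arn, userAgent, bin) whose count of
    DISTINCT instanceId values exceeds `threshold`. `events` are CloudTrail-shaped dicts."""
    groups = defaultdict(lambda: {"count": 0, "instance_ids": set(), "error_codes": set()})
    for ev in events:
        # Base search: eventName=GetPasswordData eventSource=ec2.amazonaws.com
        if ev.get("eventName") != "GetPasswordData" or ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        key = (
            ev.get("recipientAccountId"),            # aws_account_id
            ev.get("sourceIPAddress"),               # src_ip
            ev.get("userIdentity", {}).get("arn"),   # user_arn
            ev.get("userAgent"),                     # userAgent
            _bin_start(ev["eventTime"]),             # _time after bin span=5m
        )
        g = groups[key]
        g["count"] += 1                              # stats count
        instance_id = ev.get("requestParameters", {}).get("instanceId")
        if instance_id:
            g["instance_ids"].add(instance_id)       # dc(...) / values(...) of instanceId
        if ev.get("errorCode"):
            g["error_codes"].add(ev["errorCode"])    # values(errorCode)
    findings = []
    for (account, src_ip, user_arn, user_agent, bin_start), g in groups.items():
        if len(g["instance_ids"]) > threshold:
            findings.append({
                "aws_account_id": account,
                "src_ip": src_ip,
                "user_arn": user_arn,
                "userAgent": user_agent,
                "bin_start": datetime.fromtimestamp(bin_start, tz=timezone.utc).isoformat(),
                "count": g["count"],
                "distinct_instance_ids": len(g["instance_ids"]),
                "instance_ids": sorted(g["instance_ids"]),
                "errorCode": sorted(g["error_codes"]),
            })
    return findings


def _event(offset_s, src_ip, instance_id, user_arn, error_code=None, event_name="GetPasswordData"):
    """Build a minimal CONSTRUCTED CloudTrail record offset from 2024-01-15T10:00:00Z."""
    base = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc).timestamp() + offset_s
    ev = {
        "eventTime": datetime.fromtimestamp(base, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventName": event_name,
        "eventSource": "ec2.amazonaws.com",
        "recipientAccountId": "111122223333",
        "sourceIPAddress": src_ip,
        "userIdentity": {"arn": user_arn},
        "userAgent": "aws-cli/2.0",
        "requestParameters": {"instanceId": instance_id},
    }
    if error_code:
        ev["errorCode"] = error_code
    return ev


# Constructed sample: one burst that should alert, two benign patterns that should not.
SAMPLE_EVENTS = (
    # 12 different instances from one principal in under two minutes -> alert
    [_event(10 * i, "198.51.100.7", f"i-0burst{i:02d}",
            "arn:aws:iam::111122223333:user/contractor") for i in range(12)]
    # 15 calls (failing) against ONE instance -> count 15 but only 1 distinct id -> no alert
    + [_event(5 * i, "203.0.113.9", "i-0single01",
              "arn:aws:iam::111122223333:role/deploy", "InvalidInstanceID.NotFound") for i in range(15)]
    # admin tooling touching 3 instances spread over an hour -> separate bins -> no alert
    + [_event(1200 * i, "192.0.2.20", f"i-0admin{i:02d}",
              "arn:aws:iam::111122223333:user/ops") for i in range(3)]
    # unrelated EC2 call, dropped by the base search
    + [_event(30, "198.51.100.7", "i-0burst00",
              "arn:aws:iam::111122223333:user/contractor", event_name="DescribeInstances")]
)

if __name__ == "__main__":
    for finding in detect_getpassworddata_bursts(SAMPLE_EVENTS):
        print(finding)
```

Running the script prints exactly one finding, for the 12-instance burst from 198.51.100.7; the 15-call retry loop is not flagged because it targets a single instance, which is the behaviour the SPL's `dc(requestParameters.instanceId)` threshold gives you and the reason a raw-count variant (`where count > 10`) would fire on that benign case instead.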