LoFP / administrators may use ec2 instances to interact with iam services as part of an automation workflow, ensure validity of the triggered event and include exceptions where necessary.

Techniques

• T1078
• T1098

Sample rules

AWS EC2 Instance Interaction with IAM Service

• source: elastic
• technicques:
  • T1078
  • T1098

Description

Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern “i-” which is the beginning pattern for assumed role sessions started by an EC2 instance. This is a building block rule and does not generate alerts on its own. It is meant to be used for correlation with other rules to detect suspicious activity.

Detection logic

any where event.dataset == "aws.cloudtrail"
    and event.provider == "iam.amazonaws.com"
    and aws.cloudtrail.user_identity.type == "AssumedRole"
    and stringContains(user.id, ":i-")
    and (
            startsWith(event.action, "Update")
            or startsWith(event.action, "Attach")
            or startsWith(event.action, "Detach")
            or startsWith(event.action, "Create")
            or startsWith(event.action, "Delete")
            or startsWith(event.action, "Add")
            or startsWith(event.action, "Remove")
            or startsWith(event.action, "Put")
            or startsWith(event.action, "Tag")
    )