AWS ECS Task Definition That Queries The Credential Endpoint
- source: sigma
- techniques:
- t1525
Description
Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint. This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.
Detection logic
selection:
  eventSource: ecs.amazonaws.com
  eventName:
    - DescribeTaskDefinition
    - RegisterTaskDefinition
    - RunTask
  requestParameters.containerDefinitions.command|contains: $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
condition: selection
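The selection above has one subtlety a detection engineer has to get right: `containerDefinitions` is a list of containers and each `command` is itself a list of argv strings, so `|contains` must be evaluated across every element of both. The following is an added example, not the rule's own code or any Sigma backend, that applies the rule's logic to constructed CloudTrail-style records (the sample events are made up for illustration):

```python
# Added example, not the rule's own code; records below are constructed, not real CloudTrail logs.
MATCHED_EVENT_NAMES = {"DescribeTaskDefinition", "RegisterTaskDefinition", "RunTask"}
NEEDLE = "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
COMMAND_PATH = ["requestParameters", "containerDefinitions", "command"]

SAMPLE_EVENTS = [  # constructed sample records
    {"eventSource": "ecs.amazonaws.com", "eventName": "RegisterTaskDefinition",
     "requestParameters": {"family": "web", "containerDefinitions": [
         {"name": "app", "image": "nginx:latest", "command": ["nginx", "-g", "daemon off;"]},
         {"name": "sidecar", "image": "busybox",
          "command": ["sh", "-c", "echo $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI > /tmp/out"]}]}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "RegisterTaskDefinition",
     "requestParameters": {"family": "api", "containerDefinitions": [
         {"name": "api", "image": "api:1.2", "command": ["python", "app.py"]}]}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "UpdateService",
     "requestParameters": {"containerDefinitions": [
         {"name": "x", "command": ["sh", "-c", "echo $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]}]}},
]

def _walk(obj, path):
    """Yield every value at a dotted field path, descending through lists the way
    Sigma field matching does (containerDefinitions is a list of containers)."""
    if not path:
        yield obj
    elif isinstance(obj, list):
        for item in obj:
            yield from _walk(item, path)
    elif isinstance(obj, dict) and path[0] in obj:
        yield from _walk(obj[path[0]], path[1:])

def matches_rule(event):
    """Return True when the record satisfies the rule's 'selection' block."""
    if event.get("eventSource") != "ecs.amazonaws.com":
        return False
    if event.get("eventName") not in MATCHED_EVENT_NAMES:
        return False
    for command in _walk(event, COMMAND_PATH):
        # 'command' is a list of argv strings; '|contains' matches any element.
        parts = command if isinstance(command, list) else [command]
        if any(NEEDLE in str(part) for part in parts):
            return True
    return False

def find_matches(events):
    """Return (eventName, task family) for every record the rule fires on."""
    return [(e["eventName"], e["requestParameters"].get("family"))
            for e in events if matches_rule(e)]
```

Only the first record fires: the second has a clean command and the third fails the eventName filter despite carrying the string. Note that RunTask places command overrides under requestParameters.overrides.containerOverrides rather than containerDefinitions, so the field path may need extending for that event when the rule is deployed.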