LoFP / valid changes to the startup script

Techniques

• t1059
• t1059.001
• t1059.003
• t1059.004

Sample rules

AWS EC2 Startup Shell Script Change

• source: sigma
• technicques:
  • t1059
  • t1059.001
  • t1059.003
  • t1059.004

Description

Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.

Detection logic

condition: selection_source
selection_source:
  eventName: ModifyInstanceAttribute
  eventSource: ec2.amazonaws.com
  requestParameters.attribute: userData