AWS Steal EC2 Instance Credentials
MITRE ATT&CK Tactics
- Credential Access
Simulates the theft of EC2 instance credentials from the Instance Metadata Service and the use of the stolen credentials outside AWS IP space.
- Attempts to connect to the EC2 instance via SSM as the defined user. Once the instance profile credentials are retrieved, the workflow calls the 'DescribeInstances' API with those credentials from the proxy app in Google Cloud (outside AWS IP space).
- Resulting event name:
- Assigned IAM Permission:
Specify which user this attack should run as.
- See User Guide for Execution Instructions via the Google Cloud Console
- Programmatically execute this workflow with the following cli command:
GuardDuty provides two findings to identify stolen EC2 instance credentials.
- identifies EC2 instance credentials used from outside an AWS account.
- identifies EC2 instance credentials used from a different AWS account than the one of the EC2 instance.
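The detection side of this simulation, as an added example that is not part of the original page or the tool it describes: a minimal CloudTrail-style check that flags API calls made with EC2 instance-profile credentials (an assumed-role session whose session name is the instance ID) from an address outside AWS IP space. The AWS prefix list and the log records are constructed stand-ins; GuardDuty uses the full published ranges.

```python
import ipaddress

# Constructed stand-in for the published AWS IP ranges (ip-ranges.json); not complete.
AWS_PREFIXES = [ipaddress.ip_network(p) for p in ("52.94.76.0/22", "3.5.140.0/22")]

# Constructed CloudTrail records: an instance-profile session used from inside AWS,
# the same session used from a non-AWS address, and an IAM user from that address.
SAMPLE_RECORDS = [
    {"eventName": "DescribeInstances", "sourceIPAddress": "52.94.76.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ec2-role/i-0123456789abcdef0"}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ec2-role/i-0123456789abcdef0"}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]

def is_instance_role_session(event):
    """EC2 instance-profile credentials show up as an assumed-role session whose
    session name is the instance ID (the trailing i-... segment of the ARN)."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return False
    return ident.get("arn", "").rsplit("/", 1)[-1].startswith("i-")

def is_outside_aws(source_ip):
    """True for an IP address not covered by the AWS prefix list. Non-IP values
    (service principals such as ec2.amazonaws.com) are never treated as external."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return not any(addr in net for net in AWS_PREFIXES)

def find_stolen_credential_use(records):
    """Return (eventName, sourceIPAddress, session ARN) for each event in which an
    instance-profile session made an API call from outside AWS IP space."""
    return [(ev["eventName"], ev["sourceIPAddress"], ev["userIdentity"]["arn"])
            for ev in records
            if is_instance_role_session(ev) and is_outside_aws(ev.get("sourceIPAddress", ""))]

if __name__ == "__main__":
    for hit in find_stolen_credential_use(SAMPLE_RECORDS):
        print("instance credentials used outside AWS:", hit)
```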