Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure

Rule Info

Name: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
Author: jamesc-grafana
Description: Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.
Date: 2024-07-11 00:00:00
Modified: None
Id: 352a918a-34d8-4882-8470-44830c507aa3
Tags: attack.privilege-escalation attack.defense-evasion attack.t1078 attack.t1078.002 DEMO
Type: Community Rule

Rule History

Author | Title | Date | Commit
Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 |
James C | Merge PR #4900 from @jamesc-grafana - Add new AWS cloudtrail rules | 2024-07-11 |