Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure

Rule Info

Name
Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
Author
jamesc-grafana
Description
Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.
Reference
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
Date
2024-07-11 00:00:00
Modified
None
Id
352a918a-34d8-4882-8470-44830c507aa3
Tags
attack.privilege-escalation attack.defense-evasion attack.t1078 attack.t1078.002 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=352a918a-34d8-4882-8470-44830c507aa3

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
James C
Merge PR #4900 from @jamesc-grafana - Add new AWS cloudtrail rules
2024-07-11
f95d5397b
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022