Rules Contributing to Suspicious AWS EC2 Activity Alert

The following rules are used to identify suspicious activity within AWS EC2 logs. Any one or more of them will trigger the Suspicious AWS EC2 Activity alert. Details for each rule can be viewed by clicking the More Details link in its description.

| Title | Description |
|---|---|
| AWS EC2 Startup Shell Script Change | Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up. |
| AWS EC2 Network Access Control List Creation | Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number. |
| AWS EC2 Network Access Control List Deletion | Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. |
| AWS EC2 Snapshot Activity | An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify that the snapshot was not shared with an unauthorized or unexpected AWS account. |
| AWS EC2 VM Export Failure | Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information. |
| AWS EC2 Full Network Packet Capture Detected | Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic. |
| AWS EC2 Encryption Disabled | Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes. |
| EC2 Snapshot Attribute Modification | This analytic uses AWS CloudTrail events to identify when EC2 snapshot permissions are modified. |
| AWS EC2 Security Group Deleted | An EC2 security group has been deleted. |
| AWS EC2 Security Group Modified | An EC2 security group has been modified. |
| AWS EC2 Security Group Created | An EC2 security group has been created. |
| AWS Credential Access GetPasswordData | This detection analytic identifies a GetPasswordData API call made to your AWS account. Attackers can retrieve the encrypted administrator password for a running Windows instance. |
| AWS VPC Network ACL Modified | The ACL for a VPC has been modified. |
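The rules above are evaluated against CloudTrail events. As an added example (not the vendor's own rule logic), the following Python matches sample CloudTrail records against a few of them; `TRUSTED_ACCOUNTS` and the sample records are constructed assumptions, and the field names follow the CloudTrail event format.

```python
# Accounts allowed to receive shared snapshots (an assumption for this example).
TRUSTED_ACCOUNTS = {"111111111111"}

def evaluate(event):
    """Return the names of the rules above that one CloudTrail record matches."""
    hits = []
    if event.get("eventSource") != "ec2.amazonaws.com":
        return hits
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    # Startup Shell Script Change: instance user data rewritten in place.
    if name == "ModifyInstanceAttribute" and "userData" in params:
        hits.append("AWS EC2 Startup Shell Script Change")
    # Snapshot permissions changed; additionally flag a createVolumePermission
    # granted to an account outside TRUSTED_ACCOUNTS or to the public ("all").
    if name == "ModifySnapshotAttribute":
        hits.append("EC2 Snapshot Attribute Modification")
        added = ((params.get("createVolumePermission") or {}).get("add") or {}).get("items", [])
        if any(i.get("group") == "all" or i.get("userId") not in TRUSTED_ACCOUNTS for i in added):
            hits.append("AWS EC2 Snapshot Activity")
    if name == "GetPasswordData":
        hits.append("AWS Credential Access GetPasswordData")
    if name == "DisableEbsEncryptionByDefault":
        hits.append("AWS EC2 Encryption Disabled")
    if name == "CreateTrafficMirrorSession":
        hits.append("AWS EC2 Full Network Packet Capture Detected")
    return hits

def scan(records):
    """Map each matching record's eventID to the rules it triggered."""
    findings = {}
    for rec in records:
        matched = evaluate(rec)
        if matched:
            findings[rec["eventID"]] = matched
    return findings

# Constructed sample CloudTrail records (not real log data).
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
     "requestParameters": {"snapshotId": "snap-0example", "createVolumePermission":
         {"add": {"items": [{"userId": "999999999999"}]}}}},
    {"eventID": "e2", "eventSource": "ec2.amazonaws.com", "eventName": "GetPasswordData",
     "requestParameters": {"instanceId": "i-0example"}},
    {"eventID": "e3", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "requestParameters": {}},
    {"eventID": "e4", "eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0example", "userData": {"value": "<redacted>"}}},
]
```

Running `scan(SAMPLE_EVENTS)` flags e1 (snapshot shared with an account outside the trusted set), e2 and e4, while the read-only DescribeInstances call in e3 produces no finding.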