Add An Existing Role To A New Ec2 Instance (aws)
| Platform | Author | Last Update |
|---|---|---|
| aws | Nick Jones | 2024-12-02 |
An adversary may attach an existing role to a new EC2 instance to which they have access
MITRE IDs
Required Permissions
- iam:PassRole
- ec2:RunInstances
Required Parameters
| Name | Type | Description | Example Value |
|---|---|---|---|
| image_id | str | AMI to create instance from | ami-a4dc46db |
| instance_type | str | Type of instance to create | t2.micro |
| iam_instance_profile_name | str | EC2 instance profile to assign | ec2-instance-profile |
| key_name | str | Name of SSH key to assign to instance | my-ssh-key |
| security_group_id | str | ID of a security group to apply to the instance | sg-123456 |
Attacker Action
aws ec2 run-instances –image-id image_id –instance-type instance_type –iam-instance-profile Name=iam_instance_profile_name –key-name key_name –security-group-ids security_group_idsDetection Case
ELK query
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:RunInstances AND eventSource:ec2.amazonaws.comSigma Definition
---title: Add an existing role to a new EC2 instanceid: 899eb2b1-6e96-4203-bd38-9cddf970a50astatus: experimentalauthor: Nick Jonesdate: 2024-12-02description: An adversary may attach an existing role to a new EC2 instance to which they have accesslogsource: service: cloudtraildetection: selection_source: - eventSource: "ec2.amazonaws.com" events: - eventName: "RunInstances" condition: selection_source and eventslevel: lowtags: - attack.T1098
falsepositives: - Developers making legitimate changes to the environment. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.