AWS EC2 Windows Administrator encrypted password fetch attempt
Description
AlphaSOC detected an unsuccessful attempt to retrieve the encrypted Windows Administrator password of an AWS Elastic Compute Cloud (EC2) instance through the ec2:GetPasswordData action. A successful call returns the password blob encrypted with the public key of the key pair assigned to the instance, so any caller holding the matching private key can recover the cleartext; a denied call is recorded in CloudTrail with an authorization error code. This behavior often signals unauthorized access attempts or credential harvesting by threat actors seeking control over EC2 instances. To reduce false positives, the detection excludes both AWS service-initiated actions and authorized, successful requests.
Impact
Unauthorized access to an EC2 instance's Administrator password gives an attacker an interactive login to the instance. This can lead to complete compromise of the instance, exposure of the data it holds, and further pivoting through the AWS environment using any credentials or roles reachable from it. The result may be service disruption, data theft, or the deployment of malicious workloads in the organization's cloud environment.
Severity
| Severity | Condition |
|---|---|
| Informational | Unauthorized GetPasswordData invocation |
| Low | Unauthorized GetPasswordData invocation from an unexpected AWS region or client IP |
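The Description and Severity sections above define the detection in words: a GetPasswordData call that failed, was not initiated by an AWS service, and is rated higher when it comes from an unexpected region or client IP. The following is an added example, not AlphaSOC's own detection code, that applies those rules to CloudTrail records in the standard JSON schema. The allow-lists of expected regions and client networks, and the sample events, are constructed for illustration.

```python
"""Triage ec2:GetPasswordData CloudTrail events (added example, not AlphaSOC code)."""
import ipaddress

# Hypothetical per-environment allow-lists (assumption: tune these to your estate).
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}
EXPECTED_CLIENT_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 test range

# Constructed CloudTrail-style records; field names follow the CloudTrail schema.
SAMPLE_EVENTS = [
    {   # denied call from an expected region and network -> Informational
        "eventID": "evt-1", "eventSource": "ec2.amazonaws.com",
        "eventName": "GetPasswordData", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"instanceId": "i-0123456789abcdef0"},
        "errorCode": "Client.UnauthorizedOperation",
        "errorMessage": "You are not authorized to perform this operation.",
    },
    {   # denied call from an unexpected region and IP -> Low
        "eventID": "evt-2", "eventSource": "ec2.amazonaws.com",
        "eventName": "GetPasswordData", "awsRegion": "ap-southeast-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"instanceId": "i-0123456789abcdef0"},
        "errorCode": "Client.UnauthorizedOperation",
    },
    {   # authorized, successful call (no errorCode) -> excluded
        "eventID": "evt-3", "eventSource": "ec2.amazonaws.com",
        "eventName": "GetPasswordData", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
        "requestParameters": {"instanceId": "i-0123456789abcdef0"},
    },
    {   # AWS service-initiated call -> excluded
        "eventID": "evt-4", "eventSource": "ec2.amazonaws.com",
        "eventName": "GetPasswordData", "awsRegion": "us-east-1",
        "sourceIPAddress": "autoscaling.amazonaws.com",
        "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"},
        "errorCode": "Client.UnauthorizedOperation",
    },
    {   # unrelated API action -> excluded
        "eventID": "evt-5", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
    },
]


def is_aws_service_initiated(event: dict) -> bool:
    """Service-originated calls carry invokedBy and/or an *.amazonaws.com source."""
    ident = event.get("userIdentity", {})
    src = event.get("sourceIPAddress", "")
    return (
        ident.get("type") == "AWSService"
        or bool(ident.get("invokedBy"))
        or src.endswith(".amazonaws.com")
    )


def from_unexpected_origin(event: dict) -> bool:
    """True when the region or the client IP is outside the allow-lists."""
    if event.get("awsRegion") not in EXPECTED_REGIONS:
        return True
    try:
        ip = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        return True  # not an IP literal; treat as unexpected
    return not any(ip in net for net in EXPECTED_CLIENT_NETS)


def classify(event: dict):
    """Return None when the event should not alert, else the severity label."""
    if event.get("eventName") != "GetPasswordData":
        return None
    if is_aws_service_initiated(event):
        return None          # exclusion 1: AWS service-initiated actions
    if "errorCode" not in event:
        return None          # exclusion 2: authorized, successful requests
    return "Low" if from_unexpected_origin(event) else "Informational"


def triage(events) -> dict:
    """Map eventID -> severity for every event that alerts."""
    return {e["eventID"]: sev for e in events if (sev := classify(e)) is not None}


if __name__ == "__main__":
    for event_id, severity in triage(SAMPLE_EVENTS).items():
        print(f"{event_id}: {severity}")
```

Only the two denied, human-initiated calls alert; the successful call and the service-originated call are dropped, as the Description requires, and the one from outside the allow-listed region and network is raised to Low.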
Investigation and Remediation
Investigate the origin and context of the password retrieval attempt. In the CloudTrail record, check the calling identity (userIdentity), the source IP and region, the errorCode, and the targeted instance ID (requestParameters.instanceId), then verify whether the call was made by authorized personnel for a legitimate purpose. If it was not, treat the calling principal's credentials as compromised and revoke or rotate them, reset the Windows Administrator password on the targeted instance, review the principal's other activity in the access logs, and scan the instance for any signs of compromise.
Known False Positives
- Password retrieval attempts during instance recovery or troubleshooting procedures