Enumeration of EC2 instance startup scripts

ID: aws_ec2_startup_script_enumeration
Data type: AWS CloudTrail
Severity: Informational
MITRE ATT&CK: TA0007:T1580

Description

AlphaSOC detected an enumeration of Elastic Compute Cloud (EC2) instance startup scripts. This activity involves attempts to systematically gather information about AWS resources, configurations, or services in an account, or to access or retrieve the user data scripts associated with EC2 instances. Startup scripts often contain sensitive information such as credentials, configuration details, or other valuable data that can be targeted by threat actors. Actions initiated by AWS services and known security tools are exempt from the detection to avoid false positives.

Impact

Successful enumeration of EC2 instance startup scripts can provide threat actors with critical information about the infrastructure, potentially leading to unauthorized access, data leakage, or further compromise. Threat actors can use the information gained to tailor their attacks, move laterally within the environment, or escalate privileges.

Severity

Severity        Condition
Informational   Excessive enumeration attempts of EC2 instance startup scripts

Investigation and Remediation

Investigate the source and scope of the enumeration activity. Review logs to identify the specific EC2 instances targeted and the origin of the requests. Verify whether any sensitive information was exposed in the startup scripts. If unauthorized access is confirmed, rotate any compromised credentials, update affected configurations, and patch vulnerabilities.

Known False Positives

  • Legitimate system administrators accessing different startup scripts on different instances for troubleshooting or maintenance purposes
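As an added illustration of the log review described under Investigation and Remediation (example code, not AlphaSOC's detection logic), the following Python groups CloudTrail DescribeInstanceAttribute calls for the userData attribute by calling principal, skips service-initiated events (userIdentity.invokedBy set to an AWS service principal), and reports principals that read startup scripts from several distinct instances together with the instance IDs and source addresses an investigator would pull. The sample events, the principal names and the threshold of three instances are constructed assumptions; the single-instance admin read shows how the known false positive stays below the threshold.

```python
from collections import defaultdict
USERDATA_THRESHOLD = 3  # assumed tuning value; the real threshold is not stated on this page

def ct_event(time, arn, instance_id, ip, attribute="userData", invoked_by=None):
    """Build a minimal CloudTrail record (constructed sample, not real account data)."""
    # invokedBy is present when an AWS service calls on the account's behalf
    identity = {"type": "AssumedRole", "arn": arn, **({"invokedBy": invoked_by} if invoked_by else {})}
    return {"eventTime": time, "eventSource": "ec2.amazonaws.com",
            "eventName": "DescribeInstanceAttribute",
            "requestParameters": {"instanceId": instance_id, "attribute": attribute},
            "userIdentity": identity, "sourceIPAddress": ip}

SUSPECT = "arn:aws:sts::111122223333:assumed-role/ReadOnly/session1"
ADMIN = "arn:aws:iam::111122223333:user/ops-admin"
SAMPLE_EVENTS = [  # constructed: one principal sweeps four instances' user data
    ct_event("2024-05-01T10:00:01Z", SUSPECT, "i-0aaa0001", "203.0.113.10"),
    ct_event("2024-05-01T10:00:02Z", SUSPECT, "i-0aaa0002", "203.0.113.10"),
    ct_event("2024-05-01T10:00:03Z", SUSPECT, "i-0aaa0003", "203.0.113.11"),
    ct_event("2024-05-01T10:00:04Z", SUSPECT, "i-0aaa0004", "203.0.113.11"),
    # admin troubleshooting one instance: the known false positive, stays below threshold
    ct_event("2024-05-01T10:05:00Z", ADMIN, "i-0bbb0001", "198.51.100.7"),
    # a non-userData attribute read is not a startup-script read and is not counted
    ct_event("2024-05-01T10:05:10Z", ADMIN, "i-0bbb0002", "198.51.100.7", attribute="instanceType"),
    # AWS service reads are exempt, however many instances they touch
    *(ct_event(f"2024-05-01T10:10:0{i}Z", "arn:aws:iam::111122223333:role/aws-service-role/autoscaling",
               f"i-0ccc000{i}", "autoscaling.amazonaws.com", invoked_by="autoscaling.amazonaws.com")
      for i in range(5)),
]

def is_user_data_read(event):
    """True for an EC2 DescribeInstanceAttribute call that requests userData."""
    params = event.get("requestParameters") or {}
    return (event.get("eventSource") == "ec2.amazonaws.com"
            and event.get("eventName") == "DescribeInstanceAttribute"
            and params.get("attribute") == "userData")

def is_service_initiated(event):
    """AWS services acting for the account set userIdentity.invokedBy to their principal."""
    return event.get("userIdentity", {}).get("invokedBy", "").endswith(".amazonaws.com")

def find_enumerators(events, threshold=USERDATA_THRESHOLD):
    """Principals reading userData from >= threshold distinct instances, with targets and origins."""
    seen = defaultdict(lambda: {"instances": set(), "source_ips": set()})
    for e in events:
        if not is_user_data_read(e) or is_service_initiated(e):
            continue
        rec = seen[e["userIdentity"].get("arn", "<unknown>")]
        rec["instances"].add(e["requestParameters"]["instanceId"])
        rec["source_ips"].add(e.get("sourceIPAddress", "<unknown>"))
    return {arn: {"instances": sorted(r["instances"]), "source_ips": sorted(r["source_ips"])}
            for arn, r in seen.items() if len(r["instances"]) >= threshold}
```

The returned dictionary is the starting point for the investigation step: the instance IDs tell you whose user data to review for exposed secrets, and the source addresses tell you where the requests came from.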