Modification of multiple EC2 instance startup scripts
Description
AlphaSOC detected a modification to an Elastic Compute Cloud (EC2) instance startup script. This action alters the initialization process of an EC2 instance, potentially allowing unauthorized code execution upon instance launch. This technique can be used by threat actors to maintain access across instance restarts or deployments. Actions initiated by AWS services are exempt from the detection to avoid false positives.
Impact
Threat actors can modify EC2 startup scripts to establish persistence, escalate privileges, or automatically execute malicious code when the instance starts. This can lead to data theft, further system compromise, lateral movement within the cloud environment, and potential service disruption. The impact can extend beyond a single instance if the modified script is propagated to other instances or snapshots.
Severity
| Severity | Condition |
|---|---|
| Informational | A startup script modification |
| Low | Multiple startup script modifications |
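The detection described above, written out as an added example (not AlphaSOC's own logic): it filters CloudTrail records for EC2 calls that rewrite an instance's user data, exempts calls initiated by AWS services, groups the rest by principal, and assigns the severity from the table. The sample records are constructed and simplified; the CloudTrail field layout is assumed for illustration.

```python
import base64
from collections import defaultdict

# Constructed CloudTrail-style records (simplified; field names and values are
# assumed for illustration, not taken from a real trail).
def _ud(script: str) -> str:
    return base64.b64encode(script.encode()).decode()

def _event(identity: dict, instance: str, attribute: str, value: str) -> dict:
    return {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
            "userIdentity": identity,
            "requestParameters": {"instanceId": instance, "attribute": attribute,
                                  attribute: {"value": value}}}

ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}
BOB = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/bob"}
CAROL = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"}
ASG = {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"}
SAMPLE_EVENTS = [
    _event(ALICE, "i-0aaa111", "userData", _ud("#!/bin/bash\napt-get update")),
    _event(ALICE, "i-0bbb222", "userData", _ud("#!/bin/bash\napt-get update")),
    _event(BOB, "i-0ccc333", "userData", _ud("#!/bin/bash\necho ok")),
    _event(CAROL, "i-0ddd444", "instanceType", "t3.large"),  # not a startup script
    _event(ASG, "i-0eee555", "userData", _ud("#!/bin/bash\necho asg")),  # AWS service
]

def is_startup_script_change(ev: dict) -> bool:
    """True for an EC2 ModifyInstanceAttribute call that rewrites user data."""
    params = ev.get("requestParameters", {})
    return (ev.get("eventSource") == "ec2.amazonaws.com"
            and ev.get("eventName") == "ModifyInstanceAttribute"
            and (params.get("attribute") == "userData" or "userData" in params))

def is_aws_service(ev: dict) -> bool:
    """Calls made on behalf of an AWS service are exempt to avoid false positives."""
    ident = ev.get("userIdentity", {})
    return ident.get("type") == "AWSService" or "invokedBy" in ident

def score_modifications(events: list) -> dict:
    """Group qualifying changes by principal; one change is Informational, more is Low."""
    by_actor = defaultdict(list)
    for ev in events:
        if is_startup_script_change(ev) and not is_aws_service(ev):
            actor = ev["userIdentity"].get("arn", "unknown")
            by_actor[actor].append(ev["requestParameters"]["instanceId"])
    return {actor: {"instances": ids,
                    "severity": "Low" if len(ids) > 1 else "Informational"}
            for actor, ids in by_actor.items()}
```

The principal ARN in each result is the starting point for the CloudTrail review described under Investigation and Remediation.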
Investigation and Remediation
Compare the current script to previous versions to identify any alterations. Review AWS CloudTrail logs to identify the user or role that made the change. If unauthorized, revert the script to a known good state and rotate any exposed credentials. Scan the instance for signs of compromise, and consider terminating and replacing the instance if malicious activity is confirmed.
Known False Positives
- Legitimate system administrators updating startup scripts for maintenance or feature implementation
- Development or testing activities involving temporary script modifications in non-production environments