
Modification of multiple EC2 instance startup scripts

ID: aws_ec2_startup_script_modify_volume
Data type: AWS CloudTrail
Severity: Informational - Low
MITRE ATT&CK: TA0004:T1037

Description

AlphaSOC detected a modification to an Elastic Compute Cloud (EC2) instance startup script. This action alters the initialization process of an EC2 instance, potentially allowing unauthorized code execution upon instance launch. This technique can be used by threat actors to maintain access across instance restarts or deployments. Actions initiated by AWS services are exempt from the detection to avoid false positives.

Impact

Threat actors can modify EC2 startup scripts to establish persistence, escalate privileges, or automatically execute malicious code when the instance starts. This can lead to data theft, further system compromise, lateral movement within the cloud environment, and potential service disruption. The impact can extend beyond a single instance if the modified script is propagated to other instances or snapshots.

Severity

Severity        Condition
Informational   A startup script modification
Low             Multiple startup script modifications

Investigation and Remediation

Compare the current script to previous versions to identify any alterations. Review AWS CloudTrail logs to identify the user or role that made the change. If unauthorized, revert the script to a known good state and rotate any exposed credentials. Scan the instance for signs of compromise, and consider terminating and replacing the instance if malicious activity is confirmed.
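The detection logic and the first two investigation steps above (pick out user data changes from CloudTrail, exempt AWS service principals, grade by count, and diff the script against its previous version), as an added example in Python. This is illustrative code written for this page, not AlphaSOC's detection engine. The CloudTrail records are constructed samples; the exact layout of the user data attribute under requestParameters, and grouping modifications per calling principal to derive the Informational/Low severity, are assumptions made here.

```python
import base64
import difflib
from collections import defaultdict

# Constructed CloudTrail-style records (sample data, not real telemetry).
# The shape of the userData attribute under requestParameters is an assumption.
SAMPLE_EVENTS = [
    {   # IAM user changes the startup script of a first instance
        "eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"instanceId": "i-0123456789abcdef0", "userData": {"value": "..."}},
    },
    {   # same user, second instance -> "multiple modifications"
        "eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"instanceId": "i-0fedcba9876543210", "userData": {"value": "..."}},
    },
    {   # initiated by an AWS service: exempt from the detection
        "eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
        "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"},
        "requestParameters": {"instanceId": "i-0aaaaaaaaaaaaaaaa", "userData": {"value": "..."}},
    },
    {   # same API call but a different attribute: not a startup script change
        "eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ops/bob"},
        "requestParameters": {"instanceId": "i-0bbbbbbbbbbbbbbbb", "disableApiTermination": {"value": True}},
    },
    {   # assumed role, a single startup script change
        "eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ops/bob"},
        "requestParameters": {"instanceId": "i-0ccccccccccccccccc", "userData": {"value": "..."}},
    },
]

# Constructed previous/current user data, base64-encoded as EC2 stores it.
OLD_SCRIPT_B64 = base64.b64encode(b"#!/bin/bash\napt-get update -y\n").decode()
NEW_SCRIPT_B64 = base64.b64encode(
    b"#!/bin/bash\napt-get update -y\nsystemctl enable extra-service\n").decode()


def is_service_initiated(event):
    """True when the call was made on behalf of an AWS service (exempt)."""
    ident = event.get("userIdentity", {})
    return ident.get("type") == "AWSService" or \
        ident.get("invokedBy", "").endswith(".amazonaws.com")


def is_startup_script_change(event):
    """True for an EC2 ModifyInstanceAttribute call that touches userData."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return False
    if event.get("eventName") != "ModifyInstanceAttribute":
        return False
    params = event.get("requestParameters") or {}
    return "userData" in params or params.get("attribute") == "userData"


def startup_script_modifications(events):
    """Map each non-service principal ARN to the instances whose script it changed."""
    by_actor = defaultdict(list)
    for ev in events:
        if not is_startup_script_change(ev) or is_service_initiated(ev):
            continue
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        by_actor[arn].append(ev["requestParameters"].get("instanceId"))
    return dict(by_actor)


def severity(by_actor):
    """One modification -> Informational, more than one -> Low (per the table above)."""
    return {arn: "Low" if len(ids) > 1 else "Informational"
            for arn, ids in by_actor.items()}


def script_diff(old_b64, new_b64):
    """Decode two user data versions and return only the added/removed lines."""
    old = base64.b64decode(old_b64).decode().splitlines()
    new = base64.b64decode(new_b64).decode().splitlines()
    lines = list(difflib.unified_diff(old, new, "previous", "current", lineterm=""))
    # Skip the two file headers, keep only +/- change lines (drop hunk headers).
    return [l for l in lines[2:] if l[:1] in ("+", "-")]


if __name__ == "__main__":
    mods = startup_script_modifications(SAMPLE_EVENTS)
    for arn, level in severity(mods).items():
        print(f"{level:13} {arn} -> {mods[arn]}")
    print("\n".join(script_diff(OLD_SCRIPT_B64, NEW_SCRIPT_B64)))
```

Run against real CloudTrail exports, the actor ARN is what you take to the access review, and the diff output is what you compare against your change records before deciding whether to revert the script.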

Known False Positives

  • Legitimate system administrators updating startup scripts for maintenance or feature implementation
  • Development or testing activities involving temporary script modifications in non-production environments