Unexpected AWS EC2 Windows Administrator encrypted password enumeration
Description
AlphaSOC detected attempts to retrieve encrypted Windows administrator passwords from AWS EC2 instances, which may indicate an unauthorized attempt to collect administrator credentials.
Impact
Access to Windows administrator passwords enables threat actors to gain full control over EC2 instances, access sensitive data, modify system configurations, and establish persistence. Compromised credentials can lead to resource exploitation, data breaches, and lateral movement across the infrastructure.
Severity
| Severity | Condition |
|---|---|
| Low | Excessive encrypted password enumeration attempts |
| Medium | Suspicious excessive enumeration attempts |
Investigation and Remediation
Review AWS CloudTrail logs to identify the source IP address, IAM user, and
targeted instances. Check IAM policies and roles for unnecessary GetPasswordData
permissions. If unauthorized access is confirmed, rotate instance passwords, update
key pairs, and review security group configurations.
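A small triage script for the CloudTrail review described above, added here as an example and not part of AlphaSOC's detection: it filters an exported CloudTrail file down to ec2:GetPasswordData events and groups them by IAM user and source IP so that one principal pulling password data for many instances stands out. The sample records, user names, IP addresses, instance IDs, and the threshold of three distinct instances are all constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail export for illustration (not real data).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "GetPasswordData", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "contractor"},
     "requestParameters": {"instanceId": "i-0aaa0001"}},
    {"eventTime": "2024-01-01T10:00:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "GetPasswordData", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "contractor"},
     "requestParameters": {"instanceId": "i-0aaa0002"}},
    {"eventTime": "2024-01-01T10:00:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "GetPasswordData", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "contractor"},
     "requestParameters": {"instanceId": "i-0aaa0003"}},
    {"eventTime": "2024-01-01T11:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "GetPasswordData", "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"instanceId": "i-0bbb0001"}},
    {"eventTime": "2024-01-01T11:31:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {}},
]})

def password_data_calls(raw_json):
    """Parse a CloudTrail export and keep only ec2:GetPasswordData events."""
    records = json.loads(raw_json)["Records"]
    return [r for r in records
            if r.get("eventSource") == "ec2.amazonaws.com"
            and r.get("eventName") == "GetPasswordData"]

def enumeration_by_actor(calls):
    """Group calls by (IAM user, source IP) -> set of targeted instance IDs."""
    targets = defaultdict(set)
    for r in calls:
        user = r.get("userIdentity", {}).get("userName", "unknown")
        ip = r.get("sourceIPAddress", "unknown")
        inst = r.get("requestParameters", {}).get("instanceId", "unknown")
        targets[(user, ip)].add(inst)
    return targets

def flag_excessive(raw_json, threshold=3):
    """Return (user, ip, instance_count) for actors that pulled password data
    for >= threshold distinct instances. The threshold is an assumed tuning value."""
    targets = enumeration_by_actor(password_data_calls(raw_json))
    return sorted((user, ip, len(insts)) for (user, ip), insts in targets.items()
                  if len(insts) >= threshold)
```

Flagged actors are the starting point for the IAM policy review: check whether the principal needs ec2:GetPasswordData at all before rotating instance passwords and key pairs.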