# Execute Discovery Commands on an EC2 Instance

Tags: slow, idempotent

Platform: AWS

MITRE ATT&CK tactics:
- Discovery
Runs several discovery commands on an EC2 instance:
- sts:GetCallerIdentity
- s3:ListBuckets
- iam:GetAccountSummary
- iam:ListRoles
- iam:ListUsers
- iam:GetAccountAuthorizationDetails
- ec2:DescribeSnapshots
- cloudtrail:DescribeTrails
- guardduty:ListDetectors
The commands run under the identity of the EC2 instance role, simulating an attacker who has compromised an EC2 instance and is running discovery commands from it with the credentials served by the instance metadata service.
Warm-up:
- Create the prerequisite EC2 instance and VPC (takes a few minutes).
Detonation:
- Run the discovery commands over SSM. The commands are run under the identity of the EC2 instance role.

```bash
stratus detonate aws.discovery.ec2-enumerate-from-instance
```
Identify when an EC2 instance performs unusual enumeration calls.

An action can be attributed to an EC2 instance acting under its instance role when the `userIdentity.arn` attribute of the CloudTrail event ends with the instance ID (`i-*`), because the instance metadata service uses the instance ID as the role session name, for instance:

`arn:aws:sts::012345678901:assumed-role/my-instance-role/i-0adc17a5acb70d9ae`

Treat the ARN suffix as a heuristic rather than proof: the session name is chosen by whoever calls `sts:AssumeRole`, so a principal assuming the role directly can pick a session name that looks like an instance ID. Credentials delivered through the instance metadata service additionally carry `userIdentity.sessionContext.ec2RoleDelivery` in the CloudTrail record, which is a more reliable marker, and a single `GetCallerIdentity` from an instance is routine; what stands out is several distinct discovery calls from one instance in a short window.
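The detection logic described above, written out as an added example (this is not Stratus Red Team code): it attributes CloudTrail events to an instance from the `userIdentity.arn` suffix, optionally requires the `sessionContext.ec2RoleDelivery` marker so attacker-chosen session names are not mistaken for instances, and flags an instance once it has made several distinct discovery calls from the list on this page within a short window. The records are constructed inline for the example; the threshold, window and the `i-` regex are assumptions to tune for your environment.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery API calls made by this technique, keyed by (eventSource, eventName).
DISCOVERY_EVENTS = {
    ("sts.amazonaws.com", "GetCallerIdentity"),
    ("s3.amazonaws.com", "ListBuckets"),
    ("iam.amazonaws.com", "GetAccountSummary"),
    ("iam.amazonaws.com", "ListRoles"),
    ("iam.amazonaws.com", "ListUsers"),
    ("iam.amazonaws.com", "GetAccountAuthorizationDetails"),
    ("ec2.amazonaws.com", "DescribeSnapshots"),
    ("cloudtrail.amazonaws.com", "DescribeTrails"),
    ("guardduty.amazonaws.com", "ListDetectors"),
}

# Assumed-role session ARN whose session name is an EC2 instance ID (assumption: 8-17 hex chars).
INSTANCE_SESSION_RE = re.compile(
    r"^arn:aws[a-z-]*:sts::\d{12}:assumed-role/[^/]+/(i-[0-9a-f]{8,17})$"
)


def instance_id_from_event(event, require_imds_marker=True):
    """Return the instance ID if the event was made with EC2 instance-role credentials, else None."""
    ui = event.get("userIdentity", {})
    if ui.get("type") != "AssumedRole":
        return None
    match = INSTANCE_SESSION_RE.match(ui.get("arn", ""))
    if not match:
        return None
    # The session name is picked by the AssumeRole caller, so "i-..." alone can be forged.
    # Credentials from the instance metadata service carry sessionContext.ec2RoleDelivery.
    if require_imds_marker and "ec2RoleDelivery" not in ui.get("sessionContext", {}):
        return None
    return match.group(1)


def find_enumerating_instances(events, threshold=3, window=timedelta(minutes=10),
                               require_imds_marker=True):
    """Map instance ID -> sorted list of discovery calls, for instances that made at least
    `threshold` distinct discovery calls within some `window`-long period."""
    by_instance = defaultdict(list)
    for ev in events:
        iid = instance_id_from_event(ev, require_imds_marker)
        if iid is None or (ev.get("eventSource"), ev.get("eventName")) not in DISCOVERY_EVENTS:
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_instance[iid].append((ts, ev["eventName"]))

    hits = {}
    for iid, calls in by_instance.items():
        calls.sort()  # chronological; sliding window starts at each call
        for i, (start, _) in enumerate(calls):
            distinct = {name for ts, name in calls[i:] if ts - start <= window}
            if len(distinct) >= threshold:
                hits[iid] = sorted({name for _, name in calls})
                break
    return hits


def load_records(path):
    """Read a CloudTrail log file ({"Records": [...]}) and return its events."""
    with open(path) as fh:
        return json.load(fh)["Records"]


def _record(arn, source, name, when, ec2_role_delivery=None):
    """Build a minimal constructed CloudTrail record for the sample data below."""
    ui = {"type": "AssumedRole", "arn": arn, "accountId": "012345678901",
          "sessionContext": {"sessionIssuer": {"type": "Role"}}}
    if ec2_role_delivery:
        ui["sessionContext"]["ec2RoleDelivery"] = ec2_role_delivery
    return {"eventTime": when, "eventSource": source, "eventName": name, "userIdentity": ui}


# Constructed sample records (not real logs): one enumerating instance, one quiet
# instance, and a directly assumed role whose session name imitates an instance ID.
INSTANCE_ARN = "arn:aws:sts::012345678901:assumed-role/my-instance-role/i-0adc17a5acb70d9ae"
QUIET_ARN = "arn:aws:sts::012345678901:assumed-role/my-instance-role/i-0fedcba9876543210"
DECOY_ARN = "arn:aws:sts::012345678901:assumed-role/admin-role/i-0123456789abcdef0"

SAMPLE_RECORDS = [
    _record(INSTANCE_ARN, "sts.amazonaws.com", "GetCallerIdentity", "2024-01-01T10:00:00Z", "2.0"),
    _record(INSTANCE_ARN, "s3.amazonaws.com", "ListBuckets", "2024-01-01T10:00:05Z", "2.0"),
    _record(INSTANCE_ARN, "iam.amazonaws.com", "ListRoles", "2024-01-01T10:00:09Z", "2.0"),
    _record(INSTANCE_ARN, "cloudtrail.amazonaws.com", "DescribeTrails", "2024-01-01T10:00:12Z", "2.0"),
    _record(INSTANCE_ARN, "guardduty.amazonaws.com", "ListDetectors", "2024-01-01T10:00:15Z", "2.0"),
    _record(QUIET_ARN, "sts.amazonaws.com", "GetCallerIdentity", "2024-01-01T10:01:00Z", "2.0"),
    _record(QUIET_ARN, "s3.amazonaws.com", "GetObject", "2024-01-01T10:01:02Z", "2.0"),
    _record(DECOY_ARN, "iam.amazonaws.com", "ListUsers", "2024-01-01T11:00:00Z"),
    _record(DECOY_ARN, "iam.amazonaws.com", "ListRoles", "2024-01-01T11:00:03Z"),
    _record(DECOY_ARN, "iam.amazonaws.com", "GetAccountAuthorizationDetails", "2024-01-01T11:00:06Z"),
]

if __name__ == "__main__":
    for iid, names in find_enumerating_instances(SAMPLE_RECORDS).items():
        print(f"{iid}: {', '.join(names)}")
```

With the IMDS marker required, only `i-0adc17a5acb70d9ae` is reported; the decoy session under `admin-role` only shows up when `require_imds_marker=False`, which is the trade-off to keep in mind if your CloudTrail records predate that field.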