-
Author: Elastic
-
Description: This hunting query identifies when a user makes multiple
GetPasswordDatarequests for an EC2 instance. TheGetPasswordDataAPI call retrieves the encrypted administrator password for an instance running Windows. This API call typically only occurs during the initial launch of an instance or when the password is reset. Multiple requests for the same instance may indicate an adversary attempting to escalate privileges or move laterally within the EC2 environment. -
UUID:
408ba5f6-5db7-11ef-a01c-f661ea17fbce -
Integration: aws.cloudtrail
-
Language:
[ES|QL] -
Source File: EC2 Suspicious Get User Password Request
from logs-aws.cloudtrail*
| where @timestamp > now() - 7 day
| where event.provider == "ec2.amazonaws.com" and event.action == "GetPasswordData"
| dissect aws.cloudtrail.request_parameters "{%{?instance_key}=%{instance_id}}"
| stats instance_count = count_distinct(instance_id) by aws.cloudtrail.user_identity.arn
| where instance_count >= 2- Use the
instance_idfield to identify the EC2 instance for which theGetPasswordDatarequests were made - Check for
RunInstancesAPI calls to determine if the instance was recently launched or if the password was reset aws.cloudtrail.error_codecan provide additional context if theGetPasswordDatarequest failed or was denied- Review the
aws.cloudtrail.user_identity*fields to identify the user making the requests and their role permissions - If a valid account compromise is suspected, review source.* fields for the IP address and geographical location of the request and compare with the user's typical behavior
Elastic License v2