"EC2 user data" allows commands to be run automatically when an EC2 instance starts. An attacker with sufficient permissions can overwrite the user data of an EC2 instance to have it execute malicious commands and escalate their privileges.
When an attacker manages to execute malicious commands on an EC2 virtual machine, they can access sensitive data and run ransomware or other extortion attacks.
An attacker first needs to stop the EC2 instance, then modify its user data. After that, the malicious commands are executed the next time the instance starts.
You can identify when an EC2 instance is stopped and its user data changed using the following CloudTrail events:
StopInstances. Note that the user data of an EC2 instance cannot be changed while it is running.
ModifyInstanceAttribute, when the field requestParameters.userData is not empty.
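The two CloudTrail signals above can be correlated directly. The following is an added detection example, not code from the original page or from Datadog: it runs over constructed sample CloudTrail records (the instance IDs, ARNs and timestamps are made up), flags every ModifyInstanceAttribute call whose requestParameters.userData is non-empty, and records whether the same instance was stopped shortly beforehand.

```python
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not from a real account). In real
# CloudTrail logs the user data value itself is redacted, so only its
# presence matters for detection.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "StopInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
    {"eventTime": "2024-01-01T10:02:30Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "userData": {"value": "<sensitiveDataRemoved>"}}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"instanceId": "i-0fedcba9876543210",
                           "instanceType": {"value": "t3.small"}}},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def user_data_modified(event):
    """True when a ModifyInstanceAttribute call carries a non-empty userData field."""
    if event.get("eventName") != "ModifyInstanceAttribute":
        return False
    user_data = (event.get("requestParameters") or {}).get("userData")
    if isinstance(user_data, dict):
        user_data = user_data.get("value")
    return bool(user_data)


def detect_user_data_tampering(events, window=timedelta(hours=1)):
    """Return one alert per user-data change; each alert notes whether the
    instance had a StopInstances call within `window` before the change."""
    stops = {}   # instanceId -> timestamps of StopInstances calls
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        params = ev.get("requestParameters") or {}
        when = parse_time(ev["eventTime"])
        if ev.get("eventName") == "StopInstances":
            for item in params.get("instancesSet", {}).get("items", []):
                stops.setdefault(item["instanceId"], []).append(when)
        elif user_data_modified(ev):
            iid = params.get("instanceId")
            preceded = any(timedelta(0) <= when - t <= window for t in stops.get(iid, []))
            alerts.append({"instanceId": iid, "actor": ev["userIdentity"]["arn"],
                           "time": ev["eventTime"], "stoppedBeforehand": preceded})
    return alerts
```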
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.execution.ec2-user-data
See also the related documentation.
How Datadog can help
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "Possible AWS EC2 privilege escalation via the modification of user data".
Stratus Red Team - Execute Commands on EC2 Instance via User Data
Local Privilege Escalation: User Data
Run commands on your Linux instance at launch