You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml
+23-7Lines changed: 23 additions & 7 deletions
Original file line number
Diff line number
Diff line change
@@ -1,13 +1,17 @@
1
1
[metadata]
2
+
bypass_bbr_timing = true
2
3
creation_date = "2024/07/24"
3
4
integration = ["aws"]
4
5
maturity = "production"
5
-
updated_date = "2024/07/24"
6
+
updated_date = "2024/11/05"
6
7
7
8
[rule]
8
9
author = ["Elastic"]
10
+
building_block_type = "default"
9
11
description = """
10
12
Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern "i-" which is the beginning pattern for assumed role sessions started by an EC2 instance.
13
+
14
+
This is a [building block](https://www.elastic.co/guide/en/security/current/building-block-rule.html) rule and does not generate alerts on its own. It is meant to be used for correlation with other rules to detect suspicious activity.
11
15
"""
12
16
false_positives = ["Administrators may use EC2 instances to interact with IAM services as part of an automation workflow, ensure validity of the triggered event and include exceptions where necessary."]
13
17
from = "now-6m"
@@ -18,9 +22,9 @@ name = "AWS EC2 Instance Interaction with IAM Service"
0 commit comments