
EC2 Startup Shell Script Changed

Id: f8577e4d-8481-437b-a94e-06f615985668
Rulename: EC2 Startup Shell Script Changed
Description: Detects changes to the EC2 startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up. ref : https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__startup_shell_script/main.py
Severity: Medium
Tactics: Execution
Techniques: T1059
Required data connectors: AWS
Kind: Scheduled
Query frequency: 15m
Query period: 15m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_EC2StartupShellScriptChanged.yaml
Version: 1.0.0
Arm template: f8577e4d-8481-437b-a94e-06f615985668.json
// EC2 startup-script (user data) changes recorded by CloudTrail.
// NOTE(review): CreateLaunchTemplateVersion can also carry new userData for future
// launches and is not matched here — consider adding it after confirming its
// CloudTrail request body still contains the userData key.
AWSCloudTrail
| where EventName in ("ModifyInstanceAttribute", "CreateLaunchTemplate")
// Cheap text prefilter before JSON parsing (contains is case-insensitive).
| where RequestParameters contains "userData"
| extend requestParams = parse_json(RequestParameters)
// NOTE(review): CloudTrail may redact the user-data value, so userData_ can be a
// placeholder rather than the script body — confirm against a live event and pull
// the attribute from EC2 directly during triage.
| extend userData_ = tostring(requestParams.userData),
         instanceId_ = tostring(requestParams.instanceId)
| project-away requestParams, SourceSystem, Category, Type, TenantId, EventVersion, SessionIssuerAccountId
// Text after the first ':' of principalId; for assumed-role principals that is the
// caller-chosen role session name, so treat Name/UpnSuffix as a hint, not as identity.
| extend UserName = substring(UserIdentityPrincipalid, indexof(UserIdentityPrincipalid, ":") + 1)
// Both columns are dynamic-typed; wrap in tostring() if string columns are required.
| extend Name = split(UserName, '@')[0], UpnSuffix = split(UserName, '@')[1]
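# Scheduled analytic rule: EC2 user-data (startup script) modification seen in
# CloudTrail via ModifyInstanceAttribute or CreateLaunchTemplate.
id: f8577e4d-8481-437b-a94e-06f615985668
name: EC2 Startup Shell Script Changed
kind: Scheduled
version: 1.0.0
status: Available
severity: Medium
# Folded scalar without the literal single quotes the upstream file wraps around
# this text; those quotes otherwise become part of the rendered description.
description: >-
  Detects changes to the EC2 startup script. The shell script will be executed
  as root/SYSTEM every time the specific instances are booted up.
  ref : https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__startup_shell_script/main.py
requiredDataConnectors:
  - connectorId: AWS
    dataTypes:
      - AWSCloudTrail
# NOTE(review): queryPeriod equals queryFrequency, so an event that reaches the
# workspace more than 15 minutes after its TimeGenerated is never evaluated.
# If CloudTrail ingestion lags in your tenant, make queryPeriod longer than
# queryFrequency.
queryFrequency: 15m
queryPeriod: 15m
# Fire on any matching row (row count greater than 0).
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
relevantTechniques:
  - T1059
# NOTE(review), detection scope: CreateLaunchTemplateVersion can also carry new
# userData for future launches and is not matched below — consider adding it
# after confirming its CloudTrail request body still contains the userData key.
# NOTE(review), triage: CloudTrail may redact the user-data value, so userData_
# can be a placeholder rather than the script body; fetch the attribute from EC2
# directly. For assumed-role principals the text after ':' in principalId is the
# caller-chosen session name, so Name/UpnSuffix are hints, not identity — pivot
# on the principal's ARN/type columns as well.
# Trailing whitespace inside the block scalar has been removed; it was part of
# the query string before.
query: |
  AWSCloudTrail
  | where EventName == "ModifyInstanceAttribute" or EventName == "CreateLaunchTemplate"
  | where RequestParameters contains "userData"
  | extend userData_ = tostring(parse_json(RequestParameters).userData)
  | extend instanceId_ = tostring(parse_json(RequestParameters).instanceId)
  | project-away  SourceSystem,Category,Type,TenantId,EventVersion,SessionIssuerAccountId
  | extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
  | extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: Name
      - identifier: UPNSuffix
        columnName: UpnSuffix
  # NOTE(review): for calls initiated by an AWS service, SourceIpAddress may hold
  # a service DNS name rather than an address — confirm before relying on the IP
  # entity in automation.
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIpAddress
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_EC2StartupShellScriptChanged.yaml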
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f8577e4d-8481-437b-a94e-06f615985668')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f8577e4d-8481-437b-a94e-06f615985668')]",
      "properties": {
        "alertRuleTemplateName": "f8577e4d-8481-437b-a94e-06f615985668",
        "customDetails": null,
        "description": "Detects changes to the EC2 startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up. ref : https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__startup_shell_script/main.py",
        "displayName": "EC2 Startup Shell Script Changed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UpnSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_EC2StartupShellScriptChanged.yaml",
        "query": "AWSCloudTrail\n| where EventName == \"ModifyInstanceAttribute\" or EventName == \"CreateLaunchTemplate\"\n| where RequestParameters contains \"userData\"\n| extend userData_ = tostring(parse_json(RequestParameters).userData)\n| extend instanceId_ = tostring(parse_json(RequestParameters).instanceId)\n| project-away  SourceSystem,Category,Type,TenantId,EventVersion,SessionIssuerAccountId\n| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, \":\") + 1)\n| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1059"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}