GetPasswordData
Event
Retrieves the encrypted Windows administrator password for a newly launched EC2 Windows instance. The API returns the password as ciphertext encrypted with the public key of the key pair specified at launch; only the holder of the matching private key can recover the plaintext. The call is read-only and is recorded by CloudTrail as a management event.
Security Context
- Accessing stored credentials or secrets can provide adversaries with keys to additional systems, enabling lateral movement and privilege escalation. A principal with ec2:GetPasswordData who also holds, or has stolen, the launch key pair's private key obtains the local Administrator password of the instance and can log in over RDP. Because the call is read-only and returns only ciphertext, the event is low-noise on its own; correlate it with the calling identity, the source IP, how many distinct instances the same caller queries, and any follow-on access to the instance.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Credential Access
Techniques:
- T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g.
- T1555 — Credentials from Password Stores — Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
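The following detection logic, added here as an example and not part of the original page, runs over CloudTrail records and flags GetPasswordData calls from principals outside an allowlist and bursts where one principal pulls passwords for several distinct instances in a short window. The records, the allowlisted ARN, the 3-instance/10-minute threshold and the account and instance IDs are all constructed for illustration; field names follow the CloudTrail record format.

```python
"""Flag suspicious ec2:GetPasswordData calls in CloudTrail records.

Added example for this page. The records below are constructed, not
captured; the allowlist and burst threshold are assumptions to be tuned.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: principals expected to bootstrap Windows hosts in this account.
ALLOWED_PRINCIPALS = {"arn:aws:iam::111122223333:user/ops-admin"}


def _rec(time, arn, user_type, ip, instance_id, event_name="GetPasswordData"):
    """Build one constructed CloudTrail record (sample data only)."""
    return {
        "eventVersion": "1.08",
        "eventTime": time,
        "eventSource": "ec2.amazonaws.com",
        "eventName": event_name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": ip,
        "userAgent": "aws-cli/2.15.0 Python/3.11",
        "readOnly": True,
        "userIdentity": {"type": user_type, "arn": arn, "accountId": "111122223333"},
        "requestParameters": {"instanceId": instance_id},
        "responseElements": None,  # read-only calls carry no response body in CloudTrail
    }


# Constructed log body in the {"Records": [...]} shape CloudTrail writes to S3.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-03-01T10:00:00Z", "arn:aws:iam::111122223333:user/ops-admin", "IAMUser",
         "203.0.113.10", "i-0a1b2c3d4e5f60001"),
    _rec("2024-03-01T10:05:00Z", "arn:aws:iam::111122223333:user/ops-admin", "IAMUser",
         "203.0.113.10", "i-0a1b2c3d4e5f60002", "DescribeInstances"),  # not GetPasswordData
    _rec("2024-03-01T11:00:00Z", "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42",
         "AssumedRole", "198.51.100.7", "i-0a1b2c3d4e5f60003"),
    _rec("2024-03-01T12:00:00Z", "arn:aws:iam::111122223333:user/jdoe", "IAMUser",
         "192.0.2.55", "i-0a1b2c3d4e5f60004"),
    _rec("2024-03-01T12:01:30Z", "arn:aws:iam::111122223333:user/jdoe", "IAMUser",
         "192.0.2.55", "i-0a1b2c3d4e5f60005"),
    _rec("2024-03-01T12:03:00Z", "arn:aws:iam::111122223333:user/jdoe", "IAMUser",
         "192.0.2.55", "i-0a1b2c3d4e5f60006"),
]})


def get_password_data_events(raw_log):
    """Return only ec2:GetPasswordData records from a CloudTrail log body."""
    records = json.loads(raw_log)["Records"]
    return [r for r in records
            if r.get("eventSource") == "ec2.amazonaws.com"
            and r.get("eventName") == "GetPasswordData"]


def detect(raw_log, allowed=ALLOWED_PRINCIPALS, burst=3, window=timedelta(minutes=10)):
    """Return findings for unexpected callers and password-harvesting bursts."""
    findings = []
    events = get_password_data_events(raw_log)

    # Rule 1: caller is not a principal expected to retrieve Windows passwords.
    for e in events:
        arn = e["userIdentity"].get("arn", "")
        if arn not in allowed:
            findings.append({"rule": "unexpected_principal", "principal": arn,
                             "instance": e["requestParameters"]["instanceId"],
                             "sourceIPAddress": e["sourceIPAddress"],
                             "eventTime": e["eventTime"]})

    # Rule 2: one principal pulls passwords for >= `burst` distinct instances
    # within `window`, regardless of allowlist status.
    by_principal = defaultdict(list)
    for e in events:
        t = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_principal[e["userIdentity"].get("arn", "")].append((t, e["requestParameters"]["instanceId"]))
    for arn, calls in by_principal.items():
        calls.sort()
        for i, (start, _) in enumerate(calls):
            in_window = {inst for t, inst in calls[i:] if t - start <= window}
            if len(in_window) >= burst:
                findings.append({"rule": "password_harvest_burst", "principal": arn,
                                 "instances": sorted(in_window),
                                 "window_start": start.isoformat()})
                break  # one burst finding per principal is enough
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(json.dumps(f))
```

The burst rule matters even for allowlisted identities: a legitimate bootstrap workflow retrieves one password per instance it just launched, whereas a compromised operator account sweeping every Windows host in the account produces several calls in quick succession from one principal.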