Skip to content

GetPasswordData

AWS

GetPasswordData

service: AWS - EC2
techniques:

Event

Retrieves the encrypted Windows administrator password for a newly launched EC2 Windows instance.

Security Context

  • Accessing stored credentials or secrets can provide adversaries with keys to additional systems, enabling lateral movement and privilege escalation.

Log Source

CloudTrail

Sample Event

Adversarial — credential access. Draco enumerates Windows EC2 instances after pivoting and calls GetPasswordData against i-0phoenix000000010 (a Windows-based PHOENIX backup orchestrator). The encrypted blob can be decrypted offline if the launch SSH/PEM key is also stolen — Draco harvested key material from the BOWTRUCKLE secrets store earlier (see aws-getparameters). T1552 + T1555.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco"
},
"eventTime": "2026-04-15T21:48:31Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "GetPasswordData",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"instanceId": "i-0phoenix000000010"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000101000010",
"eventID": "90000000-0000-4000-8000-000101000011",
"readOnly": true,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Credential Access

Techniques:
  • T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or applica...
  • T1555 — Credentials from Password Stores — Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make the...