GetPasswordData
AWS
GetPasswordData
Event
Retrieves the encrypted Windows administrator password for a newly launched EC2 Windows instance.
Security Context
- Accessing stored credentials or secrets can provide adversaries with keys to additional systems, enabling lateral movement and privilege escalation.
Log Source
CloudTrail
Sample Event
Adversarial — credential access. Draco enumerates Windows EC2 instances after pivoting and calls GetPasswordData against i-0phoenix000000010 (a Windows-based PHOENIX backup orchestrator). The encrypted blob can be decrypted offline if the launch SSH/PEM key is also stolen — Draco harvested key material from the BOWTRUCKLE secrets store earlier (see aws-getparameters). T1552 + T1555.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco" }, "eventTime": "2026-04-15T21:48:31Z", "eventSource": "ec2.amazonaws.com", "eventName": "GetPasswordData", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "instanceId": "i-0phoenix000000010" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000101000010", "eventID": "90000000-0000-4000-8000-000101000011", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Credential Access
Techniques:
- T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Shell History](https://attack.mitre.org/techniques/T1552/003)), operating system or applica...
- T1555 — Credentials from Password Stores — Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make the...