ModifyInstanceAttribute
Event
Modifies a specific attribute of an EC2 instance, such as its instance type, user data, or security groups.
Security Context
- Command execution capabilities can be leveraged by adversaries to run arbitrary scripts and tools within the cloud environment.
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Defense Evasion, Execution
Techniques:
- T1562 — Impair Defenses — Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify...
- T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.
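Detection Example
The following triage sketch is an added example, not part of the original entry. It sorts CloudTrail ModifyInstanceAttribute records by which attribute changed and maps user data and security group changes to the two techniques listed above. The sample records are constructed, and the `requestParameters` layout (`userData`, `groupSet`, `instanceType`), the `triage` helper names and the status labels are assumptions to verify against your own trail.

```python
# Constructed CloudTrail records; the requestParameters layout is an assumption.
def _ev(params, name="ModifyInstanceAttribute", **extra):
    return {"eventSource": "ec2.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example"},
            "requestParameters": params, **extra}

SAMPLE_EVENTS = [
    _ev({"instanceId": "i-0example0000000001", "userData": "<sensitiveDataRemoved>"}),
    _ev({"instanceId": "i-0example0000000002",
         "groupSet": {"items": [{"groupId": "sg-0example000000001"}]}}),
    _ev({"instanceId": "i-0example0000000003", "instanceType": {"value": "t3.large"}}),
    _ev({"instanceId": "i-0example0000000004", "userData": "<sensitiveDataRemoved>"},
        errorCode="Client.UnauthorizedOperation"),
    _ev(None, name="DescribeInstances"),
]

# Attribute -> ATT&CK technique listed in this entry.
WATCHED = {"userData": "T1059", "groupSet": "T1562"}

def triage(event):
    """Classify one record; returns None for unrelated events."""
    if (event.get("eventSource"), event.get("eventName")) != (
            "ec2.amazonaws.com", "ModifyInstanceAttribute"):
        return None
    params = event.get("requestParameters") or {}   # field may be null in the log
    changed = sorted(k for k in params if k != "instanceId")
    techniques = sorted({WATCHED[k] for k in changed if k in WATCHED})
    if not techniques:
        status = "info"            # e.g. an instance type change
    elif "errorCode" in event:
        status = "attempted"       # denied call, still worth correlating
    else:
        status = "review"
    return {"instance": params.get("instanceId"),
            "actor": (event.get("userIdentity") or {}).get("arn"),
            "changed": changed, "techniques": techniques, "status": status}

def triage_all(events):
    """Run triage over a batch and drop unrelated events."""
    return [f for f in map(triage, events) if f is not None]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_EVENTS):
        print(finding)
```

Denied calls are kept as "attempted" rather than dropped, since a failed change to user data or security groups is often the earlier signal.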