ModifyInstanceAttribute
AWS
ModifyInstanceAttribute
Event
Modifies a specific attribute of an EC2 instance, such as its instance type, user data, or security groups.
Security Context
- Command execution capabilities can be leveraged by adversaries to run arbitrary scripts and tools within the cloud environment.
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
Log Source
CloudTrail
Sample Event
Adversarial — execution. Draco modifies the user-data of i-0occamy0000000001 (the OCCAMY pipeline EC2 he previously stole credentials from) to inject a bash payload that adds his SSH key to authorized_keys and runs a reverse shell. The instance was already stopped (a prerequisite — userData cannot be modified while running); next he’ll call StartInstances to trigger execution. T1685 + T1059.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T21:42:08Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T22:48:51Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "instanceId": "i-0occamy0000000001", "userData": { "value": "<sensitiveDataRemoved>" } }, "responseElements": { "requestId": "90000000-0000-4000-8000-000101010110", "_return": true }, "requestID": "90000000-0000-4000-8000-000101010110", "eventID": "90000000-0000-4000-8000-000101010111", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment Execution
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...
- T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface a...