Cloud Threat Hunting: Attack & Investigation Series – Privilege Escalation via EC2

By Maya Levine, Technical Marketing Engineer

Lior Sonntag, Security Analyst

Cloud breaches are becoming increasingly prevalent in this modern digital era. One of the more dangerous strategies attackers deploy during a cloud breach is privilege escalation: they use it to move laterally within a cloud environment and reach sensitive assets.

This blog, the first in the Cloud Threat Hunting: Attack & Investigation Series, reviews an attack scenario that involves launching an EC2 instance without a key pair but with user data.

Watch this video for an in-depth overview of the attack and investigation:


In this attack, the attacker logs into the AWS console using a low-privilege user's credentials. The attacker could have obtained these credentials in many ways: brute force, phishing, purchasing stolen credentials on the dark web, and more. The credentials grant console access only; the user has no access keys for programmatic (API or CLI) use. Because the compromised user's permissions are limited, the attacker tries to escalate to a higher level of permission that can reach sensitive assets.

The attacker then looks at the account's Amazon Machine Images (AMIs). An AMI is a template for launching an instance that contains a software configuration (operating system, application server, and applications), and an AMI built from a production system can carry that system's files, including credentials. The attacker chooses to launch the AMI most likely to have access to a database.

Since the attacker has no access to an existing key pair, and creating a new one could reveal their presence in the account, they launch the AMI without a key pair. Launching an instance without a key pair is uncommon in most organizations and is not a best practice.

Another attack vector that can jeopardize the account is allowing users to pass user data to an instance. User data is intended for common automated configuration tasks, but it also runs arbitrary scripts when the instance starts, and attackers take full advantage of this. In this attack, the attacker uploads a user-data file containing a payload script that opens a reverse shell to the attacker's machine as soon as the instance is spun up.

From here, escalating privileges is simply a matter of finding the files on the instance that contain the database credentials. Once logged into the database, the attacker searches for sensitive content to exfiltrate.


The key first step in investigating an attack like this is a real-time, relevant alert. Alert fatigue is a serious problem for those tasked with analyzing and identifying potential breaches within a cloud environment; after all, what good is a threat intelligence solution if the relevant alerts are buried under sheer numbers? Alerts should be both automated and security focused. A useful threat intelligence solution prioritizes alerts and provides enough context for an analyst to investigate an attack and put the pieces together.

CloudGuard's alerts map to attack techniques outlined in the MITRE ATT&CK® framework. Ordered by priority (risk level), here are the alerts CloudGuard would generate for this attack using its cloud intelligence and threat hunting capability:

The first is Suspicious EC2 Instance without KeyPair was launched but with the UserData attribute. As described above, this combination is a known privilege escalation technique used by attackers.

The second is Anomaly Detection – Anomalous network traffic. CloudGuard uses machine learning to build a baseline of normal behavior and alerts on any deviation from that baseline. This alert provides the context needed to understand that data was extracted from your environment: the logs show all of the IP addresses involved and the byte counts of the outbound transfer.

The next alert is Login to AWS console from a new location. This alert also uses machine learning. If a login occurs from a location outside the user's normal behavior, CloudGuard generates an alert with information about the login, such as country and IP address.

The last alert is Successful login without MFA. This alert has the lowest priority or risk level (Informational). On its own it would not be alarming, unless the organization strictly enforces MFA. Together with the other alerts, however, it helps complete the picture of the attack that occurred.
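The attack chain and three of the four alerts above (the launch without a key pair but with user data, the login from a new location, and the login without MFA) can be reconstructed from a handful of CloudTrail fields. The Python below is an added example written for this post, not CloudGuard code or its rule set. The sample events are constructed to mimic the shape of CloudTrail ConsoleLogin and RunInstances records, including the way CloudTrail masks the user-data value as "<sensitiveDataRemoved>" so that only its presence is visible; the corporate egress range used as the "known location" baseline, the severity ordering, and all user names, IPs and AMI IDs are assumptions.

```python
"""Correlate CloudTrail events into the EC2 privilege-escalation chain.

Added example, not CloudGuard code. Sample records are constructed to
mimic the CloudTrail schema for ConsoleLogin and RunInstances; the
corporate egress range used as the login baseline is an assumption.
"""
import ipaddress
from collections import defaultdict

# Assumption: console logins normally come from this egress range (constructed).
KNOWN_LOGIN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Risk ordering, highest first, mirroring the alert priorities in the post.
SEVERITY = {
    "ec2_launched_without_keypair_with_userdata": "High",
    "console_login_from_new_location": "Medium",
    "console_login_without_mfa": "Informational",
}

# Constructed sample events (not real logs), trimmed to the fields used.
SAMPLE_EVENTS = [
    {"eventTime": "2021-03-01T08:02:11Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user"},
     "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2021-03-01T08:15:40Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user"},
     "sourceIPAddress": "203.0.113.10",
     # No keyName; CloudTrail masks the user-data script, so only its presence shows.
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0123456789abcdef0"}]},
                           "userData": "<sensitiveDataRemoved>"}},
    {"eventTime": "2021-03-01T09:00:05Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "ops-user"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2021-03-01T09:03:22Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ops-user"},
     "sourceIPAddress": "198.51.100.7",
     # Benign: an operator launching with a key pair and bootstrap user data.
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0123456789abcdef0"}]},
                           "keyName": "ops-key",
                           "userData": "<sensitiveDataRemoved>"}},
]


def actor(event):
    """Principal name for grouping; falls back to the ARN for non-IAM-user identities."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def login_findings(event, known_networks=KNOWN_LOGIN_NETWORKS):
    """Findings for a successful ConsoleLogin record: MFA missing, unknown source."""
    if event.get("eventName") != "ConsoleLogin":
        return []
    if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return []  # failed logins are a brute-force signal, not part of this chain
    findings = []
    if event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        findings.append("console_login_without_mfa")
    try:
        src = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        src = None  # e.g. "AWS Internal" or a service name: no location check possible
    if src is not None and not any(src in net for net in known_networks):
        findings.append("console_login_from_new_location")
    return findings


def run_instances_findings(event):
    """Flag RunInstances that supplies user data but no key pair."""
    if event.get("eventName") != "RunInstances":
        return []
    params = event.get("requestParameters", {})
    if "userData" in params and not params.get("keyName"):
        return ["ec2_launched_without_keypair_with_userdata"]
    return []


def correlate(events, known_networks=KNOWN_LOGIN_NETWORKS):
    """Group findings per principal, ordered by severity and then by time."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        for finding in login_findings(ev, known_networks) + run_instances_findings(ev):
            by_actor[actor(ev)].append((ev["eventTime"], finding, ev.get("sourceIPAddress", "")))
    rank = list(SEVERITY)
    for hits in by_actor.values():
        hits.sort(key=lambda h: (rank.index(h[1]), h[0]))
    return dict(by_actor)


if __name__ == "__main__":
    for user, hits in correlate(SAMPLE_EVENTS).items():
        print(user)
        for when, finding, ip in hits:
            print(f"  [{SEVERITY[finding]:>13}] {when} {finding} from {ip}")
```

Two caveats for anyone adapting this. CloudTrail records only that user data was supplied, not its contents, so pulling the actual script from a suspicious instance is a separate step (the EC2 DescribeInstanceAttribute call with the userData attribute, while the instance still exists). And the fixed network list stands in for the learned per-user location baseline the post describes; a machine-learning baseline would replace the KNOWN_LOGIN_NETWORKS check rather than sit beside it.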

Understanding how and when a cloud breach occurred is no small feat; there are many pieces of the puzzle to put together. CloudGuard provides the context and security-oriented alerts needed for cloud intelligence and threat hunting, to help you understand how and why a breach took place.

For more information and to request a demo, please visit