Tags
Cloud
ATT&CK Tactic
Credential Access (TA0006)
Incidents
SilentBob cryptomining campaign
Last edited
Jun 24, 2024 7:57 AM
Status
Stub
Theft of EC2 instance credentials from the Instance Metadata Service.
Attacker executes an SSM command on the instance to retrieve temporary credentials, then uses these credentials locally (outside the instance) to run the following commands:
- sts:GetCallerIdentity
- ec2:DescribeInstances