Analytic Rules — Amazon Web Services (2 added)
What Changed
Two new Analytic Rules are added to the Amazon Web Services solution (AWSCloudTrail data). The PR description mentions only one rule, but the diff contains two: AWS_EC2StartupShellScriptChanged and AWS_S3ObjectExfiltrationByAnonymousUser.
Detection Logic
EC2 Startup Shell Script Changed (Severity: Medium)
Primary data source: AWSCloudTrail
Core logic: Filters for ModifyInstanceAttribute or CreateLaunchTemplate events whose RequestParameters contain userData. EC2 user data is the startup script that cloud-init (Linux, as root) or EC2Launch (Windows, with administrator rights) runs on an instance's first boot by default, and that can be configured to run on every boot; replacing it is a well-documented persistence technique (implemented as a module in the Pacu framework, which stops the instance, rewrites the script and starts it again). The rule fires on both live instance attribute changes and new launch template creation. Triage notes: user data on an existing instance can only be changed while the instance is stopped, so a true positive usually appears as a StopInstances, ModifyInstanceAttribute, StartInstances sequence from the same principal and source IP; CreateLaunchTemplateVersion and RunInstances also accept user data and are not among the events listed, so templates updated in place or instances launched with an inline script are outside this rule's coverage.
Entity types: Account (Name, UPNSuffix), IP (SourceIpAddress)
S3 Object Exfiltration from Anonymous User (Severity: Medium)
Primary data source: AWSCloudTrail
Core logic: Matches GetObject events where UserIdentityAccountId is ANONYMOUS_PRINCIPAL or UserIdentityPrincipalid is "Anonymous", i.e. any unauthenticated read of an S3 object. This is a direct signal that the bucket or object is publicly readable and is actively being fetched; unless the bucket is intentionally public (static website hosting, published datasets), treat it as a misconfiguration under active access. Extracts BucketName and ObjectKey for triage. Caveats: GetObject is an S3 data event, not a management event, so it only reaches the trail (and the AWSCloudTrail table) when S3 data-event logging is enabled for the bucket or trail; expect volume from intentionally public buckets and tune with an allow-list on BucketName rather than lowering the rule's scope.
Entity types: Account (Name, UPNSuffix), IP (SourceIpAddress)
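The two AWS detections above, re-implemented as an added example in Python over constructed CloudTrail records so the matching logic can be checked offline; this is not the solution's own KQL. Field names follow raw CloudTrail JSON (eventName, userIdentity.accountId and so on), which the Sentinel AWSCloudTrail table flattens into EventName, UserIdentityAccountId, UserIdentityPrincipalid and a JSON-string RequestParameters column. The sample identities, instance IDs, bucket names and the public-bucket allow-list are all constructed for the example; the allow-list is a tuning suggestion, not part of the shipped rule.

```python
"""Added example (not the solution's own KQL): the two AWS CloudTrail detections above,
re-implemented in Python over constructed CloudTrail records. Field names follow raw
CloudTrail JSON (eventName, userIdentity.accountId, ...), which Sentinel's AWSCloudTrail
table flattens into EventName, UserIdentityAccountId, UserIdentityPrincipalid and a
JSON-string RequestParameters column."""
import json

# Constructed identities and records, trimmed to the fields the rules use. Not real telemetry.
ADMIN = {"type": "IAMUser", "accountId": "111122223333", "principalId": "AIDAEXAMPLE1", "userName": "ops-admin"}
ETL = {"type": "IAMUser", "accountId": "111122223333", "principalId": "AIDAEXAMPLE2", "userName": "etl-svc"}
ANON = {"type": "AWSAccount", "principalId": "Anonymous", "accountId": "ANONYMOUS_PRINCIPAL"}
ANON_ACCT_ONLY = {"type": "AWSAccount", "principalId": "", "accountId": "ANONYMOUS_PRINCIPAL"}
USER_DATA = "IyEvYmluL2Jhc2gK"  # base64 of "#!/bin/bash\n"; the rule keys on the key, not the body


def rec(when, source, name, ip, identity, params):
    return {"eventTime": when, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": identity, "requestParameters": params}


SAMPLE_EVENTS = [
    # 1. user data rewritten on a stopped instance: EC2 rule fires
    rec("2024-05-01T10:02:11Z", "ec2.amazonaws.com", "ModifyInstanceAttribute", "203.0.113.10", ADMIN,
        {"instanceId": "i-0abc123def456", "userData": {"value": USER_DATA}}),
    # 2. instance type change on the same instance: no userData, must not fire
    rec("2024-05-01T10:03:40Z", "ec2.amazonaws.com", "ModifyInstanceAttribute", "203.0.113.10", ADMIN,
        {"instanceId": "i-0abc123def456", "instanceType": {"value": "t3.large"}}),
    # 3. new launch template with a startup script: EC2 rule fires. Stored as a JSON
    #    string here, the way the Sentinel RequestParameters column arrives.
    rec("2024-05-01T10:07:02Z", "ec2.amazonaws.com", "CreateLaunchTemplate", "203.0.113.10", ADMIN,
        json.dumps({"CreateLaunchTemplateRequest": {"LaunchTemplateName": "web-tier",
                                                    "LaunchTemplateData": {"UserData": USER_DATA}}})),
    # 4. anonymous read from a bucket that should never be public: S3 rule fires
    rec("2024-05-01T11:20:09Z", "s3.amazonaws.com", "GetObject", "198.51.100.7", ANON,
        {"bucketName": "payroll-exports", "key": "2024/q1-salaries.csv"}),
    # 5. authenticated read of the same object: must not fire
    rec("2024-05-01T11:21:00Z", "s3.amazonaws.com", "GetObject", "10.20.30.40", ETL,
        {"bucketName": "payroll-exports", "key": "2024/q1-salaries.csv"}),
    # 6. anonymous read (accountId marker only) from an intentionally public bucket:
    #    matches the rule, suppressed by the tuning allow-list in the usage below
    rec("2024-05-01T11:25:44Z", "s3.amazonaws.com", "GetObject", "192.0.2.55", ANON_ACCT_ONLY,
        {"bucketName": "www-static-assets", "key": "css/site.css"}),
]


def has_key_ci(node, wanted):
    """True if `wanted` occurs as a key anywhere in a JSON tree, case-insensitively.
    KQL `has` is case-insensitive; CreateLaunchTemplate logs the key as UserData."""
    if isinstance(node, dict):
        return any(k.lower() == wanted.lower() or has_key_ci(v, wanted) for k, v in node.items())
    if isinstance(node, list):
        return any(has_key_ci(v, wanted) for v in node)
    return False


def request_params(ev):
    """RequestParameters as a dict, whether it arrived as an object or a JSON string."""
    params = ev.get("requestParameters") or {}
    return json.loads(params) if isinstance(params, str) else params


def entities(ev):
    """The entities both rules map: Account -> Name, IP -> SourceIpAddress."""
    ident = ev.get("userIdentity", {})
    return {"account": ident.get("userName") or ident.get("principalId", ""),
            "source_ip": ev.get("sourceIPAddress", "")}


def detect_ec2_user_data_change(events):
    """AWS_EC2StartupShellScriptChanged logic: ModifyInstanceAttribute or
    CreateLaunchTemplate whose request parameters carry user data."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        if ev.get("eventName") not in ("ModifyInstanceAttribute", "CreateLaunchTemplate"):
            continue
        params = request_params(ev)
        if not has_key_ci(params, "userData"):
            continue
        target = (params.get("instanceId")
                  or params.get("CreateLaunchTemplateRequest", {}).get("LaunchTemplateName", ""))
        alerts.append({"rule": "EC2 Startup Shell Script Changed", "event": ev["eventName"],
                       "target": target, **entities(ev)})
    return alerts


def detect_anonymous_s3_get(events, public_buckets=frozenset()):
    """AWS_S3ObjectExfiltrationByAnonymousUser logic: GetObject by an unauthenticated
    principal (either anonymous marker). GetObject is a data event, so it is only present
    when S3 data-event logging is enabled. `public_buckets` is an assumed tuning
    allow-list for intentionally public buckets, not part of the shipped rule."""
    alerts = []
    for ev in events:
        if ev.get("eventName") != "GetObject":
            continue
        ident = ev.get("userIdentity", {})
        if ident.get("accountId") != "ANONYMOUS_PRINCIPAL" and ident.get("principalId") != "Anonymous":
            continue
        params = request_params(ev)
        bucket = params.get("bucketName", "")
        if bucket in public_buckets:
            continue
        alerts.append({"rule": "S3 Object Exfiltration from Anonymous User", "bucket": bucket,
                       "key": params.get("key", ""), **entities(ev)})
    return alerts


if __name__ == "__main__":
    for alert in (detect_ec2_user_data_change(SAMPLE_EVENTS)
                  + detect_anonymous_s3_get(SAMPLE_EVENTS, {"www-static-assets"})):
        print(json.dumps(alert))
```

Run as-is it emits two EC2 alerts (the rewritten instance and the new template, but not the instance-type change) and one S3 alert (the payroll bucket; the allow-listed static-assets bucket is suppressed). The case-insensitive key walk matters: the launch-template request logs the field as UserData, and a rule that looked for the lowercase key only in the top level would miss it.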
MITRE Mapping
- T1059 — Command and Scripting Interpreter (EC2 startup script modification)
- T1530 — Data from Cloud Storage (anonymous S3 object access)
Analytic Rules — VMware ESXi (1 added)
What Changed
One new Analytic Rule added to the VMware ESXi solution detecting programmatic SSH service enablement via vim-cmd.
Detection Logic
VMware ESXi - SSH Enable on ESXi Host (Severity: High)
Primary data source: VMwareESXi table (syslog ingested via SyslogAma connector)
Core logic: Searches VMwareESXi syslog messages that contain both vim-cmd and hostsvc/enable_ssh. Extracts the initiating username from the [info] [username] pattern and the target ESXi hostname from the [pid] [hostname on pattern. SSH is disabled by default on ESXi hosts; enabling it from the shell with vim-cmd is a recurring step in hypervisor-targeted ransomware operations (e.g., BlackMatter, ESXiArgs) and in hands-on-keyboard intrusions that pivot from vCenter to the hypervisors, because it gives the operator an interactive channel to stage and run an encryptor against the datastores. Caveats: enabling SSH from the vSphere Client or vCenter does not execute vim-cmd on the host and will not match this rule; that path is recorded by hostd as an SSH-enabled audit event, so pair the two for coverage. Expect benign hits from administrators and from automation (backup appliances, configuration management) that toggle SSH, and tune on the extracted username rather than suppressing by host.
Entity types: Host (FullName), Account (Name)
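The ESXi detection above, as an added example in Python over constructed syslog lines, not the solution's own KQL. The line layout is an assumption modelled on ESXi shell.log forwarded over syslog (`<timestamp> <hostname> shell[<pid>]: [<user>]: <command>`), so the bracket positions differ from the [info] [username] and [pid] [hostname patterns the rule parses; the regex must be adapted to the format the tenant's VMwareESXi table actually receives. The hostnames, timestamps and the one hostd audit line (which illustrates the vSphere Client path the rule cannot see) are all constructed.

```python
"""Added example (not the solution's own KQL): the vim-cmd SSH-enable detection run over
constructed ESXi syslog lines. Assumed line layout is the ESXi shell.log form
`<timestamp> <hostname> shell[<pid>]: [<user>]: <command>`, with one hostd audit line
illustrating the non-shell path; adapt the regex to the message format your
VMwareESXi table actually receives."""
import re

# Constructed syslog lines (not real telemetry). Hostnames, pids and timestamps are invented;
# the hostd message text is an assumption modelled on the esx.audit.ssh.enabled event.
SAMPLE_SYSLOG = """\
2024-05-01T10:01:55Z esx01.corp.example shell[2099745]: [root]: esxcli system version get
2024-05-01T10:02:11Z esx01.corp.example shell[2099745]: [root]: vim-cmd hostsvc/enable_ssh
2024-05-01T10:02:14Z esx01.corp.example shell[2099745]: [root]: vim-cmd hostsvc/start_ssh
2024-05-01T10:05:02Z esx02.corp.example shell[2100120]: [backupsvc]: vim-cmd hostsvc/disable_ssh
2024-05-01T10:09:40Z esx02.corp.example shell[2100120]: [backupsvc]: vim-cmd hostsvc/enable_ssh
2024-05-01T10:11:00Z esx03.corp.example Hostd: info hostd[2099567] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 61 : SSH access has been enabled.
"""

SHELL_LINE = re.compile(
    r"^(?P<time>\S+)\s+(?P<host>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<command>.*)$")


def detect_vim_cmd_ssh_enable(lines):
    """ESXiSSHEnableOnHost logic: a line that contains both `vim-cmd` and
    `hostsvc/enable_ssh`, with the initiating user and target host extracted as the
    rule's Account and Host entities. disable_ssh and start_ssh lines do not match."""
    hits = []
    for line in lines:
        if "vim-cmd" not in line or "hostsvc/enable_ssh" not in line:
            continue
        m = SHELL_LINE.match(line)
        if not m:  # substrings matched but the assumed layout did not: keep the raw line
            hits.append({"time": "", "host": "", "user": "", "pid": "", "command": line})
            continue
        hits.append(m.groupdict())
    return hits


def ssh_enabled_without_vim_cmd(lines):
    """Coverage gap: hosts whose hostd audit log reports SSH enabled (vSphere Client or
    vCenter path) with no vim-cmd invocation, which the rule as described cannot see."""
    hosts = []
    for line in lines:
        if "SSH access has been enabled" in line and "vim-cmd" not in line:
            parts = line.split()
            if len(parts) > 1:
                hosts.append(parts[1])
    return hosts


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    for hit in detect_vim_cmd_ssh_enable(lines):
        print(f"SSH enabled via vim-cmd on {hit['host']} by {hit['user']} at {hit['time']}")
    for host in ssh_enabled_without_vim_cmd(lines):
        print(f"SSH enabled on {host} outside the shell: not matched by the vim-cmd rule")
```

Against the sample, the rule logic yields two hits (root on esx01, backupsvc on esx02) and ignores the disable_ssh and start_ssh lines; the esx03 line shows the case a vim-cmd-only rule misses, which is why it is worth a companion rule on the hostd audit event.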
MITRE Mapping
- T1021 — Remote Services, sub-technique T1021.004 SSH (SSH enablement for lateral movement to the ESXi host)
Affected Files
Solutions/Amazon Web Services/Analytic Rules/AWS_EC2StartupShellScriptChanged.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectExfiltrationByAnonymousUser.yaml
Solutions/VMWareESXi/Analytic Rules/ESXiSSHEnableOnHost.yaml
(packaging artefacts: mainTemplate.json, createUiDefinition.json, Solution_AmazonWebServices.json, Solution_VMWareESXi.json, 3.0.7.zip, 3.0.4.zip)