title: AWS ECS Backdoor Task Definition
id: b94bf91e-c2bf-4047-9c43-c6810f43baad
status: experimental
description: Detects when an Elastic Container Service (ECS) Task Definition has been modified and run. This can indicate an adversary adding a backdoor to establish persistence or escalate privileges. This rule is based on examining events created upon execution of Rhino Security Labs' Pacu in a lab environment.
author: Darin Smith
date: 2022/06/07
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ecs__backdoor_task_def/main.py
    - https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html
    - https://attack.mitre.org/techniques/T1525
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: ecs.amazonaws.com
        eventName:
            - DescribeTaskDefinition
            - RegisterTaskDefinition
            - RunTask
        requestParameters.containerDefinitions.command|contains|all:
            - '169.254'
            - '$AWS_CONTAINER_CREDENTIALS'
    condition: selection
level: medium
tags:
    - attack.persistence
    - attack.t1525
falsepositives:
    - Task Definition being modified to request credentials from the Task Metadata Service for valid reasons
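Added example, not part of the Sigma rule or the Pacu project: a Python check that applies the `selection` above to CloudTrail records, run over constructed sample events. It assumes the nested `containerDefinitions[].command` list is flattened to one string per container before the `|contains|all` match; a given Sigma backend may flatten that field differently.

```python
# The three clauses of the rule's `selection`, as data.
EVENT_SOURCE = "ecs.amazonaws.com"
EVENT_NAMES = {"DescribeTaskDefinition", "RegisterTaskDefinition", "RunTask"}
REQUIRED_SUBSTRINGS = ("169.254", "$AWS_CONTAINER_CREDENTIALS")


def container_commands(event):
    # Flatten requestParameters.containerDefinitions[].command to one string per
    # container. Assumption: this mirrors how a Sigma backend handles |contains
    # on a field nested inside a list.
    params = event.get("requestParameters") or {}
    out = []
    for definition in params.get("containerDefinitions") or []:
        cmd = definition.get("command") or []
        out.append(" ".join(cmd) if isinstance(cmd, list) else str(cmd))
    return out


def matches_rule(event):
    # All keys inside `selection` are ANDed.
    if event.get("eventSource") != EVENT_SOURCE:
        return False
    if event.get("eventName") not in EVENT_NAMES:
        return False
    # contains|all: every substring must occur; Sigma string matching is
    # case-insensitive by default, so compare in lower case.
    needles = [s.lower() for s in REQUIRED_SUBSTRINGS]
    return any(all(n in cmd.lower() for n in needles)
               for cmd in container_commands(event))


def alerting_event_ids(events):
    return [e["eventID"] for e in events if matches_rule(e)]


# Constructed sample records (hypothetical, not real CloudTrail output).
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventSource": "ecs.amazonaws.com",  # reads task creds
     "eventName": "RegisterTaskDefinition",
     "requestParameters": {"family": "web", "containerDefinitions": [{"name": "app",
        "command": ["sh", "-c", "curl -s 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]}]}},
    {"eventID": "evt-2", "eventSource": "ecs.amazonaws.com",  # benign registration
     "eventName": "RegisterTaskDefinition",
     "requestParameters": {"family": "web", "containerDefinitions": [{"name": "app",
        "command": ["nginx", "-g", "daemon off;"]}]}},
    {"eventID": "evt-3", "eventSource": "ecs.amazonaws.com",  # no containerDefinitions
     "eventName": "RunTask", "requestParameters": {"taskDefinition": "web:7"}},
]

if __name__ == "__main__":
    print(alerting_event_ids(SAMPLE_EVENTS))  # ['evt-1']
```

Because every key in `selection` is ANDed, only records that carry `requestParameters.containerDefinitions.command` can match; in CloudTrail that is the RegisterTaskDefinition request, while RunTask places command changes under `overrides.containerOverrides` and DescribeTaskDefinition sends no command at all, so those two event names will not match as the rule is written.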