
AWS SageMaker Notebook Lifecycle Configuration With Suspicious Script Content
Elastic Detection Rules
Summary
Detects suspicious content in AWS SageMaker notebook lifecycle configurations (OnStart or OnCreate hooks) by base64-decoding the lifecycle script and scanning it for high-signal indicators of malicious activity. The rule consumes successful CloudTrail CreateNotebookInstanceLifecycleConfig and UpdateNotebookInstanceLifecycleConfig events that originate from non-service principals, base64-decodes the field Esql_priv.aws_cloudtrail_lifecycle_script, and checks the decoded script for patterns indicative of reverse shells (e.g., /dev/tcp/, /dev/udp/, bash -i, nc -e, ncat, socat, mkfifo, import socket, pty.spawn, and the usual perl/ruby/php socket idioms), IMDS credential access (169.254.169.254, /latest/meta-data/, /latest/api/token), download-and-execute or decode-and-execute chains (| sh, | bash, base64 -d), cryptominer activity (xmrig, minerd, stratum+), and persistence (authorized_keys, crontab, /etc/cron).
A match indicates a possible attempt to backdoor the notebook instance, steal the credentials of its execution role, or establish persistent code execution. Lifecycle configuration scripts run as root on the instance, so any of these indicators warrants immediate review of who changed the configuration and which notebook instances reference it. The rule is a high-fidelity companion to the broader lifecycle-configuration-change detections and surfaces the specific indicators needed to accelerate investigation. MITRE ATT&CK mappings are T1546 (Event Triggered Execution) under Persistence and T1059.004 (Command and Scripting Interpreter: Unix Shell) under Execution.
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
ATT&CK Techniques
- T1546
- T1059
- T1059.004
Created: 2026-06-29