
Summary
Detects a coordinated sequence of EC2 management API calls characteristic of modifying an instance's user data and then forcing a reboot so that the new payload executes. The rule aggregates successful CloudTrail events for StopInstances, StartInstances, and ModifyInstanceAttribute (where the request parameters include userData) within five-minute windows and buckets them by instance_id, user.name, cloud.account.id, user_agent.original, and source.ip. A hit fires only when all three distinct API actions occur in the same bucket, indicating a potential attempt to modify user data and cycle the instance to run code on boot. Attackers can use this behavior to execute malicious scripts with root privileges on Linux or in the system context on Windows.

The detection is an ES|QL query that extracts instance IDs from aws.cloudtrail.request_parameters, computes a 5-minute time bucket, and requires Esql.event_action_unique_count == 3, while excluding calls from known automation tools and certain AWS origins to reduce benign noise. The alert's fields (instance, account, caller, IP, user agent, and time) should be used to retrieve the underlying CloudTrail events and the user-data payload for inspection.

The rule maps to MITRE ATT&CK T1578 (Modify Cloud Compute Infrastructure) under Defense Evasion and T1059 (Command and Scripting Interpreter) with its Cloud API sub-technique (T1059.009), reflecting abuse of the API surface to alter an instance's execution context. Legitimate maintenance tasks or automation could produce the same pattern, so triage should correlate the caller identity, change tickets, and the legitimacy of the user-data change before escalating.
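As an added illustration of the bucketing logic described above (this is not the rule's ES|QL and not Elastic's code), the following Python re-implements the five grouping keys, the 5-minute bucket, the automation-tool exclusion and the distinct-action count over constructed CloudTrail-like events. The flattened field names, the allowlisted user agent, and all sample values are assumptions made for the example.

```python
# Added example: Python re-implementation of the rule's bucketed correlation; field names are assumed.
from collections import defaultdict
from datetime import datetime

WATCHED = {"StopInstances", "StartInstances", "ModifyInstanceAttribute"}
BUCKET_SECONDS = 300
EXCLUDED_AGENTS = {"example-automation-tool/1.0"}  # placeholder for the rule's known-automation allowlist

def instance_id(params):
    # ModifyInstanceAttribute carries instanceId; Stop/StartInstances carry instancesSet.items[].instanceId
    if "instanceId" in params:
        return params["instanceId"]
    items = params.get("instancesSet", {}).get("items", [])
    return items[0]["instanceId"] if items else None

def is_candidate(ev):
    if ev["event_action"] not in WATCHED or ev["outcome"] != "success" or ev["user_agent"] in EXCLUDED_AGENTS:
        return False
    # Only user-data changes count for ModifyInstanceAttribute (e.g. an instanceType change is ignored)
    return ev["event_action"] != "ModifyInstanceAttribute" or "userData" in ev["request_parameters"]

def correlate(events):
    # Returns the bucket keys in which all three distinct actions occurred (event_action_unique_count == 3)
    buckets = defaultdict(set)
    for ev in events:
        if not is_candidate(ev):
            continue
        ts = datetime.fromisoformat(ev["@timestamp"]).timestamp()
        key = (instance_id(ev["request_parameters"]), ev["user_name"], ev["account_id"],
               ev["user_agent"], ev["source_ip"], int(ts // BUCKET_SECONDS) * BUCKET_SECONDS)
        buckets[key].add(ev["event_action"])
    return sorted(k for k, actions in buckets.items() if len(actions) == 3)

def make_event(ts, action, params, agent="aws-cli/2.15.0", user="alice"):
    # Constructed sample event builder; every value here is made up for the example
    return {"@timestamp": ts, "event_action": action, "outcome": "success", "user_name": user,
            "account_id": "111111111111", "user_agent": agent, "source_ip": "198.51.100.7",
            "request_parameters": params}

IID = "i-0123456789abcdef0"
SET_PARAMS = {"instancesSet": {"items": [{"instanceId": IID}]}}
UD_PARAMS = {"instanceId": IID, "userData": {"value": "<base64 user data>"}}
SAMPLE_EVENTS = [
    make_event("2026-04-03T10:01:10+00:00", "StopInstances", SET_PARAMS),
    make_event("2026-04-03T10:02:30+00:00", "ModifyInstanceAttribute", UD_PARAMS),
    make_event("2026-04-03T10:03:45+00:00", "StartInstances", SET_PARAMS),
    # The same sequence from the allowlisted automation agent is suppressed as benign noise
    make_event("2026-04-03T10:11:00+00:00", "StopInstances", SET_PARAMS, agent="example-automation-tool/1.0"),
    make_event("2026-04-03T10:12:00+00:00", "ModifyInstanceAttribute", UD_PARAMS, agent="example-automation-tool/1.0"),
    make_event("2026-04-03T10:13:00+00:00", "StartInstances", SET_PARAMS, agent="example-automation-tool/1.0"),
]
```

Note that fixed 5-minute buckets are not a sliding window: a sequence that straddles a bucket boundary (for example 10:04:50 to 10:05:10) is split across two buckets and will not reach the count of three.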
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Instance
ATT&CK Techniques
- T1059
- T1059.009
- T1578
Created: 2026-04-03