AWS EC2 Startup Shell Script Change

Sigma Rules

Summary
This detection rule identifies changes to the startup shell script (user data) of AWS EC2 instances by monitoring AWS CloudTrail. It matches the `ModifyInstanceAttribute` event from the `ec2.amazonaws.com` event source where the modified attribute is `userData`. Because user data runs with root/SYSTEM privileges when the instance boots, an unauthorized change to it can be an attempt to execute shell commands or scripts on the instance and may indicate malicious activity. Given the impact of such changes, this detection helps security teams track and respond to potential configuration tampering and escalate incidents based on the observed behavior.
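The selection logic described above, applied to a few constructed CloudTrail records (this is an added example, not the rule's own content or any vendor code). It assumes the flattened CloudTrail field layout that Sigma rules for AWS commonly use (`eventSource`, `eventName`, `requestParameters.attribute`); the instance IDs, user names and IP addresses are made up.

```python
"""Match AWS CloudTrail records against the EC2 user-data change detection."""
import json
from typing import Iterable

# Constructed sample CloudTrail records (not real log data).
# Only the first one should match: EC2 ModifyInstanceAttribute on userData.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "attribute": "userData", "value": "<base64 omitted>"}},
    {"eventTime": "2024-01-10T12:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "attribute": "instanceType", "value": "t3.large"}},
    {"eventTime": "2024-01-10T12:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0"}},
]


def is_userdata_change(event: dict) -> bool:
    """True when the record is an EC2 ModifyInstanceAttribute call on userData."""
    params = event.get("requestParameters") or {}   # tolerate records without it
    return (event.get("eventSource") == "ec2.amazonaws.com"
            and event.get("eventName") == "ModifyInstanceAttribute"
            and params.get("attribute") == "userData")


def scan(events: Iterable[dict]) -> list[dict]:
    """Return a compact triage record for every matching event."""
    alerts = []
    for ev in events:
        if not is_userdata_change(ev):
            continue
        ident = ev.get("userIdentity") or {}
        alerts.append({
            "time": ev.get("eventTime"),
            "instance": (ev.get("requestParameters") or {}).get("instanceId"),
            "actor": ident.get("arn") or ident.get("userName") or ident.get("type"),
            "source_ip": ev.get("sourceIPAddress"),
            "region": ev.get("awsRegion"),
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Each alert carries who changed the user data, from where, and on which instance, which is what an analyst needs to decide whether the change was an authorized deployment or tampering.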
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Cloud Storage
Created: 2020-02-12