AWS SageMaker Notebook Lifecycle Configuration With Suspicious Script Content

Last updated: 2026-06-29
Created: 2026-06-29

About

Identifies an Amazon SageMaker notebook lifecycle configuration whose OnStart or OnCreate script, after base64 decoding, contains patterns associated with malicious activity such as reverse shells, EC2 instance metadata (IMDS) credential access, or download-and-execute commands. A lifecycle configuration runs as root on the notebook instance, so a script with these patterns is a strong indicator of an attempt to backdoor the notebook, steal the execution role's credentials, or establish persistent code execution. This rule decodes the script in the request and matches high-signal indicators; it is a higher-fidelity companion to the rule that alerts on any lifecycle configuration change.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS SageMaker
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
Language: esql
Severity
high
Risk Score
73
MITRE ATT&CK™

Persistence (TA0003)

Execution (TA0002)

False Positive Examples
Legitimate setup scripts may reference metadata endpoints or download tooling. Review the decoded script in "Esql_priv.aws_cloudtrail_lifecycle_script", verify the principal in "aws.cloudtrail.user_identity.arn", and confirm the activity is approved. Note that this rule only matches unobfuscated patterns; a clean result does not guarantee a benign script.
License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

aws

Query
```esql
FROM logs-aws.cloudtrail-* METADATA _id, _version, _index
| WHERE event.provider == "sagemaker.amazonaws.com"
    AND event.action IN ("CreateNotebookInstanceLifecycleConfig", "UpdateNotebookInstanceLifecycleConfig")
    AND event.outcome == "success"
    AND aws.cloudtrail.user_identity.type != "AWSService"
| GROK aws.cloudtrail.request_parameters "[Cc]ontent=(?<script_b64>[A-Za-z0-9+/=]+)"
| EVAL Esql_priv.aws_cloudtrail_lifecycle_script = FROM_BASE64(script_b64)
| WHERE TO_LOWER(Esql_priv.aws_cloudtrail_lifecycle_script) RLIKE """.*(/dev/tcp/|/dev/udp/|bash -i|sh -i|nc -e|ncat |socat |mkfifo|169\.254\.169\.254|/latest/meta-data/|/latest/api/token|\| ?sh|\| ?bash|base64 -d|import socket|pty\.spawn|perl -e|ruby -rsocket|php -r|xmrig|minerd|stratum\+|authorized_keys|/etc/cron|crontab ).*"""
| KEEP _id, _version, _index, @timestamp, aws.*, cloud.*, event.*, source.*, user.*, user_agent.*, Esql_priv.aws_cloudtrail_lifecycle_script
```
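As an added example (not part of the rule or of Elastic's code), the following Python reproduces the query's filter, GROK and RLIKE stages over constructed CloudTrail events, so the indicator list can be exercised against sample scripts offline. The flattened `onStart=[{content=...}]` request-parameter layout, the field names and the sample scripts are assumptions based on the GROK pattern, not values from the page.

```python
import base64
import re
# Constants mirroring the rule's WHERE clause and its RLIKE alternatives (matched on the lowercased script).
LIFECYCLE_ACTIONS = {"CreateNotebookInstanceLifecycleConfig", "UpdateNotebookInstanceLifecycleConfig"}
INDICATOR_RE = re.compile(
    r"(/dev/tcp/|/dev/udp/|bash -i|sh -i|nc -e|ncat |socat |mkfifo|169\.254\.169\.254"
    r"|/latest/meta-data/|/latest/api/token|\| ?sh|\| ?bash|base64 -d|import socket"
    r"|pty\.spawn|perl -e|ruby -rsocket|php -r|xmrig|minerd|stratum\+|authorized_keys"
    r"|/etc/cron|crontab )"
)
# Equivalent of the rule's GROK step: the base64 blob that follows "Content=" / "content=".
CONTENT_RE = re.compile(r"[Cc]ontent=(?P<script_b64>[A-Za-z0-9+/=]+)")

def decode_lifecycle_script(request_parameters: str):
    """Return the decoded OnStart/OnCreate script, or None when no decodable Content= blob is present."""
    m = CONTENT_RE.search(request_parameters)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("script_b64"), validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error (bad padding / characters) is a ValueError subclass
        return None

def evaluate(event: dict) -> list:
    """Apply the rule to one flattened CloudTrail event; return the matched indicators ([] means no alert)."""
    if (event.get("event.provider") != "sagemaker.amazonaws.com"
            or event.get("event.action") not in LIFECYCLE_ACTIONS
            or event.get("event.outcome") != "success"
            or event.get("aws.cloudtrail.user_identity.type") == "AWSService"):
        return []
    script = decode_lifecycle_script(event.get("aws.cloudtrail.request_parameters", ""))
    if script is None:
        return []
    return sorted({m.group(0) for m in INDICATOR_RE.finditer(script.lower())})

def make_event(script: str, identity_type: str = "IAMUser") -> dict:
    """Constructed sample event (not a real log) in the flattened form the rule's GROK pattern expects."""
    b64 = base64.b64encode(script.encode()).decode()
    return {
        "event.provider": "sagemaker.amazonaws.com",
        "event.action": "UpdateNotebookInstanceLifecycleConfig",
        "event.outcome": "success",
        "aws.cloudtrail.user_identity.type": identity_type,
        "aws.cloudtrail.request_parameters": "{notebookInstanceLifecycleConfigName=nb-lc-example, onStart=[{content=" + b64 + "}]}",
    }

# Constructed scripts: a benign package install, and one that reads the instance metadata endpoint the rule lists.
BENIGN_SCRIPT = "#!/bin/bash\npip install --upgrade jupyterlab\n"
IMDS_SCRIPT = "#!/bin/bash\ncurl -s http://169.254.169.254/latest/meta-data/ > /tmp/md.txt\n"
```

The same IMDS script submitted with user identity type "AWSService" yields no match, which shows the identity filter rather than the script content deciding that case.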

Install detection rules in Elastic Security

Detect AWS SageMaker Notebook Lifecycle Configuration With Suspicious Script Content in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.