Anomalous Cloud Compute Instance Creation by Unseen User
Detection of cloud compute instance creation by a user with no prior history of creating instances, potentially indicating unauthorized access, account compromise, or misuse of cloud resources leading to data exfiltration, increased costs, or further exploitation.
This analytic detects the creation of cloud compute instances by users who have not previously created them within the monitored environment. The detection leverages cloud infrastructure logs to identify 'create' actions and cross-references them with a baseline of known user activities. This activity is flagged as anomalous due to the deviation from established user behavior. The alert logic focuses on deviations from established cloud compute instance creation patterns, specifically looking for instances created by users absent from a baseline of known creators within the last 24 hours. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts.
Attack Chain
- Initial Access: An attacker gains access to a cloud account, potentially through compromised credentials or other means.
- Privilege Escalation (if needed): The attacker may attempt to escalate privileges within the cloud environment to gain the necessary permissions to create compute instances.
- Instance Creation: The attacker uses the compromised account to create a new cloud compute instance within the organization's cloud infrastructure.
- Resource Provisioning: The attacker configures the newly created instance, potentially installing malicious software or tools.
- Lateral Movement (optional): The attacker may use the new instance as a launching point for lateral movement within the cloud environment or to other connected networks.
- Data Exfiltration or Malicious Activity: The attacker utilizes the compute instance for malicious purposes, such as data exfiltration, cryptomining, or launching attacks against other systems.
- Persistence: The attacker may attempt to establish persistence within the new instance to maintain access even if the initial compromise is detected.
Impact
A successful attack can lead to the deployment of unauthorized compute instances, resulting in potential data exfiltration, increased cloud costs due to resource usage, and further exploitation within the cloud environment. The creation of unauthorized instances can also facilitate cryptomining activities, further increasing costs and potentially impacting performance. If undetected, attackers may use the compromised account and new cloud resources for prolonged periods, causing substantial damage and financial losses.
Recommendation
- Run the "Previously Seen Cloud Compute Creations By User" support search as documented in the alert's "How To Implement" section to establish a baseline of authorized users. This step is critical for proper rule function.
- Deploy the Sigma rule
Cloud Compute Instance Created By Previously Unseen Userto your SIEM and tune the 24-hour threshold based on your environment's specific user onboarding and resource provisioning practices. - Investigate any alerts generated by the Sigma rule by verifying with the user that the compute instance creation was authorized and intended.
- Monitor AWS CloudTrail logs for any unusual or suspicious activity related to compute instance creation, modification, or deletion, as these events are critical for detecting this type of attack.
Detection coverage 2
Cloud Compute Instance Created By Previously Unseen User
highDetects the creation of cloud compute instances by users who have not previously created them, indicating potential unauthorized access or compromised accounts.
Cloud Compute Instance Creation - Unusual Region
mediumDetects the creation of cloud compute instances in a region that a user has not previously used, potentially indicating compromised accounts or malicious activity.
Detection queries are available on the platform. Get full rules →