Skip to content
Threat Feed
medium advisory

Unusual EC2 Instance Creation with Unseen Instance Type

An attacker may create new EC2 instances with previously unseen instance types, indicating potential unauthorized or suspicious activity such as cryptomining or data exfiltration.

This analytic detects the creation of EC2 instances with previously unseen instance types. It is based on monitoring AWS CloudTrail logs and identifying instance types that have not been previously recorded in a lookup table. This activity is significant because it can indicate that an attacker is attempting to create instances for malicious purposes, such as cryptomining, deploying unauthorized applications, or staging data exfiltration. The technique relies on the attacker gaining access to an AWS account, either through compromised credentials or by exploiting misconfigurations. A successful attack could lead to unauthorized access, data exfiltration, system compromise, or service disruption.

Attack Chain

  1. Initial access to the AWS environment through compromised credentials or an exposed API key (T1578.002).
  2. The attacker attempts to enumerate existing EC2 instances to understand the current infrastructure.
  3. The attacker launches a new EC2 instance using a previously unseen instance type. This could be a specialized instance optimized for GPU processing or a type that is not typically used in the victim's environment.
  4. The attacker configures the new instance, potentially installing malicious software or configuring network access.
  5. The attacker uses the newly created instance to perform cryptomining or other compute-intensive tasks.
  6. Alternatively, the attacker uses the instance as a staging ground for data exfiltration or lateral movement within the cloud environment.
  7. The attacker attempts to cover their tracks by deleting CloudTrail logs or disabling monitoring (unlikely given CloudTrail immutability, but attempted).

Impact

A successful attack can lead to unauthorized resource consumption, with the attacker using the compromised AWS account for cryptomining, costing the victim money. The attacker can also use the instance to perform other malicious activities, such as data exfiltration or launching attacks against other systems. The number of victims depends on the scope of the access the attacker gains and the effectiveness of the security controls in place.

Recommendation

  • Run the baseline searches Previously Seen Cloud Compute Instance Types - Initial and Previously Seen Cloud Compute Instance Types - Update to build and maintain a lookup table of known instance types as described in the "how_to_implement" section.
  • Deploy the Sigma rule Detect EC2 Instance Creation With Previously Unseen Instance Type to detect the creation of EC2 instances with previously unseen instance types.
  • Investigate any alerts generated by the Sigma rule, focusing on the user account and the purpose of the newly created instance.
  • Enable multi-factor authentication (MFA) for all AWS accounts to prevent credential compromise (T1578.002).

Detection coverage 2

Detect EC2 Instance Creation With Previously Unseen Instance Type

medium

Detects EC2 instances being created with previously unseen instance types, which may indicate suspicious or malicious activity.

sigma tactics: resource_development techniques: T1578.002 sources: cloudtrail, aws

Detect Root User EC2 Instance Creation With Previously Unseen Instance Type

high

Detects EC2 instances being created with previously unseen instance types by the root user, which may indicate suspicious or malicious activity.

sigma tactics: resource_development techniques: T1578.002 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →