Unusual EC2 Instance Creation with Unseen Instance Type
An attacker may create new EC2 instances with previously unseen instance types, indicating potential unauthorized or suspicious activity such as cryptomining or data exfiltration.
This analytic detects the creation of EC2 instances with previously unseen instance types. It is based on monitoring AWS CloudTrail logs and identifying instance types that have not been previously recorded in a lookup table. This activity is significant because it can indicate that an attacker is attempting to create instances for malicious purposes, such as cryptomining, deploying unauthorized applications, or staging data exfiltration. The technique relies on the attacker gaining access to an AWS account, either through compromised credentials or by exploiting misconfigurations. A successful attack could lead to unauthorized access, data exfiltration, system compromise, or service disruption.
Attack Chain
- Initial access to the AWS environment through compromised credentials or an exposed API key (T1578.002).
- The attacker attempts to enumerate existing EC2 instances to understand the current infrastructure.
- The attacker launches a new EC2 instance using a previously unseen instance type. This could be a specialized instance optimized for GPU processing or a type that is not typically used in the victim's environment.
- The attacker configures the new instance, potentially installing malicious software or configuring network access.
- The attacker uses the newly created instance to perform cryptomining or other compute-intensive tasks.
- Alternatively, the attacker uses the instance as a staging ground for data exfiltration or lateral movement within the cloud environment.
- The attacker attempts to cover their tracks by deleting CloudTrail logs or disabling monitoring (unlikely given CloudTrail immutability, but attempted).
Impact
A successful attack can lead to unauthorized resource consumption, with the attacker using the compromised AWS account for cryptomining, costing the victim money. The attacker can also use the instance to perform other malicious activities, such as data exfiltration or launching attacks against other systems. The number of victims depends on the scope of the access the attacker gains and the effectiveness of the security controls in place.
Recommendation
- Run the baseline searches
Previously Seen Cloud Compute Instance Types - InitialandPreviously Seen Cloud Compute Instance Types - Updateto build and maintain a lookup table of known instance types as described in the "how_to_implement" section. - Deploy the Sigma rule
Detect EC2 Instance Creation With Previously Unseen Instance Typeto detect the creation of EC2 instances with previously unseen instance types. - Investigate any alerts generated by the Sigma rule, focusing on the user account and the purpose of the newly created instance.
- Enable multi-factor authentication (MFA) for all AWS accounts to prevent credential compromise (T1578.002).
Detection coverage 2
Detect EC2 Instance Creation With Previously Unseen Instance Type
mediumDetects EC2 instances being created with previously unseen instance types, which may indicate suspicious or malicious activity.
Detect Root User EC2 Instance Creation With Previously Unseen Instance Type
highDetects EC2 instances being created with previously unseen instance types by the root user, which may indicate suspicious or malicious activity.
Detection queries are available on the platform. Get full rules →