# Launch EC2 instance with Malicious AMI
Platform | Author | Last Update |
---|---|---|
aws | Mehmet Mert Surmeli | 2023-07-01 |
A threat actor may attempt to launch an EC2 instance from a malicious AMI (an image that is backdoored, pre-seeded with credentials or tooling, or simply not one the organisation built), persisting in the account as an apparently ordinary host.
## MITRE IDs

## Required Permissions

- ec2:RunInstances
## Required Parameters

Name | Type | Description | Example Value |
---|---|---|---|
imageid | str | Id of the malicious AMI | ami-0abcdef1234567890 |
instancetype | str | The instance type | t2.micro |
keyname | str | The name of the key pair used for SSH access to the instance | MyKeyPair |
subnetid | str | Id of the subnet in which the instance is launched | subnet-0abcdef1234567890 |
maxcount | int | The maximum number of instances to launch (the CLI's `--count 1` sets min and max together; `--count min:max` sets them separately) | 1 |
mincount | int | The minimum number of instances to launch | 1 |
## Attacker Action

```bash
aws ec2 run-instances \
  --image-id ami-0abcdef1234567890 \
  --instance-type t2.micro \
  --key-name MyKeyPair \
  --subnet-id subnet-0abcdef1234567890 \
  --count 1
```
## Detection Case

### ELK query

When CloudTrail logs are ingested into ELK, the following Lucene query identifies `RunInstances` calls. CloudTrail records the EC2 API source as `ec2.amazonaws.com` with no region prefix, so match it exactly rather than with a leading wildcard (a pattern such as `*.ec2.amazonaws.com` requires a dot before `ec2` and would not match):

```
eventName:RunInstances AND eventSource:"ec2.amazonaws.com"
```

Every instance launch matches this query. To single out launches from an unknown image, also inspect `requestParameters.instancesSet.items.imageId` in the matching events and compare it against the account's list of approved AMIs.
### Sigma Definition

```yaml
---
title: Launch EC2 instance with Malicious AMI
id: 645c19fa-b7dd-4679-853d-c64335200312
status: experimental
author: Mehmet Mert Surmeli
date: 2023-07-01
description: A threat actor may attempt to launch an EC2 instance from a malicious AMI.
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: 'ec2.amazonaws.com'
    events:
        eventName: 'RunInstances'
    condition: selection_source and events
falsepositives:
    - Legitimate instance launches; every RunInstances call matches, so enrich with the requested imageId before alerting
level: low
tags:
    - attack.T1059
```
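The rule above fires on every `RunInstances` call, so in practice it is a filter to enrich rather than an alert on its own. The following is an added example, not code from the original page or its author: it applies the Sigma selection (exact `eventSource` and `eventName` match) to a few CloudTrail records in Python and then adds the check a practitioner would want, comparing the requested `imageId` against an approved-AMI allowlist. The record layout follows CloudTrail's `RunInstances` event (`requestParameters.instancesSet.items[].imageId`); the sample records, the principal ARNs and the `APPROVED_AMIS` set are constructed for illustration.

```python
"""Flag RunInstances calls whose AMI is not on an allowlist, over CloudTrail records.

Added example. SAMPLE_RECORDS are constructed, not real log data; their field
layout follows CloudTrail's RunInstances event. APPROVED_AMIS is a hypothetical
allowlist of organisation-built images.
"""
from __future__ import annotations

import json
from typing import Iterable

# Constructed sample CloudTrail records (not real log data).
# 1: launch from an AMI that is not on the allowlist (the case this page describes)
# 2: launch from an approved image (legitimate, should not be reported)
# 3: an EC2 call that is not RunInstances
# 4: a call to a different service
SAMPLE_RECORDS = [
    {
        "eventTime": "2023-07-01T10:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/attacker"},
        "requestParameters": {
            "instancesSet": {"items": [{"imageId": "ami-0abcdef1234567890",
                                        "minCount": 1, "maxCount": 1}]},
            "instanceType": "t2.micro",
            "subnetId": "subnet-0abcdef1234567890",
        },
    },
    {
        "eventTime": "2023-07-01T10:05:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deployer"},
        "requestParameters": {
            "instancesSet": {"items": [{"imageId": "ami-0golden00000000001",
                                        "minCount": 1, "maxCount": 1}]},
            "instanceType": "t3.small",
        },
    },
    {
        "eventTime": "2023-07-01T10:06:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/attacker"},
        "requestParameters": {},
    },
    {
        "eventTime": "2023-07-01T10:07:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/attacker"},
    },
]

# Hypothetical allowlist of AMIs the organisation builds and trusts.
APPROVED_AMIS = {"ami-0golden00000000001"}


def matches_sigma_selection(record: dict) -> bool:
    """The Sigma rule's selection: exact eventSource and eventName match."""
    return (record.get("eventSource") == "ec2.amazonaws.com"
            and record.get("eventName") == "RunInstances")


def image_ids(record: dict) -> list[str]:
    """AMIs requested in a RunInstances call (requestParameters.instancesSet.items[].imageId)."""
    items = (record.get("requestParameters", {})
                   .get("instancesSet", {})
                   .get("items", []))
    return [item["imageId"] for item in items if "imageId" in item]


def find_unapproved_launches(records: Iterable[dict], approved: set[str]) -> list[dict]:
    """One finding per RunInstances call that requested an AMI outside the allowlist."""
    findings = []
    for record in records:
        if not matches_sigma_selection(record):
            continue
        for ami in image_ids(record):
            if ami not in approved:
                findings.append({
                    "time": record.get("eventTime"),
                    "principal": record.get("userIdentity", {}).get("arn"),
                    "imageId": ami,
                    "instanceType": record.get("requestParameters", {}).get("instanceType"),
                })
    return findings


if __name__ == "__main__":
    # A CloudTrail log file is a JSON object {"Records": [...]}; feed its list in.
    log_file = json.dumps({"Records": SAMPLE_RECORDS})
    for finding in find_unapproved_launches(json.loads(log_file)["Records"], APPROVED_AMIS):
        print(json.dumps(finding))
```

Running it reports only the first record: the launch from `ami-0abcdef1234567890` by `user/attacker`. The approved launch, the `DescribeInstances` call and the STS call are all dropped, the first by the allowlist and the other two by the Sigma selection. An allowlist keyed on image ID is the simplest form of this check; a tighter variant resolves each image's owner account via `DescribeImages` and rejects images not owned by the organisation's image-build account.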