Create an EC2 instance¶
| Platform | Author | Last Update |
|---|---|---|
| aws | Anela Tiro | 2023-07-01 |
An adversary may attempt to launch EC2 instances, especially in unused regions, in order to cryptomine. For realism, this should ideally be launched with a malicious AMI in a region the organization does not typically deploy resources.
MITRE IDs¶
Required Permissions¶
- ec2:RunInstances
- ec2:DescribeSubnets
- ec2:CreateTags
- ec2:CreateSecurityGroup
- ec2:AuthorizeSecurityGroupIngress
- ec2:CreateKeyPair
Required Parameters¶
| Name | Type | Description | Example Value |
|---|---|---|---|
| imageid | str | AMI ID | AMI_ID |
| instancetype | str | instance type | instance_type |
Attacker Action¶
aws ec2 run-instances --image-id AMI_ID --instance-type instance_type --region
Detection Case¶
ELK query¶
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:RunInstances AND eventSource:*.ec2.amazonaws.com
Sigma Definition¶
---
title: Create an EC2 instance
id: testing
status: experimental
author: Anela Tiro
date: 2023-07-01
description: An adversary may attempt to launch EC2 instances, especially in unused regions, in order to cryptomine. For realism, this should ideally be launched with a malicious AMI in a region the organization does not typically deploy resources.
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: "*.ec2.amazonaws.com"
events:
- eventName: "RunInstances"
condition: selection_source AND events
level: low
tags:
- attack.T1535