hunting/aws/docs/ec2_high_instance_deployment_count_attempts.md

# High EC2 Instance Deployment Count Attempts by Single User or Role

---

## Metadata

- **Author:** Elastic
- **Description:** This hunting query identifies when a user makes EC2 `RunInstances` API calls with a high instance deployment count within a 7-day window. The `RunInstances` API call launches one or more instances in a specified subnet. High instance deployment counts may indicate an adversary attempting to deploy a large number of instances for cryptomining or other malicious activities. This may also aid in identifying potential resource abuse or misconfigurations.

- **UUID:** `c3d24ae8-655d-11ef-a990-f661ea17fbcc`
- **Integration:** [aws.cloudtrail](https://docs.elastic.co/integrations/aws/cloudtrail)
- **Language:** `[ES|QL]`
- **Source File:** [High EC2 Instance Deployment Count Attempts by Single User or Role](../queries/ec2_high_instance_deployment_count_attempts.toml)

## Query

```sql
from logs-aws.cloudtrail-*
| where @timestamp > now() - 7 day
| where
    event.dataset == "aws.cloudtrail"
    and event.provider == "ec2.amazonaws.com"
    and event.action == "RunInstances"
    and aws.cloudtrail.request_parameters RLIKE ".*minCount.*maxCount.*"
| eval date = DATE_FORMAT("YYYY-mm-dd", @timestamp)
| dissect aws.cloudtrail.request_parameters "%{}subnetId=%{subnet_id},"
| dissect aws.cloudtrail.request_parameters "%{}minCount=%{min_count},"
| dissect aws.cloudtrail.request_parameters "%{}maxCount=%{max_count}}]},"
| dissect aws.cloudtrail.request_parameters "%{}instanceType=%{instance_type},"
| stats
    target_instance_count = sum(to_integer(max_count) - to_integer(min_count) + 1),
    user_attempts = count(*) by user.name, date, subnet_id, instance_type, event.outcome
| where target_instance_count >= 10
```

## Notes

- Use the `aws.cloudtrail.user_identity.arn` field to identify the user making the requests and their role permissions
- Review `cloud.region` to identify the regions where the `RunInstances` API calls were made
- `subnet_id` should be reviewed to identify the subnet where the instances are being deployed but can also help pivot and narrow down the scope of further queries
- `instance_type` should be reviewed to identify the type of instances being deployed. Cryptomining campaigns often deploy specific instance types to maximize mining efficiency

## MITRE ATT&CK Techniques

- [T1578.002](https://attack.mitre.org/techniques/T1578/002)

## License

- `Elastic License v2`
[New Hunt] Add AWS Hunting Queries to Shared Hunting Library (#3988 ) 2024-09-04 10:08:44 -04:00			`# High EC2 Instance Deployment Count Attempts by Single User or Role`

			`---`

			`## Metadata`

			`- Author: Elastic`
			- Description: This hunting query identifies when a user makes EC2 `RunInstances` API calls with a high instance deployment count within a 7-day window. The `RunInstances` API call launches one or more instances in a specified subnet. High instance deployment counts may indicate an adversary attempting to deploy a large number of instances for cryptomining or other malicious activities. This may also aid in identifying potential resource abuse or misconfigurations.

			- UUID: `c3d24ae8-655d-11ef-a990-f661ea17fbcc`
			`- Integration: [aws.cloudtrail](https://docs.elastic.co/integrations/aws/cloudtrail)`
			- Language: `[ES\|QL]`
			`- Source File: [High EC2 Instance Deployment Count Attempts by Single User or Role](../queries/ec2_high_instance_deployment_count_attempts.toml)`

			`## Query`

			```sql
			`from logs-aws.cloudtrail-*`
			`\| where @timestamp > now() - 7 day`
			`\| where`
			`event.dataset == "aws.cloudtrail"`
			`and event.provider == "ec2.amazonaws.com"`
			`and event.action == "RunInstances"`
			`and aws.cloudtrail.request_parameters RLIKE ".minCount.maxCount.*"`
			`\| eval date = DATE_FORMAT("YYYY-mm-dd", @timestamp)`
			`\| dissect aws.cloudtrail.request_parameters "%{}subnetId=%{subnet_id},"`
			`\| dissect aws.cloudtrail.request_parameters "%{}minCount=%{min_count},"`
			`\| dissect aws.cloudtrail.request_parameters "%{}maxCount=%{max_count}}]},"`
			`\| dissect aws.cloudtrail.request_parameters "%{}instanceType=%{instance_type},"`
			`\| stats`
			`target_instance_count = sum(to_integer(max_count) - to_integer(min_count) + 1),`
			`user_attempts = count(*) by user.name, date, subnet_id, instance_type, event.outcome`
			`\| where target_instance_count >= 10`
			```

			`## Notes`

			- Use the `aws.cloudtrail.user_identity.arn` field to identify the user making the requests and their role permissions
			- Review `cloud.region` to identify the regions where the `RunInstances` API calls were made
			- `subnet_id` should be reviewed to identify the subnet where the instances are being deployed but can also help pivot and narrow down the scope of further queries
			- `instance_type` should be reviewed to identify the type of instances being deployed. Cryptomining campaigns often deploy specific instance types to maximize mining efficiency

			`## MITRE ATT&CK Techniques`

			`- [T1578.002](https://attack.mitre.org/techniques/T1578/002)`

			`## License`

			- `Elastic License v2`