sigma-rules/hunting/aws/docs/ec2_high_instance_deployment_count_attempts.md
Terrance DeJesus ba58a1e7cc [New Hunt] Add AWS Hunting Queries to Shared Hunting Library (#3988)
* new hunt queries for aws

* sendcommand and getuserpassword queries

* s3 bucket access and secrets manager requests added

* ssm start session and service logging deleted added

* adding federated authentication queries

* added ec2 modify instance attribute query

* adding backdoor role creation query

* 2 new queries for discovery; added lookback windows

* added new hunting query for IAM activity with no MFA session

* added missing time windows

* adding new query for lambda add permissions

* adjusted query format

* added new query for ec2 instance deployment anomalies

* updated queries based on feedback; regenerated docs

* fixed queries

* removed new rule
2024-09-04 10:08:44 -04:00

High EC2 Instance Deployment Count Attempts by Single User or Role


Metadata

  • Author: Elastic

  • Description: This hunting query identifies when a user makes EC2 RunInstances API calls with a high instance deployment count within a 7-day window. The RunInstances API call launches one or more instances in a specified subnet. High instance deployment counts may indicate an adversary attempting to deploy a large number of instances for cryptomining or other malicious activities. This may also aid in identifying potential resource abuse or misconfigurations.

  • UUID: c3d24ae8-655d-11ef-a990-f661ea17fbcc

  • Integration: aws.cloudtrail

  • Language: [ES|QL]

  • Source File: High EC2 Instance Deployment Count Attempts by Single User or Role

Query

from logs-aws.cloudtrail-*
| where @timestamp > now() - 7 day
| where
    event.dataset == "aws.cloudtrail"
    and event.provider == "ec2.amazonaws.com"
    and event.action == "RunInstances"
    and aws.cloudtrail.request_parameters RLIKE ".*minCount.*maxCount.*"
// DATE_FORMAT uses Java-style patterns: "MM" is month-of-year and "yyyy" the calendar year
// ("mm" would be minute-of-hour, which breaks the per-day bucketing)
| eval date = DATE_FORMAT("yyyy-MM-dd", @timestamp)
| dissect aws.cloudtrail.request_parameters "%{}subnetId=%{subnet_id},"
| dissect aws.cloudtrail.request_parameters "%{}minCount=%{min_count},"
| dissect aws.cloudtrail.request_parameters "%{}maxCount=%{max_count}}]},"
| dissect aws.cloudtrail.request_parameters "%{}instanceType=%{instance_type},"
| stats
    target_instance_count = sum(to_integer(max_count) - to_integer(min_count) + 1),
    user_attempts = count(*) by user.name, date, subnet_id, instance_type, event.outcome
| where target_instance_count >= 10
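To make the aggregation logic concrete, the following added example (not part of the original rule or the Elastic repository) re-implements the query's field extraction, 7-day window, per-day bucketing and threshold in plain Python over a handful of constructed CloudTrail-style events. The `request_parameters` strings, user names, subnet IDs and timestamps are all constructed; the flattened `{instancesSet={items=[{minCount=…, maxCount=…}]}, …}` layout is an assumption about the string the ES|QL `dissect` patterns are written against. Like ES|QL, a field whose pattern does not match becomes `None` and is still grouped, so a launch without a `subnetId` in the parameters surfaces with a `None` subnet rather than being dropped.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real CloudTrail data). The request_parameters
# string mimics the flattened form the query's dissect patterns expect.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-09-01T10:00:00Z", "user.name": "alice", "event.outcome": "success",
     "request_parameters": "{instancesSet={items=[{minCount=1, maxCount=8}]}, instanceType=p3.8xlarge, subnetId=subnet-0a1b2c3d, monitoringEnabled=false}"},
    {"@timestamp": "2024-09-01T11:30:00Z", "user.name": "alice", "event.outcome": "success",
     "request_parameters": "{instancesSet={items=[{minCount=1, maxCount=4}]}, instanceType=p3.8xlarge, subnetId=subnet-0a1b2c3d, monitoringEnabled=false}"},
    {"@timestamp": "2024-09-02T09:00:00Z", "user.name": "bob", "event.outcome": "success",
     "request_parameters": "{instancesSet={items=[{minCount=1, maxCount=1}]}, instanceType=t3.micro, subnetId=subnet-0ffffff0, monitoringEnabled=false}"},
    # A failed attempt still counts: the query groups by event.outcome rather than filtering on it.
    {"@timestamp": "2024-09-03T02:15:00Z", "user.name": "dave", "event.outcome": "failure",
     "request_parameters": "{instancesSet={items=[{minCount=10, maxCount=20}]}, instanceType=g5.12xlarge, subnetId=subnet-0deadbee, monitoringEnabled=false}"},
    # Older than the 7-day lookback, so excluded.
    {"@timestamp": "2024-08-20T08:00:00Z", "user.name": "carol", "event.outcome": "success",
     "request_parameters": "{instancesSet={items=[{minCount=1, maxCount=50}]}, instanceType=c5.large, subnetId=subnet-0c0ffee0, monitoringEnabled=false}"},
    # Constructed launch-template style call: counts present, no subnetId/instanceType in the parameters.
    {"@timestamp": "2024-09-03T12:00:00Z", "user.name": "erin", "event.outcome": "success",
     "request_parameters": "{instancesSet={items=[{minCount=1, maxCount=30}]}, launchTemplate={launchTemplateId=lt-0abc}, monitoringEnabled=false}"},
]

# Fixed "now" so the 7-day window is reproducible (assumption for the example).
NOW = datetime(2024, 9, 5, tzinfo=timezone.utc)

# Regex equivalents of the query's dissect patterns; each captures up to the
# delimiter the dissect pattern stops at.
PATTERNS = {
    "subnet_id": re.compile(r"subnetId=([^,]*),"),
    "min_count": re.compile(r"minCount=([^,]*),"),
    "max_count": re.compile(r"maxCount=([^}]*)}\]},"),
    "instance_type": re.compile(r"instanceType=([^,]*),"),
}


def parse_run_instances(params):
    """Return the four dissected fields, or None if the RLIKE prefilter fails.

    A field whose pattern does not match is set to None (dissect yields null),
    and min/max counts are converted to int only when present (to_integer).
    """
    if re.search(r".*minCount.*maxCount.*", params) is None:
        return None
    fields = {}
    for name, rx in PATTERNS.items():
        m = rx.search(params)
        fields[name] = m.group(1) if m else None
    for name in ("min_count", "max_count"):
        fields[name] = int(fields[name]) if fields[name] is not None else None
    return fields


def aggregate(events, now, lookback_days=7, threshold=10):
    """Mirror the stats/where stage: sum requested instances per
    (user, day, subnet, instance type, outcome) and keep groups >= threshold."""
    window_start = now - timedelta(days=lookback_days)
    groups = defaultdict(lambda: {"target_instance_count": 0, "user_attempts": 0})
    for ev in events:
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        if ts <= window_start:
            continue
        fields = parse_run_instances(ev["request_parameters"])
        if fields is None:
            continue
        key = (ev["user.name"], ts.strftime("%Y-%m-%d"), fields["subnet_id"],
               fields["instance_type"], ev["event.outcome"])
        g = groups[key]
        g["user_attempts"] += 1
        # sum() skips null terms, so only rows with both counts contribute.
        if fields["min_count"] is not None and fields["max_count"] is not None:
            g["target_instance_count"] += fields["max_count"] - fields["min_count"] + 1
    names = ("user", "date", "subnet_id", "instance_type", "outcome")
    return [dict(zip(names, k), **v) for k, v in groups.items()
            if v["target_instance_count"] >= threshold]


def run_hunt():
    """Run the sample through the full pipeline; returns the flagged groups."""
    return aggregate(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for row in run_hunt():
        print(row)
```

Running it flags alice (two calls on one day adding up to 12 instances), dave (a single failed request for 11) and erin (30 instances with `None` subnet and instance type); bob stays under the threshold and carol falls outside the window. The erin row is the caveat worth keeping in mind when triaging: a null `subnet_id` or `instance_type` in the results means the parameters did not carry those keys, not that the launch was small.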

Notes

  • Use the aws.cloudtrail.user_identity.arn field to identify the user making the requests and their role permissions.
  • Review cloud.region to identify the regions where the RunInstances API calls were made.
  • subnet_id should be reviewed to identify the subnet where the instances are being deployed; it can also serve as a pivot to narrow the scope of further queries.
  • instance_type should be reviewed to identify the type of instances being deployed. Cryptomining campaigns often deploy specific instance types to maximize mining efficiency.

MITRE ATT&CK Techniques

License

  • Elastic License v2