Suspicious AWS EC2 Compute Resource Deployments

Back


Id	9e457dc4-81f0-4d25-bc37-a5fa4a17946a
Rulename	Suspicious AWS EC2 Compute Resource Deployments
Description	This detection focused on Suspicious deployment of AWS EC2 resource (virtual machine) scale sets was detected. This behavior might indicate that the threat actor is deploying computing resources for cryptocurrency mining activities.This detection centers around identifying suspicious instances of AWS EC2 resource deployment, particularly scale sets. Such behavior raises concerns of potential threat actor involvement, potentially indicative of efforts to deploy computing resources for the purpose of cryptocurrency mining activities.
Severity	Medium
Tactics	Impact
Techniques	T1496
Required data connectors	AWS
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSEC2ComputeResourceDeployments.yaml
Version	1.0.1
Arm template	9e457dc4-81f0-4d25-bc37-a5fa4a17946a.json

KQL

// Retrieve AWS CloudTrail events generated within the last day
AWSCloudTrail
// Filter events related to instance creation
| where EventName =~ "RunInstances"
// Exclude events with error messages
| where isempty(ErrorMessage)
// Extract the event source type
| extend EventSourceSplit = split(EventSource, ".")
| extend Type = tostring(EventSourceSplit[0])
// Extract instance-related details from the event data
| extend instance = tostring(parse_json(RequestParameters).instanceType),platform = tostring(parse_json(ResponseElements).instancesSet.items[0].platform)
// Determine the operating system platform
| extend OSplatform = iff(isempty(platform), tostring("Linux"), platform),CPU = tostring(parse_json(ResponseElements).instancesSet.items[0].cpuOptions),core = toint(parse_json(ResponseElements).instancesSet.items[0].cpuOptions.coreCount),corThread = toint(parse_json(ResponseElements).instancesSet.items[0].cpuOptions.threadsPerCore),InstanceId = tostring(parse_json(ResponseElements).instancesSet.items[0].instanceId)
// Filter out instances with empty core values
| where isnotempty(core)
// Calculate the total compute based on core and thread counts
| extend totalCorecompute = core * corThread
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
  AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
// Summarize relevant information for analysis
| summarize Start= min(TimeGenerated),
  end=   max(TimeGenerated),
  totalgpu= sum(totalCorecompute)
  by SourceIpAddress, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityArn, UserAgent
// Filter results based on total GPU compute and time duration
| where totalgpu > 800
| where datetime_diff('hour', end, Start) < 8

YAML

customDetails:
  AWSUser: UserIdentityArn
  SourceIpAddress: SourceIpAddress
  UserAgent: UserAgent
id: 9e457dc4-81f0-4d25-bc37-a5fa4a17946a
query: |
  // Retrieve AWS CloudTrail events generated within the last day
  AWSCloudTrail
  // Filter events related to instance creation
  | where EventName =~ "RunInstances"
  // Exclude events with error messages
  | where isempty(ErrorMessage)
  // Extract the event source type
  | extend EventSourceSplit = split(EventSource, ".")
  | extend Type = tostring(EventSourceSplit[0])
  // Extract instance-related details from the event data
  | extend instance = tostring(parse_json(RequestParameters).instanceType),platform = tostring(parse_json(ResponseElements).instancesSet.items[0].platform)
  // Determine the operating system platform
  | extend OSplatform = iff(isempty(platform), tostring("Linux"), platform),CPU = tostring(parse_json(ResponseElements).instancesSet.items[0].cpuOptions),core = toint(parse_json(ResponseElements).instancesSet.items[0].cpuOptions.coreCount),corThread = toint(parse_json(ResponseElements).instancesSet.items[0].cpuOptions.threadsPerCore),InstanceId = tostring(parse_json(ResponseElements).instancesSet.items[0].instanceId)
  // Filter out instances with empty core values
  | where isnotempty(core)
  // Calculate the total compute based on core and thread counts
  | extend totalCorecompute = core * corThread
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
  // Summarize relevant information for analysis
  | summarize Start= min(TimeGenerated),
    end=   max(TimeGenerated),
    totalgpu= sum(totalCorecompute)
    by SourceIpAddress, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityArn, UserAgent
  // Filter results based on total GPU compute and time duration
  | where totalgpu > 800
  | where datetime_diff('hour', end, Start) < 8  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSEC2ComputeResourceDeployments.yaml
description: |
    'This detection focused on Suspicious deployment of AWS EC2 resource (virtual machine) scale sets was detected. This behavior might indicate that the threat actor is deploying computing resources for cryptocurrency mining activities.This detection centers around identifying suspicious instances of AWS EC2 resource deployment, particularly scale sets. Such behavior raises concerns of potential threat actor involvement, potentially indicative of efforts to deploy computing resources for the purpose of cryptocurrency mining activities.
name: Suspicious AWS EC2 Compute Resource Deployments
relevantTechniques:
- T1496
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  - identifier: CloudAppAccountId
    columnName: RecipientAccountId
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
queryFrequency: 1d
queryPeriod: 1d
version: 1.0.1
kind: Scheduled
tactics:
- Impact
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9e457dc4-81f0-4d25-bc37-a5fa4a17946a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9e457dc4-81f0-4d25-bc37-a5fa4a17946a')]",
      "properties": {
        "alertRuleTemplateName": "9e457dc4-81f0-4d25-bc37-a5fa4a17946a",
        "customDetails": {
          "AWSUser": "UserIdentityArn",
          "SourceIpAddress": "SourceIpAddress",
          "UserAgent": "UserAgent"
        },
        "description": "'This detection focused on Suspicious deployment of AWS EC2 resource (virtual machine) scale sets was detected. This behavior might indicate that the threat actor is deploying computing resources for cryptocurrency mining activities.This detection centers around identifying suspicious instances of AWS EC2 resource deployment, particularly scale sets. Such behavior raises concerns of potential threat actor involvement, potentially indicative of efforts to deploy computing resources for the purpose of cryptocurrency mining activities.\n",
        "displayName": "Suspicious AWS EC2 Compute Resource Deployments",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              },
              {
                "columnName": "RecipientAccountId",
                "identifier": "CloudAppAccountId"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSEC2ComputeResourceDeployments.yaml",
        "query": "// Retrieve AWS CloudTrail events generated within the last day\nAWSCloudTrail\n// Filter events related to instance creation\n| where EventName =~ \"RunInstances\"\n// Exclude events with error messages\n| where isempty(ErrorMessage)\n// Extract the event source type\n| extend EventSourceSplit = split(EventSource, \".\")\n| extend Type = tostring(EventSourceSplit[0])\n// Extract instance-related details from the event data\n| extend instance = tostring(parse_json(RequestParameters).instanceType),platform = tostring(parse_json(ResponseElements).instancesSet.items[0].platform)\n// Determine the operating system platform\n| extend OSplatform = iff(isempty(platform), tostring(\"Linux\"), platform),CPU = tostring(parse_json(ResponseElements).instancesSet.items[0].cpuOptions),core = toint(parse_json(ResponseElements).instancesSet.items[0].cpuOptions.coreCount),corThread = toint(parse_json(ResponseElements).instancesSet.items[0].cpuOptions.threadsPerCore),InstanceId = tostring(parse_json(ResponseElements).instancesSet.items[0].instanceId)\n// Filter out instances with empty core values\n| where isnotempty(core)\n// Calculate the total compute based on core and thread counts\n| extend totalCorecompute = core * corThread\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\n| extend AccountName = case( UserIdentityPrincipalid == \"Anonymous\", \"Anonymous\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\n| extend AccountName = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 0)[0]), AccountName),\n  AccountUPNSuffix = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 1)[0]), \"\")\n// Summarize relevant information for analysis\n| summarize Start= min(TimeGenerated),\n  end=   max(TimeGenerated),\n  totalgpu= sum(totalCorecompute)\n  by SourceIpAddress, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityArn, UserAgent\n// Filter results based on total GPU compute and time duration\n| where totalgpu > 800\n| where datetime_diff('hour', end, Start) < 8\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1496"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}