Unauthorized EC2 Instance Setup Attempt
| Id | f7210a45-12a4-4d02-b59e-f23476827a4b |
| Rulename | Unauthorized EC2 Instance Setup Attempt |
| Description | A User without access tried to Run an Instance. It might be to launch a malicious Instance in AWS subscription. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-launch-unusual-instances/ |
| Severity | Medium |
| Tactics | ResourceDevelopment |
| Techniques | T1583 |
| Required data connectors | AWS |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UnauthorizedInstanceSetUpAttempt.yaml |
| Version | 1.0.0 |
| Arm template | f7210a45-12a4-4d02-b59e-f23476827a4b.json |
AWSCloudTrail
| where EventName == "RunInstances"
| where ErrorCode == "Client.UnauthorizedOperation"
| project TimeGenerated, AwsEventId, EventTypeName, UserIdentityPrincipalid, UserIdentityType, UserIdentityAccountId, SessionMfaAuthenticated, SessionCreationDate, SessionIssuerUserName, SourceIpAddress, AWSRegion, UserAgent, RequestParameters, ErrorMessage
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]
status: Available
queryPeriod: 10m
version: 1.0.0
id: f7210a45-12a4-4d02-b59e-f23476827a4b
tactics:
- ResourceDevelopment
description: |
'A User without access tried to Run an Instance. It might be to launch a malicious Instance in AWS subscription. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-launch-unusual-instances/'
queryFrequency: 10m
triggerThreshold: 0
name: Unauthorized EC2 Instance Setup Attempt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UnauthorizedInstanceSetUpAttempt.yaml
query: |
AWSCloudTrail
| where EventName == "RunInstances"
| where ErrorCode == "Client.UnauthorizedOperation"
| project TimeGenerated, AwsEventId, EventTypeName, UserIdentityPrincipalid, UserIdentityType, UserIdentityAccountId, SessionMfaAuthenticated, SessionCreationDate, SessionIssuerUserName, SourceIpAddress, AWSRegion, UserAgent, RequestParameters, ErrorMessage
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]
kind: Scheduled
severity: Medium
entityMappings:
- fieldMappings:
- columnName: Name
identifier: Name
- columnName: UpnSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: SourceIpAddress
identifier: Address
entityType: IP
relevantTechniques:
- T1583
requiredDataConnectors:
- connectorId: AWS
dataTypes:
- AWSCloudTrail
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f7210a45-12a4-4d02-b59e-f23476827a4b')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f7210a45-12a4-4d02-b59e-f23476827a4b')]",
"properties": {
"alertRuleTemplateName": "f7210a45-12a4-4d02-b59e-f23476827a4b",
"customDetails": null,
"description": "'A User without access tried to Run an Instance. It might be to launch a malicious Instance in AWS subscription. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-launch-unusual-instances/'\n",
"displayName": "Unauthorized EC2 Instance Setup Attempt",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UpnSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UnauthorizedInstanceSetUpAttempt.yaml",
"query": "AWSCloudTrail\n| where EventName == \"RunInstances\"\n| where ErrorCode == \"Client.UnauthorizedOperation\"\n| project TimeGenerated, AwsEventId, EventTypeName, UserIdentityPrincipalid, UserIdentityType, UserIdentityAccountId, SessionMfaAuthenticated, SessionCreationDate, SessionIssuerUserName, SourceIpAddress, AWSRegion, UserAgent, RequestParameters, ErrorMessage\n| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, \":\") + 1)\n| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]\n",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"ResourceDevelopment"
],
"techniques": [
"T1583"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}