
Unexpected AWS EC2 instance launch

ID: aws_ec2_launch_anomaly
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0005:T1578.002

Description

AlphaSOC detected an AWS Elastic Compute Cloud (EC2) instance that was launched in an unexpected way, potentially indicating unauthorized or malicious activity. This finding indicates that the instance was launched from an unexpected ASN or by an unexpected user agent, which may mean a threat actor has obtained AWS credentials or is exploiting misconfigurations in the cloud environment. EC2 instance launches initiated by AWS services are exempt from detection to avoid false positives.

Impact

An unexpectedly launched EC2 instance can have significant consequences for an organization's cloud security. Threat actors can create new EC2 instances to gain unauthorized access to sensitive data, move laterally within the cloud environment, increase the cost of cloud usage, or use them as a platform for further attacks. A compromised instance could also be used to exfiltrate data or launch attacks on other systems, both inside and outside the organization's network.

Severity

Severity | Condition
Low      | EC2 instance launched by a client IP within an unexpected ASN
Low      | EC2 instance launched by a client with an unexpected user agent

Investigation and Remediation

Investigate the EC2 instance's launch details, including the responsible user or IAM role, instance type, and any associated metadata. Review CloudTrail logs for any suspicious activity prior to the launch. If determined to be malicious, immediately isolate the instance, revoke the associated IAM credentials, and terminate the instance.
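The following is an added example, not AlphaSOC's detector or any code from this page, showing the two severity conditions above as detection logic run over constructed CloudTrail RunInstances records, with the AWS-service exemption applied and the launch details the investigation step asks for (actor, instance type, instance IDs) pulled out of each matching event. The CloudTrail field names (eventName, sourceIPAddress, userAgent, userIdentity.invokedBy, requestParameters, responseElements) are the real record layout; the IP-to-ASN table, the expected-ASN and expected-user-agent baseline, and the sample events are all constructed for the example.

```python
"""Toy detector: flag EC2 RunInstances calls from an unexpected ASN or user agent."""
import ipaddress
from dataclasses import dataclass

# Constructed IP-prefix -> ASN table standing in for a real IP-to-ASN lookup.
ASN_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,   # corporate egress (constructed)
    ipaddress.ip_network("198.51.100.0/24"): 64501,  # CI runners (constructed)
    ipaddress.ip_network("192.0.2.0/24"): 64502,     # never seen before (constructed)
}
# Baseline that a real system would learn from historical launches; constructed here.
EXPECTED_ASNS = {64500, 64501}
EXPECTED_UA_PREFIXES = ("aws-cli/", "Terraform/", "console.ec2.amazonaws.com")


@dataclass
class Finding:
    instance_ids: list
    instance_type: str
    actor: str
    source_ip: str
    user_agent: str
    conditions: list


def lookup_asn(ip: str):
    """Return the ASN for an IP from the constructed table, or None if unknown."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # CloudTrail puts a service DNS name here for service-made calls
        return None
    for net, asn in ASN_TABLE.items():
        if addr in net:
            return asn
    return None


def launched_by_aws_service(event: dict) -> bool:
    """True when another AWS service made the call on the principal's behalf."""
    if event.get("userIdentity", {}).get("invokedBy"):
        return True
    return event.get("sourceIPAddress", "").endswith(".amazonaws.com")


def evaluate(event: dict):
    """Return a Finding for a successful, non-service RunInstances call that breaks the baseline."""
    if event.get("eventSource") != "ec2.amazonaws.com" or event.get("eventName") != "RunInstances":
        return None
    if "errorCode" in event:  # the call failed, so no instance was launched
        return None
    if launched_by_aws_service(event):  # exemption described in the finding
        return None
    conditions = []
    asn = lookup_asn(event.get("sourceIPAddress", ""))
    if asn not in EXPECTED_ASNS:
        conditions.append(f"unexpected ASN {asn}")
    ua = event.get("userAgent", "")
    if not ua.startswith(EXPECTED_UA_PREFIXES):
        conditions.append(f"unexpected user agent {ua!r}")
    if not conditions:
        return None
    items = event.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    return Finding(
        instance_ids=[i["instanceId"] for i in items],
        instance_type=event.get("requestParameters", {}).get("instanceType", "?"),
        actor=event.get("userIdentity", {}).get("arn", "?"),
        source_ip=event.get("sourceIPAddress", "?"),
        user_agent=ua,
        conditions=conditions,
    )


def scan(events):
    """Evaluate a batch of CloudTrail records and keep only the findings."""
    return [f for f in map(evaluate, events) if f is not None]


def _event(arn, ip, ua, instance_id, itype="t3.micro", invoked_by=None):
    """Build a minimal constructed RunInstances record with the fields the detector reads."""
    ident = {"type": "IAMUser", "arn": arn}
    if invoked_by:
        ident["invokedBy"] = invoked_by
    return {
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "sourceIPAddress": ip, "userAgent": ua, "userIdentity": ident,
        "requestParameters": {"instanceType": itype},
        "responseElements": {"instancesSet": {"items": [{"instanceId": instance_id}]}},
    }


SAMPLE_EVENTS = [  # constructed records, not real CloudTrail data
    _event("arn:aws:iam::123456789012:user/alice", "203.0.113.10", "aws-cli/2.13.0 Python/3.11.4", "i-0aaa1"),
    _event("arn:aws:iam::123456789012:user/bob", "192.0.2.77", "python-requests/2.31.0", "i-0bbb2", "p3.8xlarge"),
    _event("arn:aws:sts::123456789012:assumed-role/AutoScalingRole/session", "autoscaling.amazonaws.com",
           "autoscaling.amazonaws.com", "i-0ccc3", invoked_by="autoscaling.amazonaws.com"),
    _event("arn:aws:iam::123456789012:user/carol", "192.0.2.5", "console.ec2.amazonaws.com", "i-0ddd4"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.actor} launched {finding.instance_ids} ({finding.instance_type}) "
              f"from {finding.source_ip}: {', '.join(finding.conditions)}")
```

Of the four constructed records, alice's launch matches the baseline, the Auto Scaling launch is exempt because userIdentity.invokedBy is set, bob's launch trips both conditions, and carol's console launch trips only the ASN condition; each finding carries the actor ARN, instance type and instance IDs needed to begin the investigation step above.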