AWS API calls indicating Autoscaling large group launch
Description
AlphaSOC detected creation or modification of an AWS Auto Scaling group with a
large desired capacity using CreateAutoScalingGroup or
UpdateAutoScalingGroup actions. This detection identifies large-scale Auto
Scaling operations performed from unusual locations, with unfamiliar user
agents, or in unexpected regions. While organizations may legitimately scale to
high capacity during traffic spikes or planned deployments, threat actors can
exploit this capability to rapidly provision large fleets of instances for
cryptomining, DDoS botnets, or resource hijacking attacks.
Impact
Unauthorized deployment of large Auto Scaling groups can generate unexpected cloud costs through rapid provisioning of EC2 instances for cryptomining or other resource-intensive operations. Large-scale instance deployments may exhaust service quotas and EC2 limits, potentially disrupting legitimate workloads. The compromised infrastructure can be used for distributed computing tasks, attacks against external targets, or lateral movement within the environment.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent, or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review CloudTrail logs to identify the Auto Scaling action
(CreateAutoScalingGroup or UpdateAutoScalingGroup) and examine the
desiredCapacity parameter to determine the requested instance count. Identify
the responsible IAM user or role and verify the source IP address, ASN, and user
agent to confirm whether the activity originated from expected infrastructure.
Inspect the Auto Scaling group configuration, including instance types, launch
templates, and user data scripts, for malicious payloads.
If unauthorized, immediately set the Auto Scaling group's desired capacity to zero to stop new instance launches, then terminate all running instances associated with the group. Revoke the compromised IAM credentials and rotate access keys. Review AWS billing and usage reports to assess financial impact. Implement IAM policy restrictions to limit Auto Scaling permissions and establish AWS Config rules or Service Control Policies to prevent large-capacity deployments without approval.
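The CloudTrail review above can be scripted. The following is an added example, not AlphaSOC's detection code: it filters CloudTrail records for CreateAutoScalingGroup or UpdateAutoScalingGroup calls with a large desiredCapacity, compares the action, ASN, user agent and region against a per-principal baseline, and grades the result with the severity table. The capacity threshold, the baseline, the IP-to-ASN map and the sample records are all constructed for illustration.

```python
# Added example, not AlphaSOC's code; baseline, ASN map and records are constructed.
LARGE_CAPACITY = 50
WATCHED = {"CreateAutoScalingGroup", "UpdateAutoScalingGroup"}
# Constructed baseline: what a principal normally does and where from.
BASELINE = {
    "arn:aws:iam::111122223333:role/deploy-role": {
        "action": {"UpdateAutoScalingGroup"}, "asn": {"AS16509"},
        "user_agent": {"aws-cli/2.15.0"}, "region": {"us-east-1"},
    }
}
# CloudTrail carries only sourceIPAddress; the ASN comes from enrichment.
ASN_LOOKUP = {"3.5.140.2": "AS16509", "198.51.100.7": "AS64496"}

def severity_for(count):
    # One unexpected property: Informational; two: Low; three or more: Medium.
    return {1: "Informational", 2: "Low"}.get(count, "Medium") if count else None

def triage(record):
    # Return an alert dict for a large Auto Scaling launch, or None.
    capacity = (record.get("requestParameters") or {}).get("desiredCapacity")
    if (record.get("eventSource") != "autoscaling.amazonaws.com"
            or record.get("eventName") not in WATCHED
            or capacity is None or capacity < LARGE_CAPACITY):
        return None
    principal = record["userIdentity"]["arn"]
    known = BASELINE.get(principal, {})
    observed = {
        "action": record["eventName"],
        "asn": ASN_LOOKUP.get(record.get("sourceIPAddress"), "unknown"),
        "user_agent": record.get("userAgent", ""),
        "region": record.get("awsRegion", ""),
    }
    unexpected = [k for k, v in observed.items() if v not in known.get(k, set())]
    if not unexpected:
        return None
    return {"principal": principal, "desired_capacity": capacity,
            "unexpected": unexpected, "severity": severity_for(len(unexpected))}

# Constructed sample records: a routine scale-up, then a suspicious one.
SAMPLE_RECORDS = [
    {"eventSource": "autoscaling.amazonaws.com", "eventName": "UpdateAutoScalingGroup",
     "awsRegion": "us-east-1", "sourceIPAddress": "3.5.140.2", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy-role"},
     "requestParameters": {"autoScalingGroupName": "web", "desiredCapacity": 120}},
    {"eventSource": "autoscaling.amazonaws.com", "eventName": "CreateAutoScalingGroup",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "198.51.100.7", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy-role"},
     "requestParameters": {"autoScalingGroupName": "miner", "desiredCapacity": 500}},
]
ALERTS = [a for a in map(triage, SAMPLE_RECORDS) if a]
```

The routine record produces no alert because every property matches the baseline; the second record is unexpected on all four properties and lands at Medium.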
Known False Positives
- Legitimate infrastructure scaling during planned deployments, load testing, or traffic surge events