Launch Unusual EC2 instances

idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Execution

Description

Attempts to launch several unusual EC2 instances (p2.xlarge).

Warm-up: Creates an IAM role that doesn't have permissions to launch EC2 instances. This ensures the attempts are not successful, and the attack technique is fast to detonate.

Detonation: Attempts to launch several unusual EC2 instances. The calls will fail as the IAM role does not have sufficient permissions.

Instructions

Detonate with Stratus Red Team
stratus detonate aws.execution.ec2-launch-unusual-instances

Detection

Through CloudTrail events with the event name RunInstances and error Client.UnauthorizedOperation. The eventSource will be ec2.amazonaws.com and the requestParameters.instanceType field will contain the instance type of the attempted launch.

Depending on your account limits, you might also see VcpuLimitExceeded error codes.
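
The detection described above, written as a filter over CloudTrail records. This is an added example, not code from Stratus Red Team. The allow-list of expected instance types, the alert threshold, the `make_record` helper and the sample records (placeholder account ID, role and session names) are all constructed assumptions.

```python
import json
from collections import Counter

# Assumption: instance types this account normally launches (constructed allow-list).
EXPECTED_TYPES = {"t3.micro", "t3.small", "m5.large"}
# Suffix match: UnauthorizedOperation / VcpuLimitExceeded, with or without a "Client." prefix.
ERROR_SUFFIXES = ("UnauthorizedOperation", "VcpuLimitExceeded")

def make_record(arn, name, itype, error=None):
    """Build a constructed CloudTrail record with only the fields the detection uses."""
    rec = {"eventSource": "ec2.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": arn},
           "requestParameters": {"instanceType": itype} if itype else None}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample data: placeholder account ID, role and session names.
ROLE = "arn:aws:sts::111122223333:assumed-role/example-role/example-session"
SAMPLE_LOG = json.dumps({"Records": [
    *[make_record(ROLE, "RunInstances", "p2.xlarge", "Client.UnauthorizedOperation")] * 4,
    make_record(ROLE, "RunInstances", "p2.xlarge", "Client.VcpuLimitExceeded"),
    make_record(ROLE, "RunInstances", "t3.micro", "Client.UnauthorizedOperation"),
    make_record(ROLE, "RunInstances", "p2.xlarge"),  # succeeded: no errorCode
    make_record(ROLE, "DescribeInstances", None, "Client.UnauthorizedOperation"),
]})

def is_suspicious(event):
    """True for a failed EC2 RunInstances call that requested an unexpected instance type."""
    if (event.get("eventSource"), event.get("eventName")) != ("ec2.amazonaws.com", "RunInstances"):
        return False
    if not (event.get("errorCode") or "").endswith(ERROR_SUFFIXES):
        return False
    # requestParameters can be null in a CloudTrail record, so guard before reading it.
    itype = (event.get("requestParameters") or {}).get("instanceType")
    return itype is not None and itype not in EXPECTED_TYPES

def detect(log_text, threshold=3):
    """Return {(principal ARN, instance type): count} for groups at or above threshold."""
    hits = Counter()
    for ev in json.loads(log_text).get("Records", []):
        if is_suspicious(ev):
            arn = (ev.get("userIdentity") or {}).get("arn", "unknown")
            hits[(arn, ev["requestParameters"]["instanceType"])] += 1
    return {key: count for key, count in hits.items() if count >= threshold}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Grouping by principal and instance type keeps a single denied call from alerting while still catching the repeated attempts this technique generates.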