Launch Unusual EC2 instances
MITRE ATT&CK Tactics
Attempts to launch several unusual EC2 instances (p2.xlarge).
Warm-up: Creates an IAM role that doesn't have permissions to launch EC2 instances. This ensures the attempts are not successful, and the attack technique is fast to detonate.
Detonation: Attempts to launch several unusual EC2 instances. The calls will fail as the IAM role does not have sufficient permissions.
Through CloudTrail events with the event name RunInstances and error. eventSource will be ec2.amazonaws.com and the field will contain the instance type that was attempted to be launched.
Depending on your account limits, you might also see VcpuLimitExceeded error codes.
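One way to turn the detection described above into a check over CloudTrail records, as an added example that is not part of Stratus Red Team or the original page. Assumptions: the instance type is read from requestParameters.instanceType, the errorCode strings in the sample use a "Client." prefix, and the expected-family allowlist, threshold, ARNs and helper names are hypothetical.

```python
import json
from collections import defaultdict

# Assumption: instance families this account normally launches; tune per environment.
EXPECTED_FAMILIES = {"t3", "m5", "c5"}
# Assumption: minimum failed attempts per principal before alerting ("several").
THRESHOLD = 3

def unusual_failed_launches(events, expected=EXPECTED_FAMILIES, threshold=THRESHOLD):
    """Group failed RunInstances calls for unexpected instance types by caller ARN."""
    hits = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        if ev.get("eventName") != "RunInstances" or not ev.get("errorCode"):
            continue  # only failed launch attempts are of interest here
        # requestParameters can be null on a failed call, so guard the lookup.
        itype = (ev.get("requestParameters") or {}).get("instanceType")
        if not itype or itype.split(".")[0] in expected:
            continue
        arn = (ev.get("userIdentity") or {}).get("arn", "unknown")
        hits[arn].append((itype, ev["errorCode"]))
    return {arn: h for arn, h in hits.items() if len(h) >= threshold}

def _event(arn, itype, error=None, name="RunInstances"):
    """Build a constructed, trimmed CloudTrail record for the sample below."""
    ev = {"eventSource": "ec2.amazonaws.com", "eventName": name,
          "userIdentity": {"arn": arn},
          "requestParameters": {"instanceType": itype}}
    if error:
        ev["errorCode"] = error
    return ev

# Constructed sample records (not real logs); ARNs and account id are placeholders.
ROLE = "arn:aws:sts::111111111111:assumed-role/example-role/session"
CI = "arn:aws:sts::111111111111:assumed-role/ci-deployer/build"
SAMPLE = (
    [_event(ROLE, "p2.xlarge", "Client.UnauthorizedOperation") for _ in range(3)]
    + [_event(ROLE, "p2.xlarge", "Client.VcpuLimitExceeded")]
    + [_event(CI, "t3.micro", "Client.UnauthorizedOperation") for _ in range(4)]
    + [_event(CI, "p2.xlarge", "Client.UnauthorizedOperation")]
    + [_event(CI, "m5.large")]
)

if __name__ == "__main__":
    print(json.dumps(unusual_failed_launches(SAMPLE), indent=2))
```

Only the first role is reported: the second principal's repeated failures are for an expected family, and its single p2.xlarge attempt stays below the threshold.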