Sample rules
Cloud Compute Instance Created With Previously Unseen Instance Type
- source: splunk
- techniques:
- T1578.002
Description
The following analytic detects the creation of EC2 instances with previously unseen instance types. It uses Splunk's tstats command over the Change data model to find created instances whose instance_type is either absent from the previously_seen_cloud_compute_instance_types lookup or was first recorded there within the last 24 hours; results are suppressed until the lookup's enough_data flag indicates the baseline has been populated, so an empty baseline does not alert on every instance type. This activity is significant for a SOC because it may indicate unauthorized or suspicious activity, such as an attacker creating instances for malicious purposes. If confirmed malicious, this could lead to unauthorized access, data exfiltration, system compromise, or service disruption. Immediate investigation is required to determine the legitimacy of the instance creation.
Detection logic
| tstats count earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest
    FROM datamodel=Change
    WHERE All_Changes.action=created
    BY All_Changes.Instance_Changes.instance_type All_Changes.user
| `drop_dm_object_name("All_Changes")`
| `drop_dm_object_name("Instance_Changes")`
| where instance_type != "unknown"
| lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenInstanceType=min(firstTimeSeen)
| where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), "-24h@h")
| table firstTime, user, dest, count, instance_type
| `security_content_ctime(firstTime)`
| `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`
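The following Python model of the search above is an added example, not part of the Splunk content or this page; it replays the pipeline stage by stage (group by instance_type and user, filter "unknown", join against the baseline lookup, gate on enough_data, apply the 24-hour cutoff) over a handful of constructed events and a constructed stand-in for the previously_seen_cloud_compute_instance_types lookup. The event shapes, instance IDs, users and baseline contents are all invented for illustration.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible (the SPL uses now()).
NOW = datetime(2024, 5, 1, 12, 30, tzinfo=timezone.utc)


def _ago(**kw):
    return NOW - timedelta(**kw)


# Constructed events carrying the Change data model fields the search reads.
EVENTS = [
    {"_time": _ago(minutes=10), "action": "created", "object_id": "i-0aaa01", "instance_type": "t3.micro", "user": "alice"},
    {"_time": _ago(minutes=30), "action": "created", "object_id": "i-0bbb02", "instance_type": "p3.16xlarge", "user": "bob"},
    {"_time": _ago(minutes=20), "action": "created", "object_id": "i-0bbb03", "instance_type": "p3.16xlarge", "user": "bob"},
    {"_time": _ago(minutes=5), "action": "created", "object_id": "i-0ccc04", "instance_type": "m5.large", "user": "carol"},
    {"_time": _ago(minutes=15), "action": "created", "object_id": "i-0ddd05", "instance_type": "unknown", "user": "dave"},
    {"_time": _ago(minutes=2), "action": "deleted", "object_id": "i-0aaa01", "instance_type": "t3.micro", "user": "alice"},
]

# Constructed stand-in for the previously_seen_cloud_compute_instance_types lookup.
BASELINE = {
    "t3.micro": {"firstTimeSeen": _ago(days=30), "enough_data": 1},
    "m5.large": {"firstTimeSeen": _ago(hours=3), "enough_data": 1},  # baselined only 3h ago
}


def detect(events, baseline, now=NOW, window=timedelta(hours=24)):
    """Return the rows the search would table: one per (instance_type, user) whose
    type is unseen or first seen inside the window, once the baseline has enough data."""
    # tstats count, earliest/latest(_time), values(object_id) BY instance_type, user
    groups = {}
    for ev in events:
        if ev["action"] != "created":
            continue
        g = groups.setdefault((ev["instance_type"], ev["user"]),
                              {"count": 0, "firstTime": None, "lastTime": None, "dest": set()})
        g["count"] += 1
        g["firstTime"] = ev["_time"] if g["firstTime"] is None else min(g["firstTime"], ev["_time"])
        g["lastTime"] = ev["_time"] if g["lastTime"] is None else max(g["lastTime"], ev["_time"])
        g["dest"].add(ev["object_id"])

    # where instance_type != "unknown", then lookup ... OUTPUTNEW firstTimeSeen, enough_data
    rows = []
    for (itype, user), g in groups.items():
        if itype == "unknown":
            continue
        seen = baseline.get(itype, {})
        rows.append({"firstTime": g["firstTime"], "user": user, "dest": sorted(g["dest"]),
                     "count": g["count"], "instance_type": itype,
                     "firstTimeSeen": seen.get("firstTimeSeen"),
                     "enough_data": seen.get("enough_data")})

    # eventstats max(enough_data): one flag shared by every row (null for unseen types)
    enough = max((r["enough_data"] for r in rows if r["enough_data"] is not None), default=None)
    if enough != 1:
        return []  # baseline not populated yet: suppress rather than alert on every type

    # relative_time(now(), "-24h@h"): 24 hours back, snapped to the hour
    cutoff = now.replace(minute=0, second=0, microsecond=0) - window
    alerts = [r for r in rows if r["firstTimeSeen"] is None or r["firstTimeSeen"] > cutoff]

    table = ("firstTime", "user", "dest", "count", "instance_type")
    return sorted(({k: r[k] for k in table} for r in alerts), key=lambda r: r["firstTime"])


if __name__ == "__main__":
    for row in detect(EVENTS, BASELINE):
        print(row)
```

Running it yields two rows: bob's two p3.16xlarge launches (type absent from the baseline) and carol's m5.large (present, but first seen three hours ago, inside the 24-hour window). Alice's t3.micro, dave's "unknown" type and the deletion are dropped. Passing an empty baseline returns nothing at all, which is the enough_data gate doing its job and the reason the lookup must be populated before the search is scheduled.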