it's possible that a user has unknowingly started an instance in a new region. please verify that this activity is legitimate.

Techniques

T1535

Sample rules

EC2 Instance Started In Previously Unseen Region

source: splunk
technicques:
- T1535

Description

This search looks for AWS CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started

Detection logic

`cloudtrail` earliest=-1h StartInstances 
| stats earliest(_time) as earliest latest(_time) as latest by awsRegion 
| inputlookup append=t previously_seen_aws_regions.csv 
| stats min(earliest) as earliest max(latest) as latest by awsRegion 
| outputlookup previously_seen_aws_regions.csv 
| eval regionStatus=if(earliest >= relative_time(now(),"-1d@d"), "Instance Started in a New Region","Previously Seen Region") 
| `security_content_ctime(earliest)` 
| `security_content_ctime(latest)` 
| where regionStatus="Instance Started in a New Region" 
| `ec2_instance_started_in_previously_unseen_region_filter`

Cloud Compute Instance Created In Previously Unused Region

source: splunk
technicques:
- T1535

Description

The following analytic detects the creation of a cloud compute instance in a region that has not been previously used within the last hour. It leverages cloud infrastructure logs and compares the regions of newly created instances against a lookup file of historically used regions. This activity is significant because the creation of instances in new regions can indicate unauthorized or suspicious activity, such as an attacker attempting to evade detection or establish a foothold in a less monitored area. If confirmed malicious, this could lead to unauthorized resource usage, data exfiltration, or further compromise of the cloud environment.

Detection logic


| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region, All_Changes.user 
| `drop_dm_object_name("All_Changes")` 
| lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data 
| eventstats max(enough_data) as enough_data 
| where enough_data=1 
| eval firstTimeSeenRegion=min(firstTimeSeen) 
| where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), "-24h@h") 
| table firstTime, user, dest, count , vendor_region 
| `security_content_ctime(firstTime)` 
| `cloud_compute_instance_created_in_previously_unused_region_filter`