High volume of AWS EC2 instances created with api termination disabled
Goal
Detects when a user creates a high volume of EC2 instances and disables API termination protection on multiple instances.
Strategy
This rule monitors AWS CloudTrail logs for suspicious EC2 instance creation and configuration patterns. It triggers when it detects more than 10 RunInstances events containing @requestParameters.userData, combined with more than 10 ModifyInstanceAttribute events that set @requestParameters.disableApiTermination.value to true.
Disabling API termination prevents instances from being terminated through the AWS API, making it more difficult to shut down unauthorized compute resources. This pattern is commonly associated with resource hijacking attacks, where adversaries create multiple instances for cryptomining and enable termination protection to maintain persistence.
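The counting logic the rule describes, as an added example that is not Datadog's own rule implementation: it groups CloudTrail events by the calling identity's ARN, counts RunInstances events that carry requestParameters.userData and ModifyInstanceAttribute events that set disableApiTermination.value to true, and reports identities that exceed both thresholds. The ARNs and events are constructed sample data, and the field layout assumes standard CloudTrail records.

```python
from collections import defaultdict

RUN_THRESHOLD = 10     # rule fires on more than 10 RunInstances with userData
MODIFY_THRESHOLD = 10  # and more than 10 termination-protection enables

def _disables_termination(event):
    """True when ModifyInstanceAttribute sets disableApiTermination.value to true."""
    params = event.get("requestParameters") or {}
    flag = params.get("disableApiTermination") or {}
    return flag.get("value") is True

def summarize(events):
    """Return {arn: (runinstances_with_userdata, termination_protect_enables)}."""
    counts = defaultdict(lambda: [0, 0])
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        arn = (ev.get("userIdentity") or {}).get("arn", "unknown")
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        if name == "RunInstances" and params.get("userData"):
            counts[arn][0] += 1
        elif name == "ModifyInstanceAttribute" and _disables_termination(ev):
            counts[arn][1] += 1
    return {arn: tuple(c) for arn, c in counts.items()}

def flag_identities(events):
    """ARNs that exceed both thresholds, i.e. would trigger this rule."""
    return sorted(arn for arn, (runs, mods) in summarize(events).items()
                  if runs > RUN_THRESHOLD and mods > MODIFY_THRESHOLD)

def _event(arn, name, params):
    """Constructed CloudTrail-style record with only the fields the rule reads."""
    return {"eventSource": "ec2.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params}

# Constructed sample data: one noisy identity and one benign admin.
SUSPECT = "arn:aws:iam::123456789012:user/example-suspect"
ADMIN = "arn:aws:iam::123456789012:user/example-admin"
SAMPLE_EVENTS = (
    [_event(SUSPECT, "RunInstances", {"userData": "<base64>"}) for _ in range(12)]
    + [_event(SUSPECT, "ModifyInstanceAttribute",
              {"instanceId": f"i-{n:017x}", "disableApiTermination": {"value": True}})
       for n in range(11)]
    + [_event(ADMIN, "RunInstances", {"userData": "<base64>"}) for _ in range(3)]
    + [_event(ADMIN, "ModifyInstanceAttribute",
              {"disableApiTermination": {"value": False}}) for _ in range(15)]
)

if __name__ == "__main__":
    print(flag_identities(SAMPLE_EVENTS))
```

Because both counters are keyed on @userIdentity.arn, a single burst of launches without matching termination-protection changes (or vice versa) does not fire, which mirrors the rule's two-condition design.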
Triage & Response
- Examine the EC2 instances launched by {{@userIdentity.arn}} to verify if the instance creation pattern and volume align with legitimate business operations.
- Review the userData scripts associated with the launched instances to determine if they contain malicious code or cryptomining software.
- Check the instance types, regions, and configurations to identify if they match expected organizational infrastructure patterns.
- Analyze recent authentication activity for the identity to determine if the account may have been compromised.
- Verify if the API termination protection changes were authorized and have a legitimate operational justification.
- Review billing and cost data for unusual spikes in EC2 compute charges that would indicate resource hijacking.