AWS Cryptomining

Detection overview

Triggers

  • Multiple high-powered EC2 instances are started using a compromised EC2 instance token.

Possible Root Causes

  • An attacker is leveraging a compromised EC2 instance and/or its token to create powerful EC2 instances for use in cryptomining.
  • Internal infrastructure or applications are legitimately configured to launch high-powered EC2 instances for compute-intensive workloads that support those applications.

Business Impact

  • High-powered EC2 instances used for cryptomining result in significant costs billed to the organization that owns the AWS account.

Steps to Verify

  • Investigate the source of the EC2 instance launches to determine whether that resource should be creating new high-powered EC2 instances.
  • Investigate the newly created EC2 instances to determine their purpose and confirm they are not malicious.
  • If the review indicates possible malicious activity, perform a comprehensive investigation to determine the initial source of the EC2 compromise, remove the attacker's EC2 access, and remediate compromised resources and accounts.
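The first two verification steps amount to answering, from CloudTrail, "which principal launched these instances, from where, and of what size?" The script below is an added example written for this page; it is not Vectra's detection logic or AWS code. It triages RunInstances records for the trigger described above: launches made with EC2 instance-profile credentials (in CloudTrail these appear as an AssumedRole whose session name is the instance ID) that collectively start many large instances. The list of "high-powered" instance families, the alert threshold, and the sample records are assumptions constructed for the example and should be tuned to the account being investigated.

```python
"""Triage CloudTrail RunInstances events for the AWS cryptomining pattern.

Added example for this detection page (not the vendor's own logic). The
CloudTrail field layout follows the documented RunInstances record shape;
the sample records below are constructed, not from any real account.
"""
from collections import defaultdict

# Assumed set of instance families an organisation treats as "high-powered".
# Tune this to the account's normal fleet; GPU and large compute families are
# the usual cryptomining targets.
HIGH_POWERED_FAMILIES = {"p3", "p4d", "g4dn", "g5", "c5", "c5n", "c6i"}


def _event(principal_type, arn, region, source_ip, instance_types):
    """Build a constructed CloudTrail-style RunInstances record (sample data)."""
    return {
        "eventName": "RunInstances",
        "awsRegion": region,
        "sourceIPAddress": source_ip,
        "userIdentity": {"type": principal_type, "arn": arn},
        "responseElements": {
            "instancesSet": {
                "items": [
                    {"instanceId": f"i-{n:017x}", "instanceType": t}
                    for n, t in enumerate(instance_types)
                ]
            }
        },
    }


# Constructed sample events: a web server's instance role suddenly launching
# GPU fleets in two regions, alongside ordinary deploy and batch activity.
WEB_ROLE = "arn:aws:sts::123456789012:assumed-role/web-app-role/i-0123456789abcdef0"
BATCH_ROLE = "arn:aws:sts::123456789012:assumed-role/batch-role/i-0fedcba9876543210"
DEPLOY_USER = "arn:aws:iam::123456789012:user/deploy-user"
SAMPLE_EVENTS = [
    _event("AssumedRole", WEB_ROLE, "us-east-1", "203.0.113.10", ["p3.8xlarge"] * 4),
    _event("AssumedRole", WEB_ROLE, "eu-west-1", "203.0.113.10", ["p3.8xlarge"] * 4),
    _event("AssumedRole", WEB_ROLE, "us-east-1", "203.0.113.10", ["g5.12xlarge"] * 2),
    _event("IAMUser", DEPLOY_USER, "us-east-1", "198.51.100.7", ["t3.micro"]),
    _event("AssumedRole", BATCH_ROLE, "us-east-1", "10.0.4.12", ["c5.4xlarge"]),
]


def is_ec2_instance_session(user_identity):
    """EC2 instance-profile credentials appear as an AssumedRole whose role
    session name (last ARN path segment) is the instance ID."""
    if user_identity.get("type") != "AssumedRole":
        return False
    session_name = user_identity.get("arn", "").rsplit("/", 1)[-1]
    return session_name.startswith("i-")


def is_high_powered(instance_type):
    """Classify by instance family, e.g. 'p3.8xlarge' -> 'p3'."""
    return instance_type.split(".", 1)[0] in HIGH_POWERED_FAMILIES


def _launched_types(event):
    items = event.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    return [item["instanceType"] for item in items]


def summarize_by_principal(events):
    """Aggregate RunInstances activity per calling principal: this is the
    'investigate the source' view an analyst wants first."""
    summary = defaultdict(lambda: {
        "launches": 0, "high_powered": 0, "types": set(),
        "regions": set(), "source_ips": set(), "ec2_session": False,
    })
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        identity = ev["userIdentity"]
        entry = summary[identity["arn"]]
        entry["launches"] += 1
        entry["ec2_session"] = is_ec2_instance_session(identity)
        entry["regions"].add(ev["awsRegion"])
        entry["source_ips"].add(ev["sourceIPAddress"])
        for itype in _launched_types(ev):
            entry["types"].add(itype)
            if is_high_powered(itype):
                entry["high_powered"] += 1
    return dict(summary)


def find_suspicious(events, threshold=3):
    """Flag instance-role sessions that launched >= threshold high-powered
    instances. The threshold is an assumed starting point, not a standard."""
    findings = []
    for arn, entry in summarize_by_principal(events).items():
        if entry["ec2_session"] and entry["high_powered"] >= threshold:
            findings.append({
                "principal": arn,
                "high_powered_instances": entry["high_powered"],
                "types": sorted(entry["types"]),
                "regions": sorted(entry["regions"]),
                "source_ips": sorted(entry["source_ips"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(finding)
```

Each finding names the instance-role session (and therefore the EC2 instance whose credentials were used), the regions and source IPs involved, and the instance types launched, which is the evidence needed to decide between the two root causes above: an instance role that normally serves a web application launching GPU fleets in several regions is the malicious case, whereas a batch or build role doing so on schedule is the benign one. Running the same aggregation over CloudTrail Lake or an exported log set is a matter of feeding real records in place of the constructed sample.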