Launching EC2 instances







EXPLOITABILITY: Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability. Some might refer to this as likelihood.

IMPACT: How impactful a successful exploitation of this vulnerability is expected to be for your environment and organization.




When an attacker compromises an AWS account, they can launch EC2 instances to hijack resources, mine cryptocurrency, or escalate their privileges.

Understanding Impact

Business Impact

An attacker running EC2 virtual machines in your environment represents both a financial risk (increase in your AWS bill) and a liability. Attackers frequently commit abuse and fraud from compromised infrastructure.

Technical Impact

It is common for attackers to run instances in unused regions. When instances are used for cryptocurrency mining, they typically have GPUs attached.


You can identify when an EC2 instance is launched using the CloudTrail event RunInstances.

In particular, look for:

  • Instances being created in regions you do not use.
  • Instances with unusual sizes and characteristics for your organization. For example, attackers running EC2 instances to perform cryptocurrency mining frequently use GPU-backed instances such as p2.xlarge.
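
Both checks applied to CloudTrail records, as an added example that is not part of the original page and not Datadog's detection rule. The baseline regions and instance types, the GPU-family prefix heuristic, and the sample records are assumptions constructed for illustration.

```python
# Assumed baselines for this example: regions and instance types normally in use.
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}
EXPECTED_TYPES = {"t3.micro", "t3.medium", "m5.large"}
GPU_PREFIXES = ("p", "g")  # heuristic: P and G families (e.g. p2.xlarge) are GPU-backed


def instance_type(event):
    """Instance type from the request, else from the response.
    Launches through a launch template can omit it from requestParameters."""
    req = event.get("requestParameters") or {}
    if req.get("instanceType"):
        return req["instanceType"]
    resp = event.get("responseElements") or {}
    items = (resp.get("instancesSet") or {}).get("items") or []
    return items[0].get("instanceType") if items else None


def review(event):
    """Findings for one CloudTrail record; empty list when nothing is unusual."""
    if (event.get("eventSource"), event.get("eventName")) != ("ec2.amazonaws.com", "RunInstances"):
        return []
    findings = []
    if event.get("awsRegion") not in EXPECTED_REGIONS:
        findings.append(f"unused region: {event.get('awsRegion')}")
    itype = instance_type(event)
    if itype and itype not in EXPECTED_TYPES:
        findings.append(f"unusual instance type: {itype}")
        if itype.startswith(GPU_PREFIXES):
            findings.append("GPU-backed family")
    if findings and event.get("errorCode"):
        # A denied attempt is still a signal that someone tried.
        findings.append(f"call failed: {event['errorCode']}")
    return findings


# Constructed sample records, trimmed to the fields the checks read.
EC2 = {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"}
SAMPLE = [
    {**EC2, "awsRegion": "us-east-1", "requestParameters": {"instanceType": "t3.micro"}},
    {**EC2, "awsRegion": "ap-southeast-2", "requestParameters": {"instanceType": "p2.xlarge"}},
    {**EC2, "awsRegion": "eu-west-1", "requestParameters": {"launchTemplate": {}},
     "responseElements": {"instancesSet": {"items": [{"instanceType": "g4dn.xlarge"}]}}},
    {**EC2, "awsRegion": "sa-east-1", "requestParameters": {"instanceType": "p2.xlarge"},
     "errorCode": "Client.UnauthorizedOperation", "responseElements": None},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "ap-south-1"},
]

if __name__ == "__main__":
    for i, record in enumerate(SAMPLE):
        print(i, review(record) or "ok")
```

Failed calls are kept in scope on purpose: a denied RunInstances in an unused region shows an attempt even though no instance was created.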

Reproduce the attack

You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:

stratus detonate aws.execution.ec2-launch-unusual-instances

See also the related documentation.

How Datadog can help

Cloud SIEM

Datadog Cloud SIEM detects this attack using the out-of-the-box rule "New EC2 Instance Type".


Stratus Red Team - Launch Unusual EC2 instances

Incident where an attacker launched 200+ EC2 instances

M-Trends 2021

Expel Quarterly Threat Report - Q1 2022
