IR-008 · cloud · v1.0.0

Cloud Resource Hijacking (Cryptomining and Unauthorized Compute)

⚠️ high / ⚠️ critical
Est. Time: 35m
📋 Steps: 9 steps
🔧 Tools: 5 required
🔗 Integrations: 5 platforms
📊 Avg Resolution: 60m

🔧 Tools Required

aws cloudtrail, aws guardduty, aws cost explorer, aws iam, siem

⚡ Triggers

cloud_cost_anomaly_alert
aws_guardduty_cryptomining_finding
compute_usage_spike
billing_threshold_breach
siem_unusual_instance_creation

🔌 Integrations

aws guardduty (required): CryptoCurrency:EC2/BitcoinTool.B, UnauthorizedAccess:EC2/TorClient findings

aws cost explorer (required): Cost anomaly detection and usage breakdown by service/region

aws cloudtrail (required): Full API audit trail for instance creation and credential usage

datadog (optional): Cloud cost monitoring and compute anomaly detection

lacework (optional): Cloud security posture and anomaly detection alternative


Quantify the financial and resource impact: identify which AWS services show anomalous costs (EC2, GPU instances, Lambda, ECS), in which regions, and in which accounts. Cryptomining typically uses compute-intensive instance types (c5.9xlarge, p3.16xlarge, g4dn instances). Compare the anomalous cost against the normal baseline, and calculate the hourly burn rate to quantify urgency.

⚡ Automation Hint

AWS CLI: aws ce get-cost-and-usage --time-period Start=<start>,End=<end> --granularity DAILY --metrics BlendedCost --group-by Type=DIMENSION,Key=SERVICE

AWS Cost Anomaly: aws ce get-anomalies --date-interval StartDate=<date>,EndDate=<date>

Boto3: ce.get_cost_forecast(TimePeriod=..., Metric='BLENDED_COST', Granularity='MONTHLY')

📤 Outputs

cost_impact_usd, affected_services, affected_regions, hourly_burn_rate
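
One way to derive this step's four outputs from Cost Explorer data, as an added example that is not part of the playbook's own automation. It assumes a DAILY get_cost_and_usage response grouped by both SERVICE and REGION; the sample response, the function name `assess_impact` and the thresholds are constructed for illustration.

```python
from statistics import mean

EC2 = "Amazon Elastic Compute Cloud - Compute"

def _day(start, end, rows):
    """Build one constructed ResultsByTime entry grouped by SERVICE, REGION."""
    return {"TimePeriod": {"Start": start, "End": end},
            "Groups": [{"Keys": [svc, region],
                        "Metrics": {"BlendedCost": {"Amount": amt, "Unit": "USD"}}}
                       for svc, region, amt in rows]}

# Constructed sample in the shape of a get_cost_and_usage response (DAILY).
# Three normal days, then two days with EC2 spend in a previously unused region.
SAMPLE = {"ResultsByTime": [
    _day("2024-03-01", "2024-03-02", [(EC2, "us-east-1", "40.00"), ("AWS Lambda", "us-east-1", "2.00")]),
    _day("2024-03-02", "2024-03-03", [(EC2, "us-east-1", "42.00"), ("AWS Lambda", "us-east-1", "2.00")]),
    _day("2024-03-03", "2024-03-04", [(EC2, "us-east-1", "38.00"), ("AWS Lambda", "us-east-1", "2.00")]),
    _day("2024-03-04", "2024-03-05", [(EC2, "us-east-1", "41.00"), (EC2, "ap-southeast-1", "480.00")]),
    _day("2024-03-05", "2024-03-06", [(EC2, "us-east-1", "39.00"), (EC2, "ap-southeast-1", "1200.00")]),
]}

def assess_impact(response, baseline_days, ratio=3.0, min_excess_usd=10.0):
    """Flag (service, region) pairs whose latest daily cost exceeds baseline."""
    days = response["ResultsByTime"]
    daily = {}  # (service, region) -> cost per day, zero where the group is absent
    for i, day in enumerate(days):
        for group in day["Groups"]:
            cost = float(group["Metrics"]["BlendedCost"]["Amount"])
            daily.setdefault(tuple(group["Keys"]), [0.0] * len(days))[i] = cost
    impact, burn, flagged = 0.0, 0.0, set()
    for key, costs in daily.items():
        base = mean(costs[:baseline_days])
        latest_excess = costs[-1] - base
        # Zero baseline (never-used region) is flagged on any material spend.
        if latest_excess >= min_excess_usd and costs[-1] > ratio * base:
            flagged.add(key)
            impact += sum(max(c - base, 0.0) for c in costs[baseline_days:])
            burn += latest_excess / 24  # latest bucket covers a full 24 hours
    return {"cost_impact_usd": round(impact, 2),
            "affected_services": sorted({k[0] for k in flagged}),
            "affected_regions": sorted({k[1] for k in flagged}),
            "hourly_burn_rate": round(burn, 2)}

if __name__ == "__main__":
    print(assess_impact(SAMPLE, baseline_days=3))
```

Spend in a region with no baseline rows is zero-filled rather than skipped, so a never-used region is flagged as soon as its excess crosses `min_excess_usd`.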