
Insider Threat Matrix™

  • ID: DT115
  • Created: 29th April 2025
  • Updated: 29th April 2025
  • Platform: Amazon Web Services (AWS)
  • Contributor: The ITM Team

AWS Unauthorized System or Service Modification

Monitor AWS CloudTrail logs to detect unauthorized creation, modification, or deletion of compute, storage, network, or management resources. Unauthorized resource activity may indicate insider preparation for data exfiltration, illicit compute use, or unauthorized persistent access.


Where to Configure/Access


Detection Methods

Monitor CloudTrail API event types such as:

  • RunInstances (EC2 instance creation)
  • CreateVolume (EBS volumes)
  • CreateBucket (S3 buckets)
  • CreateFunction / UpdateFunctionCode (Lambda functions)
  • CreateCluster (ECS/EKS clusters)


Configure event selectors to capture management events across all regions.

Set metric filters and alarms for suspicious activity through CloudWatch.


Indicators

  • Unapproved resources provisioned without matching Infrastructure as Code deployments.
  • Resources created manually via console or CLI outside approved automation frameworks.
  • Resources missing mandatory organizational tags (e.g., project ID, owner).
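The detection methods and indicators above can be combined into a simple triage pass over CloudTrail records. The following is an added example, not code from the ITM page or the ITM project; the watched event list comes from the text, while the mandatory tag keys, the "approved automation" user-agent markers, and the sample records are constructed assumptions to be replaced with your own organization's policy and real CloudTrail export.

```python
import json

# Management events the page tells us to watch for provisioning activity.
WATCHED_EVENTS = {"RunInstances", "CreateVolume", "CreateBucket",
                  "CreateFunction", "UpdateFunctionCode", "CreateCluster"}
MANDATORY_TAGS = {"project-id", "owner"}          # assumed organizational tag policy
# userAgent fragments assumed to identify approved Infrastructure-as-Code tooling.
APPROVED_AGENT_MARKERS = ("cloudformation", "terraform")


def request_tags(event):
    """Collect tag keys from requestParameters: EC2 tagSpecificationSet or a flat 'tags' map."""
    params = event.get("requestParameters") or {}
    keys = set()
    for spec in (params.get("tagSpecificationSet") or {}).get("items", []):
        keys.update(t.get("key", "") for t in spec.get("tags", []))
    keys.update((params.get("tags") or {}).keys())
    return keys


def findings(event):
    """Return the indicator names that fire for one CloudTrail record (empty list if none)."""
    if event.get("eventName") not in WATCHED_EVENTS:
        return []
    hits = []
    agent = (event.get("userAgent") or "").lower()
    if "console.amazonaws.com" in agent or agent.startswith("aws-cli"):
        hits.append("manual-provisioning")          # console or CLI, outside approved automation
    elif not any(marker in agent for marker in APPROVED_AGENT_MARKERS):
        hits.append("unknown-provisioning-tool")    # e.g. an ad-hoc SDK script
    missing = MANDATORY_TAGS - request_tags(event)
    if missing:
        hits.append("missing-tags:" + ",".join(sorted(missing)))
    return hits


def scan(records):
    """Map eventID -> findings for every record that raises at least one indicator."""
    return {r["eventID"]: f for r in records if (f := findings(r))}


# Constructed sample records (trimmed CloudTrail shape), not real log data.
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventName": "RunInstances", "userAgent": "console.amazonaws.com",
     "requestParameters": {"tagSpecificationSet": {"items": [{"tags": [{"key": "owner", "value": "jdoe"}]}]}}},
    {"eventID": "e2", "eventName": "RunInstances", "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.6.0",
     "requestParameters": {"tagSpecificationSet": {"items": [{"tags": [
         {"key": "owner", "value": "platform"}, {"key": "project-id", "value": "p-42"}]}]}}},
    {"eventID": "e3", "eventName": "CreateBucket", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"bucketName": "scratch-data"}},
    {"eventID": "e4", "eventName": "DescribeInstances", "userAgent": "aws-cli/2.15.0"},
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_RECORDS), indent=2))
```

Records provisioned through tagged, approved automation (e2) and read-only calls (e4) produce no finding; the console launch and CLI bucket creation are flagged along with the specific tags they lack.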

Sections

  • ID: IF009.006
  • Name: Installing Crypto Mining Software

The subject installs and operates unauthorized cryptocurrency mining software on organizational systems, leveraging compute, network, and energy resources for personal financial gain. This activity subverts authorized system use policies, degrades operational performance, increases attack surface, and introduces external control risks.


Characteristics

  • Deploys CPU-intensive or GPU-intensive processes (e.g., xmrig, ethminer, phoenixminer, nicehash) on endpoints, servers, or cloud infrastructure without approval.
  • May use containerized deployments (Docker), low-footprint mining scripts, browser-based JavaScript miners, or stealth binaries disguised as legitimate processes.
  • Often configured to throttle resource usage during business hours to evade human and telemetry detection.
  • Establishes persistent outbound network connections to mining pools (e.g., via Stratum mining protocol over TCP/SSL).
  • Frequently disables system security features (e.g., Anti-Virus (AV)/Endpoint Detection & Response (EDR) agents, power-saving modes) to maintain uninterrupted mining sessions.
  • Represents a misuse of resources and also creates unauthorized outbound communication channels that bypass standard network controls.


Example Scenario

A subject installs a customized xmrig Monero mining binary onto under-monitored R&D servers by side-loading it via a USB device. The miner operates in "stealth mode," hiding its process name within legitimate system services and throttling CPU usage to 60% during business hours. Off-peak hours show 95% CPU utilization with persistent outbound TCP traffic to an external mining pool over a non-standard port. The mining operation remains active for six months, leading to significant compute degradation, unplanned electricity costs, and unmonitored external network connections that could facilitate broader compromise.