
Summary
Detects correlated AWS ECS activity indicating a potential cryptomining deployment post-credential compromise. Within a short window (configured by the rule), a single principal registers an ECS TaskDefinition that points to a public container image and assigns a high CPU allocation (8 or 16 vCPU), and subsequently launches ECS workloads (RunTask, StartTask, or CreateService). The rule requires both events to occur by the same identity, which helps distinguish actual deployment from benign registrations of high‑compute images. It relies on CloudTrail data ingested via the Elastic AWS integration, examining aws.cloudtrail.request_parameters for image source (public registries) and cpu settings, and aws.cloudtrail.user_identity.arn for identity correlation, then cross‑correlates with subsequent ECS run/create actions. Images from public registries (e.g., docker.io, ghcr.io, quay.io, public.ecr.aws) combined with elevated CPU and a deployment event strongly suggest a mining operation being started rather than a missed‑intent registration. The rule is designed with a 30‑minute window and is marked high severity due to the potential impact of cryptomining and credential misuse. Remediation guidance focuses on stopping the deployed tasks, deregistering the task definition, credential rotation, and tightening image and task execution controls (restrict to approved private registries, review IAM principals, and monitor for related ECS activity).
Categories
- Cloud
- Containers
Data Sources
- Cloud Service
- Process
ATT&CK Techniques
- T1496
Created: 2026-07-08