Techniques
Sample rules
AWS EC2 Instance Connect SSH Public Key Uploaded
- source: elastic
- technicques:
- T1098
Description
Identifies when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service. This
action could indicate an adversary attempting to maintain access to the instance. The rule also detects the
SendSerialConsoleSSHPublicKey API action, which could be used for privilege escalation if the serial console is
enabled. Monitoring these activities helps ensure unauthorized access attempts are detected and mitigated promptly.
Detection logic
event.dataset: aws.cloudtrail
and event.provider: ec2-instance-connect.amazonaws.com
and event.action: (SendSSHPublicKey or SendSerialConsoleSSHPublicKey)
and event.outcome: success