Development or testing environments that simulate external key management scenarios. Even in these cases, such activity is typically infrequent and should not add significant noise.

Techniques

Sample rules

AWS KMS Imported Key Material Usage

Description

Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. This activity is uncommon and provides a high-certainty signal.

Detection logic

condition: selection
selection:
  eventName:
  - ImportKeyMaterial
  - DeleteImportedKeyMaterial
  eventSource: kms.amazonaws.com
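
The selection above, applied to CloudTrail records and annotated with the false-positive context this page describes. This is an added example, not part of the rule or its source: the sample records, the `DEV_TEST_ACCOUNTS` allowlist and the function names are constructed assumptions.

```python
import json

# Values copied from the rule's selection block (lower-cased for comparison).
EVENT_SOURCE = "kms.amazonaws.com"
EVENT_NAMES = {"importkeymaterial", "deleteimportedkeymaterial"}

# Assumption: account IDs known to host dev/test external-key simulations.
DEV_TEST_ACCOUNTS = {"111111111111"}

# Constructed CloudTrail records, one JSON object per line.
SAMPLE_LOG = """\
{"eventTime":"2024-01-01T10:00:00Z","eventSource":"kms.amazonaws.com","eventName":"ImportKeyMaterial","recipientAccountId":"222222222222","userIdentity":{"arn":"arn:aws:iam::222222222222:user/example-user"},"requestParameters":{"keyId":"1234abcd-12ab-34cd-56ef-1234567890ab"}}
{"eventTime":"2024-01-01T10:05:00Z","eventSource":"kms.amazonaws.com","eventName":"DeleteImportedKeyMaterial","recipientAccountId":"111111111111","userIdentity":{"arn":"arn:aws:iam::111111111111:role/example-test-role"},"requestParameters":{"keyId":"0987dcba-09fe-87dc-65ba-ab0987654321"}}
{"eventTime":"2024-01-01T10:06:00Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","recipientAccountId":"222222222222","userIdentity":{"arn":"arn:aws:iam::222222222222:user/example-user"},"requestParameters":null}
{"eventTime":"2024-01-01T10:07:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","recipientAccountId":"222222222222","userIdentity":{"arn":"arn:aws:iam::222222222222:user/example-user"},"requestParameters":{"bucketName":"example-bucket"}}
"""

def matches(event):
    """Both fields must match; Sigma compares plain strings case-insensitively."""
    source = str(event.get("eventSource", "")).lower()
    name = str(event.get("eventName", "")).lower()
    return source == EVENT_SOURCE and name in EVENT_NAMES

def triage(log_text):
    """Return one alert per matching record, flagged when it fits the known FP."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not matches(event):
            continue
        account = event.get("recipientAccountId", "")
        alerts.append({
            "time": event.get("eventTime"),
            "event": event.get("eventName"),
            # requestParameters can be null in CloudTrail, so guard the lookup.
            "key": (event.get("requestParameters") or {}).get("keyId"),
            "actor": (event.get("userIdentity") or {}).get("arn"),
            "account": account,
            "failed": "errorCode" in event,
            # Flag for triage priority; the alert is kept, not suppressed.
            "likely_false_positive": account in DEV_TEST_ACCOUNTS,
        })
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(json.dumps(alert))
```
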