Engineers creating key pairs from a home ISP, a corporate VPN, or a colocation facility, since those AS organization names will match until they are baselined. GeoIP databases vary by vendor, and organization labels may differ slightly from the excluded strings (for example, alternate Amazon or Google legal names). Tune exclusions on `source.as.organization.name` or on the principal ARN after validation.

Techniques

Sample rules

AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization

Description

Identifies the first time a given IAM principal successfully creates an EC2 key pair when the request is sourced from a network whose autonomous system organization is not attributed to common cloud or hyperscaler providers in your GeoIP data. Adversaries may call CreateKeyPair to stage SSH access material before launching or accessing instances. A new terms baseline on user_identity.arn suppresses repeated noise from the same principal while still surfacing the initial suspicious creation from an unusual egress label.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "ec2.amazonaws.com"
    and event.action: "CreateKeyPair"
    and event.outcome: "success"
    and source.as.organization.name: (
        * and not (
            "Amazon.com, Inc." or AMAZ* or "Google LLC" or "Microsoft Corporation"
        )
    )
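The following Python is an added example, not the rule's own code or part of the LoFP entry: it replays the rule's filter and the new-terms baseline on user_identity.arn over a handful of constructed CloudTrail events. It assumes the ECS field names from the query are flattened into dictionary keys, and that `source.as.organization.name` is a keyword field so the `AMAZ*` wildcard is case-sensitive. The sample set includes the label-variance case from the false-positive note (an Amazon legal name that the exclusions do not cover) and a `known_arns` seed that models tuning on the principal ARN after validation.

```python
"""Replay of the CreateKeyPair rule's filter and new-terms baseline.

Added example, not the rule's own code. Events are constructed and use the
flattened ECS/CloudTrail field names from the rule as dictionary keys.
"""
from fnmatch import fnmatchcase

# Exclusions copied from the rule's `source.as.organization.name` clause.
EXCLUDED_EXACT = {"Amazon.com, Inc.", "Google LLC", "Microsoft Corporation"}
EXCLUDED_WILDCARDS = ("AMAZ*",)


def is_excluded_as_org(name: str) -> bool:
    """True if the AS organization label is one the rule excludes.

    Assumption: the field is a keyword, so the wildcard is case-sensitive
    and a label such as 'Amazon Technologies Inc.' does NOT match AMAZ*.
    """
    if name in EXCLUDED_EXACT:
        return True
    return any(fnmatchcase(name, pat) for pat in EXCLUDED_WILDCARDS)


def matches_query(event: dict) -> bool:
    """Apply the rule's KQL conditions to one flattened event."""
    if event.get("event.dataset") != "aws.cloudtrail":
        return False
    if event.get("event.provider") != "ec2.amazonaws.com":
        return False
    if event.get("event.action") != "CreateKeyPair":
        return False
    if event.get("event.outcome") != "success":
        return False
    as_org = event.get("source.as.organization.name")
    if not as_org:  # `field: *` requires the field to be present
        return False
    return not is_excluded_as_org(as_org)


class NewTermsBaseline:
    """Alert once per previously unseen user_identity.arn.

    `known_arns` models the tuning the false-positive note suggests:
    principals validated as benign are seeded so they never alert again.
    """

    def __init__(self, known_arns=()):
        self.seen = set(known_arns)

    def evaluate(self, events):
        alerts = []
        for ev in events:
            if not matches_query(ev):
                continue
            arn = ev.get("user_identity.arn")
            if arn in self.seen:
                continue  # repeated noise from the same principal
            self.seen.add(arn)
            alerts.append(ev)
        return alerts


def make_event(arn, as_org, outcome="success"):
    # Constructed event; only the fields the rule reads are populated.
    ev = {
        "event.dataset": "aws.cloudtrail",
        "event.provider": "ec2.amazonaws.com",
        "event.action": "CreateKeyPair",
        "event.outcome": outcome,
        "user_identity.arn": arn,
    }
    if as_org is not None:
        ev["source.as.organization.name"] = as_org
    return ev


ACCOUNT = "111122223333"  # constructed account id
SAMPLE_EVENTS = [  # constructed, in arrival order
    make_event(f"arn:aws:iam::{ACCOUNT}:user/alice", "Comcast Cable Communications, LLC"),
    make_event(f"arn:aws:iam::{ACCOUNT}:user/alice", "Comcast Cable Communications, LLC"),
    make_event(f"arn:aws:iam::{ACCOUNT}:user/bob", "Amazon.com, Inc."),      # exact exclusion
    make_event(f"arn:aws:iam::{ACCOUNT}:user/carol", "AMAZON-02"),           # AMAZ* exclusion
    make_event(f"arn:aws:iam::{ACCOUNT}:user/dave", "Amazon Technologies Inc."),  # label variance
    make_event(f"arn:aws:iam::{ACCOUNT}:user/erin", "Comcast Cable Communications, LLC", "failure"),
    make_event(f"arn:aws:iam::{ACCOUNT}:user/frank", None),                 # no AS label
]


def run_sample(known_arns=()):
    """Return the principal ARNs that would alert, in order."""
    baseline = NewTermsBaseline(known_arns)
    return [ev["user_identity.arn"] for ev in baseline.evaluate(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for arn in run_sample():
        print("alert:", arn)
```

Running it alerts on alice once (the second event is suppressed by the baseline) and on dave, whose AS label is an Amazon legal name the exclusion strings do not cover; seeding dave's ARN into `known_arns` after validation removes that alert, which is the tuning path the false-positive note describes.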