LoFP / Legitimate use cases for imported key material are rare, but may include organizations with hybrid cloud architectures that import external key material for compliance requirements.

Techniques

Sample rules

AWS KMS Imported Key Material Usage

Description

Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. This activity is uncommon and provides a high-certainty signal.

Detection logic

condition: selection
selection:
  eventName:
  - ImportKeyMaterial
  - DeleteImportedKeyMaterial
  eventSource: kms.amazonaws.com
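The selection above, applied to CloudTrail records and followed by a triage step for the false positive this page describes. This is an added example, not part of the rule or the project's code. The allow-listed role ARN, the account ID, the key IDs and the sample records are constructed, and treating only imports by the allow-listed role as expected is an assumption.

```python
import json

# Selection from the rule above: every field must hold one of its listed values.
SELECTION = {
    "eventSource": {"kms.amazonaws.com"},
    "eventName": {"ImportKeyMaterial", "DeleteImportedKeyMaterial"},
}

# Assumption: principal used by the organization's approved external-key
# import pipeline (hypothetical ARN, not from the rule).
EXPECTED_IMPORTERS = {"arn:aws:sts::111111111111:assumed-role/kms-byok-import/pipeline"}

# Constructed CloudTrail records, one JSON object per line.
SAMPLE_LOG = """\
{"eventSource":"kms.amazonaws.com","eventName":"ImportKeyMaterial","userIdentity":{"arn":"arn:aws:sts::111111111111:assumed-role/kms-byok-import/pipeline"},"requestParameters":{"keyId":"constructed-key-a"}}
{"eventSource":"kms.amazonaws.com","eventName":"DeleteImportedKeyMaterial","userIdentity":{"arn":"arn:aws:iam::111111111111:user/dev-01"},"requestParameters":{"keyId":"constructed-key-b"}}
{"eventSource":"kms.amazonaws.com","eventName":"Decrypt","userIdentity":{"arn":"arn:aws:iam::111111111111:user/dev-01"},"requestParameters":null}
{"eventSource":"s3.amazonaws.com","eventName":"ImportKeyMaterial","userIdentity":{},"requestParameters":{}}
"""

def matches(event):
    """True when the record satisfies the rule's selection."""
    return all(event.get(field) in allowed for field, allowed in SELECTION.items())

def triage(lines):
    """Return (eventName, keyId, principal, verdict) for each matching record."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if not matches(event):
            continue
        # userIdentity and requestParameters may be null or missing.
        principal = (event.get("userIdentity") or {}).get("arn", "unknown")
        key_id = (event.get("requestParameters") or {}).get("keyId", "unknown")
        # Assumption: only imports by the approved pipeline are expected;
        # deletions and any other principal still go to an analyst.
        expected = (event["eventName"] == "ImportKeyMaterial"
                    and principal in EXPECTED_IMPORTERS)
        alerts.append((event["eventName"], key_id, principal,
                       "expected" if expected else "investigate"))
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG.splitlines()):
        print(*alert, sep="\t")
```
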