This rule is performing as expected and is low noise in telemetry, so no changes to the query.
- added investigation fields
- small edits to description and IG
- added a reference from Unit42 showing real world threat case
- reduced execution window
rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (25 additions, 8 deletions)
@@ -2,20 +2,20 @@
2
2
creation_date = "2024/04/30"
3
3
integration = ["aws"]
4
4
maturity = "production"
5
-
updated_date = "2025/01/15"
5
+
updated_date = "2025/09/05"
6
6
7
7
[rule]
8
8
author = ["Elastic"]
9
9
description = """
10
10
Identifies when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service. This
11
-
action could indicate an adversary attempting to maintain access to the instance. The rule also detects the
12
-
`SendSerialConsoleSSHPublicKey` or `SendSSHPublicKey` API actions, which are logged when manually uploading an SSH key
11
+
action could indicate an adversary attempting to maintain access to the instance. The rule detects the
12
+
SendSerialConsoleSSHPublicKey or SendSSHPublicKey API actions, which are logged when manually uploading an SSH key
13
13
to an EC2 instance or serial connection. It is important to know that this API call happens automatically by the EC2
14
14
Instance Connect service when a user connects to an EC2 instance using the EC2 Instance Connect service via the CLI or
15
15
AWS Management Console.
16
16
"""
17
17
false_positives = ["Administrators may upload SSH public keys to EC2 instances for legitimate purposes."]
18
-
from = "now-9m"
18
+
from = "now-6m"
19
19
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
20
20
language = "kuery"
21
21
license = "Elastic License v2"
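Review bot: narrowing `from` from "now-9m" to "now-6m" shrinks the lookback without any visible change to `interval` in this hunk; CloudTrail events are routinely indexed several minutes after the API call, so confirm the rule's interval still leaves enough overlap to cover that delivery latency, otherwise late-arriving SendSSHPublicKey events land outside the window and are never evaluated. Style: the rewritten description lines drop the backticks around SendSerialConsoleSSHPublicKey and SendSSHPublicKey while the note section in the same file keeps `SendSerialConsoleSSHPublicKey` in backticks; pick one convention. The retained sentence "this API call happens automatically by the EC2 Instance Connect service" reads awkwardly; "is made automatically by the EC2 Instance Connect service" would be clearer.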
@@ -24,12 +24,12 @@ note = """## Triage and Analysis
24
24
25
25
### Investigating AWS EC2 Instance Connect SSH Public Key Uploaded
26
26
27
-
This rule detects when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service. Adversaries may upload SSH public keys to EC2 instances to maintain access to the instance or for initial access. This action also occurs automatically in the background when establishing a connection to an instance via the same service. The rule also covers cases where the `SendSerialConsoleSSHPublicKey` API action is used to upload an SSH public key to a serial connection, which can be exploited for privilege escalation.
27
+
This rule detects when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service. Adversaries may upload SSH public keys to EC2 instances to maintain access to the instance or for initial access. This action also occurs automatically in the background when establishing a connection to an instance via the same service. The rule covers cases where the `SendSerialConsoleSSHPublicKey` API action is used to upload an SSH public key to a serial connection, which can be exploited for privilege escalation.
28
28
29
29
#### Possible Investigation Steps:
30
30
31
31
- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.
32
-
- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the SSH public key upload. Look for any unusual parameters that could suggest unauthorized or malicious modifications.
32
+
- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the SSH public key upload. Look for any unusual parameters that could suggest unauthorized or malicious modifications. Use the `target.entity.id` field to determine the targeted EC2 instance.
33
33
- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.
34
34
- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the SSH public key was uploaded. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.
35
35
- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.
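Review bot: the added sentence "Use the `target.entity.id` field to determine the targeted EC2 instance" depends on the CloudTrail ingest pipeline populating that field; on older integration versions or plain filebeat-* data it will be empty, so state the fallback the same bullet already points at, the instance ID inside `aws.cloudtrail.request_parameters`. Separately, "which can be exploited for privilege escalation" in the opening paragraph is vague; say what uploading a key to the serial connection actually grants, so the analyst knows what follow-on activity to look for.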
@@ -39,7 +39,7 @@ This rule detects when a new SSH public key is uploaded to an AWS EC2 instance u
39
39
40
40
- **Legitimate Administrative Actions**: Confirm if the SSH public key upload aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.
41
41
- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
42
-
- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the upload was successful and intended according to policy.
42
+
43
43
44
44
### Response and Remediation:
45
45
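Review bot: dropping the "Verify through Outcomes" bullet removes the only step that tells the analyst to check `event.outcome` and `aws.cloudtrail.response_elements`; unless the query itself filters on a successful outcome (the query is not in this diff), a denied SendSSHPublicKey call still alerts and the guide no longer says to distinguish a failed attempt from an actual key upload. Suggest keeping the bullet, or moving it into the Possible Investigation Steps list if it was removed because it did not fit under the false-positive analysis.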
@@ -57,9 +57,10 @@ For further guidance on managing EC2 instances and securing AWS environments, re
57
57
- [AWS EC2 Instance Connect API Reference](https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSSHPublicKey.html)
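Review bot: the header -57,9 +57,10 says one line was added in this hunk, presumably the Unit42 reference mentioned in the PR description, but the added line is not shown here, so the link cannot be checked; confirm it, and since the rule also covers SendSerialConsoleSSHPublicKey, consider adding the matching API reference next to the existing SendSSHPublicKey one.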