Elastic Security Detection Rules

AWS EC2 Instance Connect SSH Public Key Uploaded

Last updated 5 months ago on 2025-01-15
Created a year ago on 2024-04-30

About

Identifies when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service. This action could indicate an adversary attempting to maintain access to the instance. The rule also detects the `SendSerialConsoleSSHPublicKey` or `SendSSHPublicKey` API actions, which are logged when manually uploading an SSH key to an EC2 instance or serial connection. It is important to know that this API call happens automatically by the EC2 Instance Connect service when a user connects to an EC2 instance using the EC2 Instance Connect service via the CLI or AWS Management Console.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS EC2Use Case: Identity and Access AuditTactic: Privilege EscalationTactic: Lateral MovementLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Lateral Movement (TA0008)(opens in a new tab or window)

Remote Services (T1021)(opens in a new tab or window)

Privilege Escalation (TA0004)(opens in a new tab or window)

Account Manipulation (T1098)(opens in a new tab or window)

False Positive Examples
Administrators may upload SSH public keys to EC2 instances for legitimate purposes.
License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-aws.cloudtrail-*
Related Integrations

aws(opens in a new tab or window)

Query
event.dataset: aws.cloudtrail
    and event.provider: ec2-instance-connect.amazonaws.com
    and event.action: (SendSSHPublicKey or SendSerialConsoleSSHPublicKey)
    and event.outcome: success

Install detection rules in Elastic Security

Detect AWS EC2 Instance Connect SSH Public Key Uploaded in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).