AWS Key Pair Import Activity

Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.

Sigma rule (View on GitHub)

 1title: AWS Key Pair Import Activity
 2id: 92f84194-8d9a-4ee0-8699-c30bfac59780
 3status: experimental
 4description: |
 5        Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
 6references:
 7    - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html
 8author: Ivan Saakov
 9date: 2024-12-19
10tags:
11    - attack.initial-access
12    - attack.t1078
13    - attack.persistence
14    - attack.privilege-escalation
15logsource:
16    product: aws
17    service: cloudtrail
18detection:
19    selection:
20        eventSource: 'ec2.amazonaws.com'
21        eventName: 'ImportKeyPair'
22    condition: selection
23falsepositives:
24    - Legitimate administrative actions by authorized users importing keys for valid purposes.
25    - Automated processes for infrastructure setup may trigger this alert.
26    - Verify the user identity, user agent, and source IP address to ensure they are expected.
27level: medium

References

Related rules

to-top