elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rule] AWS EC2 New SSH Key added to EC2 Instance #966

Open aarju opened 3 years ago

aarju commented 3 years ago

Description

Detect when the AWS API was used to add a new SSH key to an EC2 instance. This could be an indicator of an attacker or insider threat that has IAM access in AWS and is using that access to directly access EC2 resources.

Required Info

Target indexes

filebeat-*

Additional requirements

AWS Filebeat Module

Target Operating Systems

Platforms

aws

Tested ECS Version

x.x.x

Optional Info

Admin activity in AWS will be a common false positive, although many orgs use other systems to manage keys, which would make this event a rare occurrence in those networks.

Query

(event.action:"ImportKeyPair" or event.action:"CreateKeyPair") and event.module:aws

New fields required in ECS/data sources for this rule?

Related issues or PRs

References

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstances.html

Example Data

bm11100 commented 3 years ago

Hey @aarju! Thanks for this. We did have this one on our list as far as an ML job is concerned. The idea is to look for ImportKeyPair/CreateKeyPair from a Rare IP, as the API calls themselves can generate a decent amount of noise.
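The proposed query and the rare-IP refinement suggested above, run over constructed ECS-style events as an added example (not code from the detection-rules repository). The ECS field names are the ones the Filebeat AWS module populates; the sample values, the 30-day baseline and the use of a plain count in place of an ML job are all assumptions made for the illustration.

```python
from collections import Counter

# Added example, not code from the detection-rules repository. The field names
# (event.module, event.action, source.ip, user.name) are ECS fields populated by
# the Filebeat AWS module; every value below is constructed sample data.
KEY_PAIR_ACTIONS = {"ImportKeyPair", "CreateKeyPair"}

def ev(user, ip, action, module="aws"):
    """Build one flattened ECS-style event (constructed sample data)."""
    return {"event.module": module, "event.action": action,
            "source.ip": ip, "user.name": user}

# Constructed baseline: key-pair API calls seen over the previous 30 days.
BASELINE = [
    ev("alice", "203.0.113.10", "CreateKeyPair"),
    ev("alice", "203.0.113.10", "CreateKeyPair"),
    ev("alice", "203.0.113.10", "ImportKeyPair"),
    ev("bob", "203.0.113.11", "ImportKeyPair"),
    ev("bob", "203.0.113.11", "ImportKeyPair"),
]

# Constructed events for the window being evaluated.
CURRENT = [
    ev("alice", "203.0.113.10", "CreateKeyPair"),            # routine admin work
    ev("bob", "203.0.113.11", "ImportKeyPair"),              # routine admin work
    ev("carol", "198.51.100.7", "ImportKeyPair"),            # source.ip never seen
    ev("alice", "203.0.113.10", "DescribeInstances"),        # not a key-pair action
    ev("dave", "198.51.100.8", "CreateKeyPair", module="okta"),  # not the aws module
]

def matches_rule(event):
    """Python equivalent of the issue's KQL:
    (event.action:"ImportKeyPair" or event.action:"CreateKeyPair") and event.module:aws"""
    return (event.get("event.module") == "aws"
            and event.get("event.action") in KEY_PAIR_ACTIONS)

def rare_ip_hits(events, baseline, min_seen=2):
    """Rare-IP refinement from the thread, done with a plain count instead of an
    ML job: keep hits whose source.ip made fewer than min_seen key-pair calls
    in the baseline window."""
    seen = Counter(e["source.ip"] for e in baseline if matches_rule(e))
    return [e for e in events if matches_rule(e) and seen[e["source.ip"]] < min_seen]

if __name__ == "__main__":
    print("raw rule hits:", sum(matches_rule(e) for e in CURRENT))  # 3
    for e in rare_ip_hits(CURRENT, BASELINE):
        print("rare-IP hit:", e["user.name"], e["source.ip"])  # carol 198.51.100.7
```

The raw query fires on all three key-pair calls from the aws module, while the baseline filter leaves only the call from the never-seen source IP, which is the noise reduction the ML-job idea is after.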

randomuserid commented 3 years ago

Added this to the Cloud module scope.

botelastic[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.