{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/ec2-instance-connect/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["EC2","EC2 Instance Connect"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","ec2","ssh","lateral-movement","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Amazon Web Services"],"content_html":"\u003cp\u003eThis alert identifies when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service. Attackers may upload SSH public keys to maintain access, achieve persistence, or escalate privileges within the AWS environment. The detection focuses on the \u003ccode\u003eSendSerialConsoleSSHPublicKey\u003c/code\u003e and \u003ccode\u003eSendSSHPublicKey\u003c/code\u003e API actions. These API calls occur both when manually uploading keys and automatically when a user connects via the EC2 Instance Connect service through the CLI or AWS Management Console. This activity, while sometimes legitimate, represents a potential avenue for unauthorized access and requires scrutiny, especially if coupled with other suspicious actions. The rule is sourced from Elastic and was last updated on April 10, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or an exposed API key.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to upload an SSH public key to an EC2 instance using the \u003ccode\u003eSendSSHPublicKey\u003c/code\u003e or \u003ccode\u003eSendSerialConsoleSSHPublicKey\u003c/code\u003e API calls.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eec2-instance-connect.amazonaws.com\u003c/code\u003e service logs the \u003ccode\u003eSendSSHPublicKey\u003c/code\u003e or \u003ccode\u003eSendSerialConsoleSSHPublicKey\u003c/code\u003e API action in CloudTrail if successful.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the uploaded SSH key to gain SSH access to the targeted EC2 instance.\u003c/li\u003e\n\u003cli\u003eOnce inside the instance, the attacker performs reconnaissance, gathering information about the system and network configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other EC2 instances or AWS services using the compromised instance as a pivot point.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003eSendSerialConsoleSSHPublicKey\u003c/code\u003e was used, the attacker attempts privilege escalation via serial console access, potentially gaining root access.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by maintaining SSH access via the uploaded key, allowing continued access to the AWS environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, lateral movement within the AWS environment, and privilege escalation. This can result in data breaches, service disruption, and significant financial loss. The impact is amplified if the targeted EC2 instance hosts critical applications or data. The number of potential victims depends on the scope of the attacker's access and the sensitivity of the data stored within the compromised AWS environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview CloudTrail logs for events matching the \u003ccode\u003eSendSSHPublicKey\u003c/code\u003e or \u003ccode\u003eSendSerialConsoleSSHPublicKey\u003c/code\u003e API actions to identify potential unauthorized SSH key uploads to EC2 instances (log source: aws.cloudtrail).\u003c/li\u003e\n\u003cli\u003eInvestigate the source IP addresses (\u003ccode\u003esource.ip\u003c/code\u003e) and user identities (\u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e) associated with these events to determine the legitimacy of the actions.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;AWS EC2 Instance Connect SSH Public Key Uploaded\u0026quot; to your SIEM and tune for your environment to detect potentially malicious SSH key uploads (rule: AWS EC2 Instance Connect SSH Public Key Uploaded).\u003c/li\u003e\n\u003cli\u003eAudit EC2 instance policies and permissions to ensure adherence to the principle of least privilege and restrict unauthorized SSH key uploads.\u003c/li\u003e\n\u003cli\u003eMonitor for the \u003ccode\u003eec2:EnableSerialConsoleAccess\u003c/code\u003e permission usage in conjunction with \u003ccode\u003eSendSerialConsoleSSHPublicKey\u003c/code\u003e to identify potential privilege escalation attempts (log source: aws.cloudtrail).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-03T14:57:00Z","date_published":"2024-05-03T14:57:00Z","id":"https://feed.craftedsignal.io/briefs/2024-05-aws-ec2-ssh-key-upload/","summary":"This rule detects the uploading of new SSH public keys to AWS EC2 instances using the EC2 Instance Connect service, which could indicate an adversary attempting to maintain access, escalate privileges, or move laterally within the cloud environment.","title":"AWS EC2 Instance Connect SSH Public Key Upload","url":"https://feed.craftedsignal.io/briefs/2024-05-aws-ec2-ssh-key-upload/"}],"language":"en","title":"CraftedSignal Threat Feed - EC2 Instance Connect","version":"https://jsonfeed.org/version/1.1"}