<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>EC2 Instance Connect - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/ec2-instance-connect/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 May 2024 14:57:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/ec2-instance-connect/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS EC2 Instance Connect SSH Public Key Upload</title><link>https://feed.craftedsignal.io/briefs/2024-05-aws-ec2-ssh-key-upload/</link><pubDate>Fri, 03 May 2024 14:57:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-aws-ec2-ssh-key-upload/</guid><description>This rule detects the uploading of new SSH public keys to AWS EC2 instances using the EC2 Instance Connect service, which could indicate an adversary attempting to maintain access, escalate privileges, or move laterally within the cloud environment.</description><content:encoded><![CDATA[<p>This alert identifies when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service. Attackers may upload SSH public keys to maintain access, achieve persistence, or escalate privileges within the AWS environment. The detection focuses on the <code>SendSerialConsoleSSHPublicKey</code> and <code>SendSSHPublicKey</code> API actions. These API calls occur both when manually uploading keys and automatically when a user connects via the EC2 Instance Connect service through the CLI or AWS Management Console. This activity, while sometimes legitimate, represents a potential avenue for unauthorized access and requires scrutiny, especially if coupled with other suspicious actions. The rule is sourced from Elastic and was last updated on April 10, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, potentially through compromised credentials or an exposed API key.</li>
<li>The attacker attempts to upload an SSH public key to an EC2 instance using the <code>SendSSHPublicKey</code> or <code>SendSerialConsoleSSHPublicKey</code> API calls.</li>
<li>The <code>ec2-instance-connect.amazonaws.com</code> service logs the <code>SendSSHPublicKey</code> or <code>SendSerialConsoleSSHPublicKey</code> API action in CloudTrail if successful.</li>
<li>The attacker leverages the uploaded SSH key to gain SSH access to the targeted EC2 instance.</li>
<li>Once inside the instance, the attacker performs reconnaissance, gathering information about the system and network configuration.</li>
<li>The attacker moves laterally to other EC2 instances or AWS services using the compromised instance as a pivot point.</li>
<li>If <code>SendSerialConsoleSSHPublicKey</code> was used, the attacker attempts privilege escalation via serial console access, potentially gaining root access.</li>
<li>The attacker achieves persistence by maintaining SSH access via the uploaded key, allowing continued access to the AWS environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to sensitive data, lateral movement within the AWS environment, and privilege escalation. This can result in data breaches, service disruption, and significant financial loss. The impact is amplified if the targeted EC2 instance hosts critical applications or data. The number of potential victims depends on the scope of the attacker's access and the sensitivity of the data stored within the compromised AWS environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Review CloudTrail logs for events matching the <code>SendSSHPublicKey</code> or <code>SendSerialConsoleSSHPublicKey</code> API actions to identify potential unauthorized SSH key uploads to EC2 instances (log source: aws.cloudtrail).</li>
<li>Investigate the source IP addresses (<code>source.ip</code>) and user identities (<code>aws.cloudtrail.user_identity.arn</code>) associated with these events to determine the legitimacy of the actions.</li>
<li>Deploy the provided Sigma rule &quot;AWS EC2 Instance Connect SSH Public Key Uploaded&quot; to your SIEM and tune for your environment to detect potentially malicious SSH key uploads (rule: AWS EC2 Instance Connect SSH Public Key Uploaded).</li>
<li>Audit EC2 instance policies and permissions to ensure adherence to the principle of least privilege and restrict unauthorized SSH key uploads.</li>
<li>Monitor for the <code>ec2:EnableSerialConsoleAccess</code> permission usage in conjunction with <code>SendSerialConsoleSSHPublicKey</code> to identify potential privilege escalation attempts (log source: aws.cloudtrail).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>ec2</category><category>ssh</category><category>lateral-movement</category><category>privilege-escalation</category><category>persistence</category></item></channel></rss>