Tag

Lateral_movement

2 briefs RSS

Suspicious AWS EC2 Key Pair Creation from Non-Cloud AS

An AWS EC2 CreateKeyPair event triggered by a new principal originating from a network autonomous system (AS) organization not associated with major cloud providers, indicating potential unauthorized access or persistence activity.

Amazon EC2 aws ec2 keypair persistence credential_access lateral_movement

2r 3t Jan 3, 2024

high advisory

Suspicious PowerShell Reconnaissance via WMI Queries

2 rules 2 TTPs

Detection of suspicious PowerShell activity using Windows Management Instrumentation (WMI) to gather system information, indicative of reconnaissance efforts by adversaries potentially leading to further exploitation or lateral movement.

Splunk Enterprise +2 powershell wmi reconnaissance lateral_movement windows

2r 2t Jan 2, 2024