AWS EC2 key pair creation attempt with known suspicious naming convention


Goal

Detect when a key pair with a suspicious name is created using a long-term access key.

Strategy

This rule lets you monitor CloudTrail logs for CreateKeyPair events made with a long-term access key and shows the identity that initiated the event.

Datadog’s security research team has observed key pair naming conventions that consist of a common noun followed by a string of alphanumeric characters. This pattern can indicate that the long-term access key used, {{@userIdentity.accessKeyId}}, has been compromised.
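As an added illustration (not Datadog's own rule logic), the following Python applies the two conditions above, a long-term access key and a key name that looks like a common noun followed by random alphanumerics, to constructed CloudTrail records; the noun sample and the tail pattern are assumed heuristics, and a production rule would use a fuller dictionary.

```python
import json
import re

# Constructed CloudTrail records (not real data): one CreateKeyPair from a
# long-term IAM user key with an odd name, one from temporary STS credentials.
SAMPLE_LOG_LINES = [
    '{"eventSource":"ec2.amazonaws.com","eventName":"CreateKeyPair",'
    '"userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deployer",'
    '"accessKeyId":"AKIAEXAMPLE000000001"},'
    '"requestParameters":{"keyName":"house8f2k9q1zx7m"}}',
    '{"eventSource":"ec2.amazonaws.com","eventName":"CreateKeyPair",'
    '"userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/Admin/alice",'
    '"accessKeyId":"ASIAEXAMPLE000000002"},'
    '"requestParameters":{"keyName":"river3k8p2w9q4zz"}}',
]

# Long-term IAM user access keys start with AKIA; temporary ones start with ASIA.
LONG_TERM_KEY = re.compile(r"^AKIA[0-9A-Z]{16}$")
# Assumed heuristic for the naming convention: a word from a small noun sample
# (a real rule would use a larger dictionary) followed by 8+ alphanumerics
# that include at least one digit.
COMMON_NOUNS = ("house", "car", "tree", "river", "cloud", "stone")
RANDOM_TAIL = re.compile(r"^(?=[a-z0-9]*\d)[a-z0-9]{8,}$")

def is_long_term_key(access_key_id):
    return bool(LONG_TERM_KEY.match(access_key_id or ""))

def has_suspicious_key_name(key_name):
    name = (key_name or "").lower()
    return any(name.startswith(noun) and RANDOM_TAIL.match(name[len(noun):])
               for noun in COMMON_NOUNS)

def find_suspicious_key_pair_creations(log_lines):
    """Return the triage fields for each CreateKeyPair event that trips both checks."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "CreateKeyPair":
            continue
        ident = rec.get("userIdentity", {})
        key_name = rec.get("requestParameters", {}).get("keyName")
        if is_long_term_key(ident.get("accessKeyId")) and has_suspicious_key_name(key_name):
            hits.append({"arn": ident.get("arn"), "accessKeyId": ident["accessKeyId"], "keyName": key_name})
    return hits
```

The second record has a suspicious-looking name but comes from temporary STS credentials, so it is not reported; only the long-term key event is returned with the ARN and access key ID needed for triage.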

Triage and response

  1. Determine if the user, {{@userIdentity.arn}}, should be generating a new key pair.
  2. Investigate the user's behavior and access information:
    • Review the user agent, IP address, and other identifying information for evidence of abnormal access.
    • Look at additional events, such as {{@userIdentity.arn}} and {{@userIdentity.accessKeyId}} attaching a key pair to an EC2 instance during the surrounding timeframe. Related EC2 events can be searched for with @eventSource:ec2.amazonaws.com and @evt.name:ImportKeyPair.
  3. If the behavior is abnormal for the user and your environment:
    • Rotate the credentials.
    • Investigate if the same credentials took other unauthorized actions.
    • Begin your company’s IR process and investigate.