CreateKeyPair
Event
Creates an EC2 key pair and returns the private key material, used for SSH authentication to EC2 instances.
Security Context
- Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
- Lateral movement techniques allow adversaries to expand their foothold by accessing additional systems and services within the environment.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Persistence, Lateral Movement
Techniques:
- T1098.004 — SSH Authorized Keys — Adversaries may modify the SSH `authorized_keys` file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management.
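Detection sketch for this event, added here as an example and not part of the original page: it filters a CloudTrail log file for EC2 CreateKeyPair records and flags those made by principals outside an expected list. The sample records, account ID, principal names and the EXPECTED allowlist are constructed assumptions.

```python
import json

# Constructed CloudTrail records for illustration; every value is made up.
def _rec(time, name, arn, key=None, error=None):
    rec = {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
           "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
           "userIdentity": {"arn": arn},
           "requestParameters": {"keyName": key} if key else None}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-01-01T10:00:00Z", "CreateKeyPair",
         "arn:aws:sts::111122223333:assumed-role/example-provisioner/ci", "build-key"),
    _rec("2024-01-01T10:05:00Z", "RunInstances",
         "arn:aws:iam::111122223333:user/example-dev"),
    _rec("2024-01-01T10:07:00Z", "CreateKeyPair",
         "arn:aws:iam::111122223333:user/example-dev", "tmp-key"),
    _rec("2024-01-01T10:09:00Z", "CreateKeyPair",
         "arn:aws:iam::111122223333:user/example-intern", "x", "Client.UnauthorizedOperation"),
]})

# Assumption: principals expected to create key pairs, matched by ARN prefix.
EXPECTED = ("arn:aws:sts::111122223333:assumed-role/example-provisioner/",)

def key_pair_creations(log_text):
    """Return one summary dict per EC2 CreateKeyPair record in a CloudTrail log file."""
    out = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "CreateKeyPair":
            continue
        arn = (rec.get("userIdentity") or {}).get("arn", "unknown")
        out.append({
            "time": rec.get("eventTime"),
            "principal": arn,
            "key_name": (rec.get("requestParameters") or {}).get("keyName"),
            "source_ip": rec.get("sourceIPAddress"),
            "region": rec.get("awsRegion"),
            # errorCode is present only when the API call failed
            "outcome": rec.get("errorCode", "success"),
            "expected": arn.startswith(EXPECTED),
        })
    return out

def alerts(log_text):
    """Creations or attempts by principals outside the expected list."""
    return [e for e in key_pair_creations(log_text) if not e["expected"]]
```

Failed attempts are kept in the alert list because a denied CreateKeyPair from an unexpected principal is still a signal worth triaging.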