SendSerialConsoleSSHPublicKey

Event

Pushes an SSH public key to an EC2 instance’s serial console interface, enabling SSH access over the serial port.

Security Context

  • Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
  • Execution capabilities in cloud services can be abused to run malicious code, establish C2 channels, or perform reconnaissance.
  • SSH-based lateral movement provides adversaries with interactive command-line access to other compute instances in the environment.

Log Source

CloudTrail

Sample Event

MITRE ATT&CK Mapping

Tactics: Lateral Movement, Execution

Techniques:
  • T1098.004 — SSH Authorized Keys — Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management.
  • T1021.004 — SSH — Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
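The following is an added detection example, not code from the original page or from AWS: it parses newline-delimited CloudTrail records, keeps only SendSerialConsoleSSHPublicKey calls (eventSource ec2-instance-connect.amazonaws.com) and scores each one against an assumed expected-use policy. The sample records, account id, ARNs, instance ids, IP ranges and the OpsBreakGlass role name are all constructed placeholders for the example.

```python
import ipaddress
import json
from typing import Iterable

EVENT_SOURCE = "ec2-instance-connect.amazonaws.com"
EVENT_NAME = "SendSerialConsoleSSHPublicKey"

# Constructed sample CloudTrail records, trimmed to the fields the logic reads.
# Account ids, ARNs, instance ids and IPs are placeholders, not real values.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {   # expected use: break-glass role, from the corporate range
        "eventTime": "2024-01-10T09:12:44Z",
        "eventSource": EVENT_SOURCE, "eventName": EVENT_NAME,
        "sourceIPAddress": "10.20.30.40",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/OpsBreakGlass/alice"},
        "requestParameters": {"instanceId": "i-0123456789abcdef0", "serialPort": 0},
    },
    {   # same API call from an unexpected principal and an external address
        "eventTime": "2024-01-10T09:15:02Z",
        "eventSource": EVENT_SOURCE, "eventName": EVENT_NAME,
        "sourceIPAddress": "203.0.113.77",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/build-svc"},
        "requestParameters": {"instanceId": "i-0fedcba9876543210", "serialPort": 0},
    },
    {   # unrelated event, must be ignored by the filter
        "eventTime": "2024-01-10T09:16:10Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "sourceIPAddress": "10.20.30.40",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/build-svc"},
        "requestParameters": {},
    },
])

# Assumed policy for this example: who is expected to push serial console
# keys at all, and from which networks.
EXPECTED_PRINCIPAL_PREFIXES = ("arn:aws:sts::111122223333:assumed-role/OpsBreakGlass/",)
EXPECTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_cloudtrail(lines: str) -> list[dict]:
    """Parse newline-delimited CloudTrail records (one JSON object per line,
    as after flattening a file's 'Records' array); skip blank/malformed lines."""
    records = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def is_serial_console_key_push(record: dict) -> bool:
    """True only for the serial console key-push API call this page describes."""
    return (record.get("eventSource") == EVENT_SOURCE
            and record.get("eventName") == EVENT_NAME)


def source_in_expected_network(ip: str) -> bool:
    """Service-originated calls carry a hostname, not an IP; treat as unexpected."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in EXPECTED_NETWORKS)


def triage(records: Iterable[dict]) -> list[dict]:
    """One finding per SendSerialConsoleSSHPublicKey call, with the reasons it
    deviates from the expected-use policy (empty reasons = expected use)."""
    findings = []
    for rec in records:
        if not is_serial_console_key_push(rec):
            continue
        principal = rec.get("userIdentity", {}).get("arn", "")
        src_ip = rec.get("sourceIPAddress", "")
        params = rec.get("requestParameters") or {}
        reasons = []
        if not principal.startswith(EXPECTED_PRINCIPAL_PREFIXES):
            reasons.append("unexpected principal")
        if not source_in_expected_network(src_ip):
            reasons.append("source outside expected networks")
        if rec.get("errorCode"):
            reasons.append(f"failed call: {rec['errorCode']}")
        findings.append({
            "time": rec.get("eventTime"), "principal": principal, "source_ip": src_ip,
            "instance_id": params.get("instanceId"), "serial_port": params.get("serialPort"),
            "reasons": reasons,
        })
    return findings


def alerts(findings: list[dict]) -> list[dict]:
    """Findings that deviate from policy and should be raised to an analyst."""
    return [f for f in findings if f["reasons"]]


if __name__ == "__main__":
    for f in triage(parse_cloudtrail(SAMPLE_LOG)):
        print("ALERT" if f["reasons"] else "ok", f["time"], f["principal"],
              f["instance_id"], f["serial_port"], f["reasons"])
```

Every key push is recorded as a finding, including expected ones, so the instance id and serial port in each record can be joined against the instance's own console/SSH logs during response; only findings with a non-empty reasons list are promoted to alerts.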