SendSSHPublicKey
Event
Pushes a temporary SSH public key to an EC2 instance via EC2 Instance Connect, valid for 60 seconds.
Security Context
- Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
- SSH-based lateral movement provides adversaries with interactive command-line access to other compute instances in the environment.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Lateral Movement Persistence
Techniques:
- T1098.004 — SSH Authorized Keys — Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management.
- T1021.004 — SSH — Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.