Detection Library
Severity: high · Status: stable · Platform: OCI · Cloud · MITRE ATT&CK: T1098.001, T1556

OCI API Key Created for Existing User — Credential Persistence

Detects creation of new API keys for existing IAM users, a common persistence mechanism after initial compromise.

Updated Dec 10, 2024 · Detection Engineering Team

Tags: oci, api-key, persistence, credential-access, cloud

Problem Statement

After gaining initial access to an OCI account, attackers create new API keys to maintain persistence even if the compromised session or password is rotated.

Sample Logs

{"eventTime":"2024-12-10T14:22:10Z","eventName":"CreateApiKey","requestAction":"POST","principalId":"ocid1.user.oc1..aaaattacker111","principalName":"attacker@external.com","requestParameters":{"userId":"ocid1.user.oc1..aaaavictim999","fingerprint":"aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88:99:00"},"compartmentId":"ocid1.tenancy.oc1..roottenancy","sourceIPAddress":"185.220.101.55","responseStatus":"200"}

Required Fields

eventName
principalId
principalName
requestParameters.userId
requestParameters.fingerprint
sourceIPAddress
responseStatus

False Positives

  • Authorized administrators provisioning API keys for service accounts
  • Onboarding automation creating keys for new users
  • Developers creating their own API keys for local development

Tuning Guidance

Focus on cases where principalId differs from requestParameters.userId (one user creating a key for another). Alert on external source IPs. Correlate with recent login anomalies for the same principal.
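The tuning guidance above, applied to the sample log as a small detection function. This is an added example, not part of the detection library's own rule code; the second event and the trusted address range are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample events (not real OCI audit records). The first mirrors the
# log line above; the second is a developer creating a key for their own user
# from an internal address and should be suppressed as a known false positive.
SAMPLE_EVENTS = [
    '{"eventTime":"2024-12-10T14:22:10Z","eventName":"CreateApiKey",'
    '"principalId":"ocid1.user.oc1..aaaattacker111","principalName":"attacker@external.com",'
    '"requestParameters":{"userId":"ocid1.user.oc1..aaaavictim999",'
    '"fingerprint":"aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88:99:00"},'
    '"sourceIPAddress":"185.220.101.55","responseStatus":"200"}',
    '{"eventTime":"2024-12-10T15:01:00Z","eventName":"CreateApiKey",'
    '"principalId":"ocid1.user.oc1..aaaadev222","principalName":"dev@example.com",'
    '"requestParameters":{"userId":"ocid1.user.oc1..aaaadev222","fingerprint":"11:22:33:44"},'
    '"sourceIPAddress":"10.1.2.3","responseStatus":"200"}',
]

# Assumed trusted egress range (placeholder); replace with the tenancy's own ranges.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_external(ip: str) -> bool:
    """True when the source address is outside every trusted range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)


def evaluate(event: dict):
    """Apply the tuning guidance to one audit event; return an alert dict or None."""
    if event.get("eventName") != "CreateApiKey" or event.get("responseStatus") != "200":
        return None  # only successful key creations establish persistence
    actor = event.get("principalId")
    target = event.get("requestParameters", {}).get("userId")
    reasons = []
    if actor != target:
        reasons.append("cross-user key creation")
    if is_external(event.get("sourceIPAddress", "0.0.0.0")):  # missing IP treated as untrusted
        reasons.append("external source IP")
    if not reasons:
        return None  # self-service key from a trusted range: documented false positive
    return {
        "severity": "high" if len(reasons) == 2 else "medium",
        "actor": event.get("principalName"),
        "target_user": target,
        "fingerprint": event["requestParameters"].get("fingerprint"),
        "source_ip": event.get("sourceIPAddress"),
        "reasons": reasons,
    }


def run_detection(raw_lines):
    """Parse JSON audit lines and return the alerts they produce."""
    return [a for a in (evaluate(json.loads(line)) for line in raw_lines) if a]
```

The returned fingerprint is the value to pivot on when revoking the key and when checking for subsequent API calls signed with it.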