AWS SSM Inventory Reconnaissance by Rare User

Detects the rare occurrence of a user or role accessing AWS Systems Manager (SSM) inventory APIs or running the AWS-GatherSoftwareInventory job. These APIs reveal detailed information about managed EC2 instances including installed software, patch compliance status, and command execution history. Adversaries may use these calls to collect software inventory while blending in with legitimate AWS operations. This is a New Terms rule that detects when a user accesses these reconnaissance APIs for the first time.

Elastic rule

[metadata]
creation_date = "2026/02/11"
integration = ["aws"]
maturity = "production"
updated_date = "2026/02/18"

[rule]
author = ["Elastic"]
description = """
Detects the rare occurrence of a user or role accessing AWS Systems Manager (SSM) inventory APIs or running the
AWS-GatherSoftwareInventory job. These APIs reveal detailed information about managed EC2 instances including
installed software, patch compliance status, and command execution history. Adversaries may use these calls to
collect software inventory while blending in with legitimate AWS operations. This is a New Terms rule that detects
when a user accesses these reconnaissance APIs for the first time.
"""
false_positives = [
    """
    Legitimate administrators or automation tools may access SSM inventory APIs for asset management or compliance purposes.
    Verify whether the user identity should be using these APIs. If known behavior is causing false positives, add exceptions.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS SSM Inventory Reconnaissance by Rare User"
note = """## Triage and analysis

### Investigating AWS SSM Inventory Reconnaissance by Rare User

AWS Systems Manager (SSM) Inventory provides detailed information about managed EC2 instances, including installed
applications, network configurations, OS details, and patch compliance status. Threat actors, including Scattered
Spider (LUCR-3), leverage these APIs to discover targets for lateral movement.

This rule detects the first time a specific user (identified by `cloud.account.id` and `user.name`) accesses SSM
inventory reconnaissance APIs or runs inventory collection commands. These APIs are typically used by automation
systems, not interactively by humans.

### Possible investigation steps

- **Verify User Identity**: Check `aws.cloudtrail.user_identity.arn` or `user.name` to determine who performed the action.
    - Is this a service account, automation role, or human user?
    - Does this user typically interact with SSM or EC2 infrastructure?
- **Review Source Context**: Examine `source.ip` and `source.geo` to determine where the request originated.
    - Does the source IP match expected locations for this user?
    - Is the source IP from an EC2 instance (potentially compromised) or an external location?
- **Analyze User Agent**: Check `user_agent.original` for suspicious values.
    - AWS CLI, SDK, or CloudShell usage from unexpected users is suspicious.
    - Custom or unusual user agents may indicate attacker tooling.
- **Correlate with Other Events**: Look for other reconnaissance or lateral movement activity from the same user.
    - Check for `StartSession`, `SendCommand`, or other SSM execution APIs.
    - Look for `GetCallerIdentity` calls which often precede reconnaissance.
- **Review Timeline**: Investigate activity 30 minutes before and after this event.
    - Was there an initial access event (e.g., console login, `AssumeRole`)?
    - Did the user proceed to access secrets or attempt lateral movement?

### False positive analysis

- Automation and Monitoring: Legitimate monitoring tools, asset management systems, or compliance scanners may query SSM inventory regularly. These should use dedicated service accounts.
- Administrator Activity: Cloud administrators may occasionally query inventory for troubleshooting. Verify with the user whether this was intentional.
- CI/CD Pipelines: Deployment pipelines may check patch compliance before deployments.
- SSM Associations: The `AWS-GatherSoftwareInventory` document is normally deployed via IaC tools (Terraform, CloudFormation) or the AWS Console during initial setup. Interactive `CreateAssociation` calls outside of these contexts warrant investigation.

### Response and remediation

- Immediate Verification: Contact the user to verify whether they performed this action intentionally.
- Review Permissions: If unauthorized, review and restrict the user's IAM permissions following least privilege.
- Investigate Credential Compromise: If the user did not perform this action, treat their credentials as compromised.
    - Rotate access keys and session tokens.
    - Review recent activity for data exfiltration or privilege escalation.
- Enhanced Monitoring: Add the user or role to enhanced monitoring if suspicious activity is confirmed.

### Additional information
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
"""
references = [
    "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud",
    "https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider_0.pdf",
    "https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-inventory.html",
]
risk_score = 47
rule_id = "1004ad5b-6900-4d28-ab5b-472f02e1fdfb"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS SSM",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "ssm.amazonaws.com"
    and (
        event.action: ("GetInventory" or "GetInventorySchema" or "ListInventoryEntries" or "DescribeInstancePatches" or "ListCommands")
        or (event.action: "CreateAssociation"
            and aws.cloudtrail.request_parameters: *AWS-GatherSoftwareInventory*)
    )
    and not aws.cloudtrail.user_identity.type : "AWSService"
    and event.outcome: "success"
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters"
]

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1538"
name = "Cloud Service Dashboard"
reference = "https://attack.mitre.org/techniques/T1538/"

[[rule.threat.technique]]
id = "T1580"
name = "Cloud Infrastructure Discovery"
reference = "https://attack.mitre.org/techniques/T1580/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[rule.new_terms]
field = "new_terms_fields"
value = ["cloud.account.id", "user.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"

Triage and analysis

Investigating AWS SSM Inventory Reconnaissance by Rare User

AWS Systems Manager (SSM) Inventory provides detailed information about managed EC2 instances, including installed applications, network configurations, OS details, and patch compliance status. Threat actors, including Scattered Spider (LUCR-3), leverage these APIs to discover targets for lateral movement.

This rule detects the first time a specific user (identified by cloud.account.id and user.name) accesses SSM inventory reconnaissance APIs or runs inventory collection commands. These APIs are typically used by automation systems, not interactively by humans.
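To make the rule's behaviour concrete, here is an added Python port of its KQL filter and of the new-terms logic (a term is new if the account/user pair produced no matching event in the preceding 10 days), run over constructed CloudTrail events laid out with the field names the Elastic AWS integration produces. This is example code written for this page, not Elastic's own implementation; the account ID, user names and request parameters are made up.

```python
"""Added example (not Elastic's code): port of the rule's query and new-terms
logic, exercised on constructed CloudTrail events (not real records)."""
from datetime import datetime, timedelta

# event.action values the rule matches outright (see the `query` above).
INVENTORY_ACTIONS = {
    "GetInventory", "GetInventorySchema", "ListInventoryEntries",
    "DescribeInstancePatches", "ListCommands",
}
# Mirrors the rule's history_window_start = "now-10d".
HISTORY_WINDOW = timedelta(days=10)


def matches_query(ev):
    """Port of the KQL filter: dataset, provider, outcome, identity type, action."""
    if ev.get("event.dataset") != "aws.cloudtrail":
        return False
    if ev.get("event.provider") != "ssm.amazonaws.com":
        return False
    if ev.get("event.outcome") != "success":
        return False
    # `not aws.cloudtrail.user_identity.type : "AWSService"` drops AWS-internal callers.
    if ev.get("aws.cloudtrail.user_identity.type") == "AWSService":
        return False
    action = ev.get("event.action")
    if action in INVENTORY_ACTIONS:
        return True
    if action == "CreateAssociation":
        # Wildcard match on the association document name in request_parameters.
        return "AWS-GatherSoftwareInventory" in ev.get("aws.cloudtrail.request_parameters", "")
    return False


def new_terms_alerts(events, history_window=HISTORY_WINDOW):
    """Alert on each matching event whose (cloud.account.id, user.name) pair has
    no matching event within `history_window` before it. Events are walked in
    timestamp order, so the most recent matching event per term is enough to
    decide whether the term is new at that point."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["@timestamp"])):
        if not matches_query(ev):
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        term = (ev["cloud.account.id"], ev["user.name"])
        prev = last_seen.get(term)
        if prev is None or ts - prev > history_window:
            alerts.append({
                "@timestamp": ev["@timestamp"],
                "cloud.account.id": term[0],
                "user.name": term[1],
                "event.action": ev["event.action"],
                "aws.cloudtrail.user_identity.arn": ev.get("aws.cloudtrail.user_identity.arn"),
            })
        last_seen[term] = ts
    return alerts


def make_event(ts, user, action, provider="ssm.amazonaws.com", outcome="success",
               identity_type="IAMUser", params="", account="123456789012"):
    """Build a constructed event in the integration's flattened field layout."""
    return {
        "@timestamp": ts,
        "event.dataset": "aws.cloudtrail",
        "event.provider": provider,
        "event.action": action,
        "event.outcome": outcome,
        "cloud.account.id": account,
        "user.name": user,
        "aws.cloudtrail.user_identity.type": identity_type,
        "aws.cloudtrail.user_identity.arn": f"arn:aws:iam::{account}:user/{user}",
        "aws.cloudtrail.request_parameters": params,
    }


# Constructed sample: an automation user, a human user, and an AWS-internal caller.
SAMPLE_EVENTS = [
    make_event("2026-02-01T08:00:00", "inventory-automation", "GetInventory"),
    make_event("2026-02-03T08:00:00", "inventory-automation", "GetInventory"),
    make_event("2026-02-03T09:10:00", "jdoe", "DescribeInstances", provider="ec2.amazonaws.com"),
    make_event("2026-02-04T09:20:00", "jdoe", "GetInventory", outcome="failure"),
    make_event("2026-02-05T09:30:00", "jdoe", "CreateAssociation",
               params="{name=AWS-GatherSoftwareInventory, targets=[{key=InstanceIds, values=[*]}]}"),
    make_event("2026-02-05T10:00:00", "ssm.amazonaws.com", "ListCommands", identity_type="AWSService"),
    make_event("2026-02-20T08:00:00", "inventory-automation", "ListCommands"),
]

if __name__ == "__main__":
    for a in new_terms_alerts(SAMPLE_EVENTS):
        print(a["@timestamp"], a["cloud.account.id"], a["user.name"], a["event.action"])
```

Three alerts come out: the automation user's first GetInventory on 2026-02-01, jdoe's CreateAssociation on 2026-02-05 (the failed GetInventory the day before does not count because the query requires `event.outcome: "success"`), and the automation user again on 2026-02-20 because its last matching event fell outside the 10-day window. The ec2 call and the AWSService-originated ListCommands never match.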

Possible investigation steps

  • Verify User Identity: Check aws.cloudtrail.user_identity.arn or user.name to determine who performed the action.
    • Is this a service account, automation role, or human user?
    • Does this user typically interact with SSM or EC2 infrastructure?
  • Review Source Context: Examine source.ip and source.geo to determine where the request originated.
    • Does the source IP match expected locations for this user?
    • Is the source IP from an EC2 instance (potentially compromised) or an external location?
  • Analyze User Agent: Check user_agent.original for suspicious values.
    • AWS CLI, SDK, or CloudShell usage from unexpected users is suspicious.
    • Custom or unusual user agents may indicate attacker tooling.
  • Correlate with Other Events: Look for other reconnaissance or lateral movement activity from the same user.
    • Check for StartSession, SendCommand, or other SSM execution APIs.
    • Look for GetCallerIdentity calls which often precede reconnaissance.
  • Review Timeline: Investigate activity 30 minutes before and after this event.
    • Was there an initial access event (e.g., console login, AssumeRole)?
    • Did the user proceed to access secrets or attempt lateral movement?
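The correlation and timeline steps above can be scripted once the CloudTrail events for the alerting account/user have been pulled. The following is an added example (not part of Elastic's guide) that keeps the events within 30 minutes either side of the alert, tags each with the phase it suggests, and reports whether the actor moved on from inventory reads to execution or secrets access. The events are constructed; using `GetSecretValue`/`GetParameter` as markers for "access secrets" is an assumption on my part, not something the rule names.

```python
"""Added example (not Elastic's code): +/-30 minute timeline around an alert,
with phase tags drawn from the investigation steps. Events are constructed."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)

# Phase markers. initial_access, pre_recon, ssm_inventory and ssm_execution come
# from the investigation steps and the rule's query; secrets_access is an assumption.
PHASES = {
    "initial_access": {"ConsoleLogin", "AssumeRole"},
    "pre_recon": {"GetCallerIdentity"},
    "ssm_inventory": {"GetInventory", "GetInventorySchema", "ListInventoryEntries",
                      "DescribeInstancePatches", "ListCommands"},
    "ssm_execution": {"StartSession", "SendCommand"},
    "secrets_access": {"GetSecretValue", "GetParameter", "GetParameters"},
}


def phase_of(action):
    """Map an event.action to a phase name, or None if it is not a marker."""
    for phase, actions in PHASES.items():
        if action in actions:
            return phase
    return None


def build_timeline(alert, events, window=WINDOW):
    """Events for the alert's account/user within +/-window, oldest first, each
    with its minute offset from the alert, source context, and phase tag."""
    t0 = datetime.fromisoformat(alert["@timestamp"])
    actor = (alert["cloud.account.id"], alert["user.name"])
    rows = []
    for ev in events:
        if (ev["cloud.account.id"], ev["user.name"]) != actor:
            continue
        delta = datetime.fromisoformat(ev["@timestamp"]) - t0
        if abs(delta) > window:
            continue
        rows.append({
            "offset_min": int(delta.total_seconds() // 60),
            "event.action": ev["event.action"],
            "source.ip": ev.get("source.ip"),
            "user_agent.original": ev.get("user_agent.original"),
            "phase": phase_of(ev["event.action"]),
        })
    rows.sort(key=lambda r: r["offset_min"])
    return rows


def summarize(rows):
    """Phases seen before and after the alert, whether the actor escalated past
    inventory reads, and the set of source IPs in the window (a change of IP
    mid-window is worth a closer look under 'Review Source Context')."""
    before = {r["phase"] for r in rows if r["offset_min"] < 0 and r["phase"]}
    after = {r["phase"] for r in rows if r["offset_min"] > 0 and r["phase"]}
    return {
        "before": before,
        "after": after,
        "escalated": bool(after & {"ssm_execution", "secrets_access"}),
        "source_ips": {r["source.ip"] for r in rows if r["source.ip"]},
    }


def make_event(ts, action, user="jdoe", ip="203.0.113.10",
               ua="aws-cli/2.15.0 Python/3.11.6 Linux/6.1 source/x86_64",
               account="123456789012"):
    """Constructed event with just the fields the timeline uses."""
    return {"@timestamp": ts, "cloud.account.id": account, "user.name": user,
            "event.action": action, "source.ip": ip, "user_agent.original": ua}


# Constructed activity for the alerting user, plus two events that must be excluded.
SAMPLE_EVENTS = [
    make_event("2026-02-05T09:40:00", "AssumeRole"),
    make_event("2026-02-05T09:42:00", "GetCallerIdentity"),
    make_event("2026-02-05T10:00:00", "GetInventory"),       # the alerting event
    make_event("2026-02-05T10:05:00", "ListCommands"),
    make_event("2026-02-05T10:12:00", "SendCommand"),
    make_event("2026-02-05T10:20:00", "GetSecretValue"),
    make_event("2026-02-05T11:30:00", "DescribeInstances"),  # outside the window
    make_event("2026-02-05T10:03:00", "GetInventory", user="inventory-automation"),  # other user
]
ALERT = SAMPLE_EVENTS[2]

if __name__ == "__main__":
    rows = build_timeline(ALERT, SAMPLE_EVENTS)
    for r in rows:
        print(f"{r['offset_min']:+4d} min  {r['event.action']:<20} {r['phase'] or '-'}")
    print(summarize(rows))
```

On this sample the window captures AssumeRole and GetCallerIdentity before the alert and ListCommands, SendCommand and GetSecretValue after it, so the summary flags escalation; the other user's GetInventory and the DescribeInstances call 90 minutes later are dropped.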

False positive analysis

  • Automation and Monitoring: Legitimate monitoring tools, asset management systems, or compliance scanners may query SSM inventory regularly. These should use dedicated service accounts.
  • Administrator Activity: Cloud administrators may occasionally query inventory for troubleshooting. Verify with the user whether this was intentional.
  • CI/CD Pipelines: Deployment pipelines may check patch compliance before deployments.
  • SSM Associations: The AWS-GatherSoftwareInventory document is normally deployed via IaC tools (Terraform, CloudFormation) or the AWS Console during initial setup. Interactive CreateAssociation calls outside of these contexts warrant investigation.

Response and remediation

  • Immediate Verification: Contact the user to verify whether they performed this action intentionally.
  • Review Permissions: If unauthorized, review and restrict the user's IAM permissions following least privilege.
  • Investigate Credential Compromise: If the user did not perform this action, treat their credentials as compromised.
    • Rotate access keys and session tokens.
    • Review recent activity for data exfiltration or privilege escalation.
  • Enhanced Monitoring: Add the user or role to enhanced monitoring if suspicious activity is confirmed.
