AWS SSM Command Document Created by Rare User
Identifies when an AWS Systems Manager (SSM) command document is created by a user or role who does not typically perform this action. Adversaries may create SSM command documents to execute commands on managed instances, potentially leading to unauthorized access, command and control, data exfiltration and more.
Elastic rule
```toml
[metadata]
creation_date = "2024/11/01"
integration = ["aws"]
maturity = "production"
updated_date = "2025/06/25"

[rule]
author = ["Elastic"]
description = """
Identifies when an AWS Systems Manager (SSM) command document is created by a user or role who does not typically perform this action. Adversaries may create SSM command documents to execute commands on managed instances, potentially leading to unauthorized access, command and control, data exfiltration and more.
"""
false_positives = [
    """
    Legitimate users may create SSM command documents for legitimate purposes. Ensure that the document is authorized and the user is known before taking action.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS SSM Command Document Created by Rare User"
note = """## Triage and analysis

### Investigating AWS SSM Command Document Created by Rare User

This rule identifies when an AWS Systems Manager (SSM) command document is created by a user who does not typically perform this action. Creating SSM command documents can be a legitimate action but may also indicate malicious intent if done by an unusual or compromised user. Adversaries may leverage SSM documents to execute commands on managed instances, potentially leading to unauthorized access, command and control, or data exfiltration.

#### Possible Investigation Steps

- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` field to identify who created the SSM document, and `aws.cloudtrail.user_identity.type` and `aws.cloudtrail.user_identity.access_key_id` to see how they authenticated. Verify whether this user typically creates such documents and has the appropriate permissions. It may be unexpected for certain types of users, like assumed roles or federated users, to perform this action.
- **Analyze the Document Details**:
  - **Document Name**: Check the `aws.cloudtrail.request_parameters.name` field for the document name to understand its intended purpose.
  - **Document Content**: If possible, review `aws.cloudtrail.request_parameters.content` for any sensitive or unexpected instructions (e.g., actions for data exfiltration or privilege escalation). If the content is not available via logs, review the document in the AWS Management Console.
- **Contextualize the Activity with Related Events**: Look for other CloudTrail events involving the same user ARN or IP address (`source.ip`). Examine actions performed in other AWS services, such as IAM, EC2, or S3, to identify if additional suspicious behavior exists. A subsequent `SendCommand` API call that names the new document indicates an attempt to execute it on managed instances.
- **Check Document Status and Metadata**: the query keys on `aws.cloudtrail.flattened.response_elements.documentDescription.documentType`; the same `documentDescription` object in the response elements carries the fields below.
  - **Document Status**: Confirm the document creation status in `documentDescription.status`. A status of `Creating` is expected immediately after the call and means the document is still being created; it later becomes `Active`, or `Failed` if creation did not succeed.
  - **Target Platforms and Version**: Review `platformTypes` and `documentVersion` in `documentDescription` to understand which managed node platforms (Windows, Linux, macOS) the document can run on and whether more than one version of the document exists.

### False Positive Analysis

- **Authorized Administrative Actions**: Determine if this document creation aligns with scheduled administrative tasks or actions by authorized personnel.
- **Historical User Actions**: Compare this action against historical activities for the user to determine if they have a history of creating similar documents, which may indicate legitimate usage.

### Response and Remediation

- **Immediate Document Review and Deletion**: If the document creation is deemed unauthorized, preserve a copy of the document content for the investigation, check whether it has already been executed via `SendCommand`, then delete the document and check for other similar documents created recently.
- **Enhance Monitoring and Alerts**: Configure additional monitoring for SSM document creation events, especially when associated with untrusted or rare users.
- **Policy Update**: Consider restricting SSM document creation permissions to specific, trusted roles or users to prevent unauthorized document creation.
- **Incident Response**: If the document is confirmed as part of malicious activity, treat this as a security incident. Follow incident response protocols, including containment, investigation, and remediation.

### Additional Information

For further guidance on managing and securing AWS Systems Manager in your environment, refer to the [AWS SSM documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) and AWS security best practices.
"""
references = [
    "https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreateDocument.html",
    "https://docs.aws.amazon.com/systems-manager/latest/userguide/documents.html",
]
risk_score = 21
rule_id = "50a2bdea-9876-11ef-89db-f661ea17fbcd"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS SSM",
    "Data Source: AWS Systems Manager",
    "Resources: Investigation Guide",
    "Use Case: Threat Detection",
    "Tactic: Execution",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "ssm.amazonaws.com"
    and event.action: "CreateDocument"
    and event.outcome: "success"
    and aws.cloudtrail.flattened.response_elements.documentDescription.documentType: "Command"
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements"
]

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1651"
name = "Cloud Administration Command"
reference = "https://attack.mitre.org/techniques/T1651/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[rule.new_terms]
field = "new_terms_fields"
value = ["cloud.account.id", "user.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
```
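To see what the rule's filter and its `new_terms` baseline actually select, here is an added Python example (not code from Elastic or the detection-rules repository) that replays both over a handful of constructed CloudTrail records and returns the triage fields the guide asks for. It assumes raw CloudTrail JSON field names (`eventSource`, `eventName`, `errorCode`, `userIdentity`, `responseElements`) rather than the ECS fields the query uses, and it approximates `user.name` from `userIdentity` (IAM user name, falling back to the issuing role name for assumed roles); the account ID, IP address, identities and document names in the sample are invented.

```python
# Added example, not part of the Elastic rule: replays the rule's KQL filter
# and new_terms logic over constructed CloudTrail records.
# Assumptions (not from the page): raw CloudTrail JSON layout, and user.name
# approximated from userIdentity as described in actor_key().
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 25, 12, 0, 0, tzinfo=timezone.utc)  # constructed "now"
LOOKBACK = timedelta(minutes=6)        # rule: from = "now-6m"
HISTORY_WINDOW = timedelta(days=10)    # rule: history_window_start = "now-10d"


def matches_query(rec):
    """Equivalent of the rule's KQL: a successful ssm CreateDocument whose
    response says the new document is of type Command."""
    if rec.get("eventSource") != "ssm.amazonaws.com":
        return False
    if rec.get("eventName") != "CreateDocument":
        return False
    if rec.get("errorCode"):          # CloudTrail sets errorCode on failed calls
        return False
    desc = (rec.get("responseElements") or {}).get("documentDescription") or {}
    return desc.get("documentType") == "Command"


def actor_key(rec):
    """(cloud.account.id, user.name): the pair the rule's new_terms keys on.
    IAM users carry userIdentity.userName; for assumed roles we fall back to
    the issuing role name (an assumption about how user.name is derived)."""
    ui = rec.get("userIdentity", {})
    name = (ui.get("userName")
            or ui.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
            or ui.get("arn"))
    return (rec.get("recipientAccountId"), name)


def event_time(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_summary(rec):
    """Pull the fields the investigation guide asks for out of one event."""
    desc = rec["responseElements"]["documentDescription"]
    return {
        "actor_arn": rec["userIdentity"].get("arn"),
        "account": rec.get("recipientAccountId"),
        "source_ip": rec.get("sourceIPAddress"),
        "document": rec.get("requestParameters", {}).get("name"),
        "status": desc.get("status"),
        "platform_types": desc.get("platformTypes", []),
        "document_version": desc.get("documentVersion"),
    }


def rare_user_alerts(records, now=NOW):
    """Alert on matching events inside the 6-minute rule window whose
    (account, user) pair never matched during the preceding 10-day history."""
    matching = [r for r in records if matches_query(r)]
    window_start = now - LOOKBACK
    history_start = now - HISTORY_WINDOW
    known = {actor_key(r) for r in matching
             if history_start <= event_time(r) < window_start}
    return [triage_summary(r) for r in matching
            if window_start <= event_time(r) <= now and actor_key(r) not in known]


def _event(minutes_ago, identity, name, doc_type="Command", error=None):
    """Build one constructed CloudTrail record (sample data, not real logs)."""
    rec = {
        "eventTime": (NOW - timedelta(minutes=minutes_ago)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "ssm.amazonaws.com",
        "eventName": "CreateDocument",
        "recipientAccountId": "123456789012",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": identity,
        "requestParameters": {"name": name, "documentType": doc_type},
        "responseElements": {"documentDescription": {
            "name": name, "documentType": doc_type, "status": "Creating",
            "documentVersion": "1", "platformTypes": ["Linux"]}},
    }
    if error:                     # failed calls carry errorCode and no response body
        rec["errorCode"] = error
        rec["responseElements"] = None
    return rec


ADMIN = {"type": "IAMUser", "userName": "ops-admin",
         "arn": "arn:aws:iam::123456789012:user/ops-admin"}
CONTRACTOR = {"type": "AssumedRole",
              "arn": "arn:aws:sts::123456789012:assumed-role/contractor-dev/s1",
              "sessionContext": {"sessionIssuer": {"userName": "contractor-dev"}}}

SAMPLE_EVENTS = [
    _event(3 * 24 * 60, ADMIN, "Ops-PatchCheck"),             # history: ops-admin is a known creator
    _event(2, ADMIN, "Ops-PatchCheck-v2"),                     # in window, known pair -> no alert
    _event(1, CONTRACTOR, "Maintenance-Task"),                 # in window, never seen -> alert
    _event(1, CONTRACTOR, "Runbook", doc_type="Automation"),   # not a Command document
    _event(0, CONTRACTOR, "Denied-Doc", error="AccessDenied"), # failed call, filtered out
]

if __name__ == "__main__":
    for alert in rare_user_alerts(SAMPLE_EVENTS):
        print(alert)
```

The baseline is built only from events that matched the same filter inside the history window, which is why `ops-admin` creating a second Command document in the rule window raises nothing while the contractor role's first one does. The `AccessDenied` call and the Automation document are dropped by the filter before they can either alert or seed the baseline, mirroring the `event.outcome: "success"` and `documentType: "Command"` clauses of the query.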
References
- https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreateDocument.html
- https://docs.aws.amazon.com/systems-manager/latest/userguide/documents.html
Related rules
- AWS Lambda Layer Added to Existing Function
- SSM Session Started to EC2 Instance
- AWS DynamoDB Scan by Unusual User
- AWS SNS Email Subscription by Rare User
- AWS SNS Topic Created by Rare User