Potential Malicious Usage of CloudTrail System Manager

Detects a successful AWS Systems Manager (SSM) SendCommand call recorded in CloudTrail, i.e. a command document being run on a managed instance.

Sigma rule

title: Potential Malicious Usage of CloudTrail System Manager
id: 38e7f511-3f74-41d4-836e-f57dfa18eead
status: test
description: |
        Detect when System Manager successfully executes commands against an instance.
references:
    - https://github.com/elastic/detection-rules/blob/v8.6.0/rules/integrations/aws/initial_access_via_system_manager.toml
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.t1566
    - attack.t1566.002
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventName: 'SendCommand'
        eventSource: 'ssm.amazonaws.com'
        responseElements.command.status: 'Success'
    condition: selection
falsepositives:
    - There are legitimate uses of SSM to send commands to EC2 instances
    - Legitimate users may have to use SSM to perform actions against machines in the Cloud to update or maintain them
level: high
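The rule's selection is three exact-match field tests joined by AND. The following Python is an added example (not part of the Sigma rule, the SigmaHQ project, or the referenced Elastic rule) that applies those tests to a small set of constructed CloudTrail records and pulls out the fields an analyst needs for triage. The sample records are constructed for illustration: the principal ARN, instance ID, IP address and command ID are invented, and the field layout follows the CloudTrail format as the rule references it (`responseElements.command.status`, `requestParameters.documentName`, `requestParameters.instanceIds`).

```python
"""Apply the SSM SendCommand Sigma selection to constructed CloudTrail records.

Added example, not the rule's own code. The records in SAMPLE_LOG are
constructed to look like CloudTrail entries; they are not real logs.
"""
import json
from typing import Any, Dict, List, Optional

# The rule's selection: dotted field path -> required value, all must match.
SELECTION = {
    "eventName": "SendCommand",
    "eventSource": "ssm.amazonaws.com",
    "responseElements.command.status": "Success",
}


def get_path(record: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted path such as responseElements.command.status.

    Returns None when any intermediate key is missing or not a mapping, which
    is what happens on a denied call, where CloudTrail writes
    responseElements as null.
    """
    cur: Any = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches(record: Dict[str, Any]) -> bool:
    """True when every field in SELECTION has exactly the required value."""
    return all(get_path(record, k) == v for k, v in SELECTION.items())


def triage_fields(record: Dict[str, Any]) -> Dict[str, Any]:
    """Fields an analyst looks at first: who, from where, which document,
    which instances, and the command ID to pivot on in SSM."""
    return {
        "time": record.get("eventTime"),
        "actor": get_path(record, "userIdentity.arn"),
        "source_ip": record.get("sourceIPAddress"),
        "document": get_path(record, "requestParameters.documentName"),
        "instances": get_path(record, "requestParameters.instanceIds") or [],
        "command_id": get_path(record, "responseElements.command.commandId"),
    }


def run_rule(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return a triage summary for every record the selection matches."""
    return [triage_fields(r) for r in records if matches(r)]


# Constructed sample: one hit, one denied call, one non-Success status,
# one unrelated EC2 event. Identifiers are invented.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-07-11T10:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "SendCommand", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0123456789abcdef0"]},
     "responseElements": {"command": {"commandId": "0000aaaa-example",
                                      "status": "Success"}}},
    # Denied call: errorCode set, responseElements null -> no match.
    {"eventTime": "2024-07-11T10:01:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "SendCommand", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0123456789abcdef0"]},
     "responseElements": None},
    # Any status other than the exact string 'Success' is not matched.
    {"eventTime": "2024-07-11T10:02:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0123456789abcdef0"]},
     "responseElements": {"command": {"commandId": "1111bbbb-example",
                                      "status": "Pending"}}},
    # Unrelated service/event -> no match.
    {"eventTime": "2024-07-11T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StartInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
     "responseElements": {"instancesSet": {"items": []}}},
]})


def demo() -> List[Dict[str, Any]]:
    """Run the rule over the constructed sample log."""
    return run_rule(json.loads(SAMPLE_LOG)["Records"])


if __name__ == "__main__":
    for hit in demo():
        print(json.dumps(hit))
```

Because the third field test is an exact match on `Success`, records whose `responseElements.command.status` carries any other value fall outside the selection; when tuning this rule, compare the status values your own CloudTrail SendCommand events actually carry against that literal before relying on it.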
