Potential Malicious Usage of CloudTrail System Manager

Detect when System Manager successfully executes commands against an instance.

Sigma rule

title: Potential Malicious Usage of CloudTrail System Manager
id: 38e7f511-3f74-41d4-836e-f57dfa18eead
status: test
description: |
    Detect when System Manager successfully executes commands against an instance.
references:
    - https://github.com/elastic/detection-rules/blob/v8.6.0/rules/integrations/aws/initial_access_via_system_manager.toml
author: jamesc-grafana
date: 2024-07-11
modified: 2025-12-08
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.t1566
    - attack.t1566.002
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_event:
        eventName: 'SendCommand'
        eventSource: 'ssm.amazonaws.com'
    selection_status_success:
        errorCode: 'Success'
    selection_status_null:
        errorCode: null
    condition: selection_event and 1 of selection_status_*
falsepositives:
    - There are legitimate uses of SSM to send commands to EC2 instances
    - Legitimate users may have to use SSM to perform actions against machines in the Cloud to update or maintain them
level: high
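The rule's detection logic, written out as an added Python example (not code from the Sigma project) and run over constructed CloudTrail records. It shows why the `errorCode: null` selection matters, since CloudTrail omits `errorCode` on successful API calls, and pulls out the actor, SSM document and target instances a responder would want for triage.

```python
# Constructed CloudTrail records (not real log data). CloudTrail omits errorCode
# on successful API calls, which is why the rule also matches errorCode: null.
SAMPLE_EVENTS = [
    {"eventName": "SendCommand", "eventSource": "ssm.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0123456789abcdef0"]}},
    {"eventName": "SendCommand", "eventSource": "ssm.amazonaws.com",
     "errorCode": "Success",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/patch-automation"},
     "requestParameters": {"documentName": "AWS-RunPatchBaseline",
                           "instanceIds": ["i-0fedcba9876543210"]}},
    {"eventName": "SendCommand", "eventSource": "ssm.amazonaws.com",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0123456789abcdef0"]}},
    {"eventName": "StartSession", "eventSource": "ssm.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventName": "SendCommand", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]


def selection_event(event):
    """selection_event: the SSM SendCommand API call."""
    return (event.get("eventName") == "SendCommand"
            and event.get("eventSource") == "ssm.amazonaws.com")


def selection_status_success(event):
    """selection_status_success: errorCode explicitly 'Success'."""
    return event.get("errorCode") == "Success"


def selection_status_null(event):
    """selection_status_null: Sigma's `field: null` matches a missing or null field."""
    return event.get("errorCode") is None


def matches_rule(event):
    """condition: selection_event and 1 of selection_status_*"""
    return selection_event(event) and (
        selection_status_success(event) or selection_status_null(event))


def find_matches(events):
    """Return (actor ARN, SSM document, instance IDs) for each record the rule fires on."""
    hits = []
    for event in events:
        if matches_rule(event):
            params = event.get("requestParameters", {})
            hits.append((event.get("userIdentity", {}).get("arn"),
                         params.get("documentName"),
                         tuple(params.get("instanceIds", []))))
    return hits
```

The failed `AccessDenied` call, the `StartSession` call and the non-SSM event are all left out, so only the two successful SendCommand records remain for review against the known-legitimate automation listed under false positives.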
