Potential Malicious Usage of CloudTrail System Manager

Detect when System Manager successfully executes commands against an instance.

Sigma rule

title: Potential Malicious Usage of CloudTrail System Manager
id: 38e7f511-3f74-41d4-836e-f57dfa18eead
status: experimental
description: |
        Detect when System Manager successfully executes commands against an instance.
references:
    - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.privilege-escalation
    - attack.t1566
    - attack.t1566.002
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventName: 'SendCommand'
        eventSource: 'ssm.amazonaws.com'
        responseElements.command.status: 'Success'
    condition: selection
falsepositives:
    - There are legitimate uses of SSM to send commands to EC2 instances
    - Legitimate users may have to use SSM to perform actions against machines in the Cloud to update or maintain them
level: high
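The selection block above is three AND-ed field tests, one of which (responseElements.command.status) is a nested path into the CloudTrail record. The following Python is an added example, not part of the rule or of the Sigma project: it evaluates that selection over a handful of constructed CloudTrail records and returns the triage fields (actor, source IP, SSM document, target instances) an analyst would want when the rule fires. The sample records, account id, ARNs, instance ids and event ids are all placeholders.

```python
import json

# Selection block of the Sigma rule above, as dotted CloudTrail field paths.
# All fields inside one Sigma selection map are AND-ed together.
SELECTION = {
    "eventName": "SendCommand",
    "eventSource": "ssm.amazonaws.com",
    "responseElements.command.status": "Success",
}


def get_path(record, dotted):
    """Follow a dotted path through nested dicts; None if any step is missing."""
    cur = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def value_matches(actual, expected):
    """Sigma compares strings case-insensitively unless a modifier says otherwise."""
    if isinstance(actual, str) and isinstance(expected, str):
        return actual.lower() == expected.lower()
    return actual == expected


def matches(record, selection=SELECTION):
    """True only when every selection field is present and equal."""
    return all(value_matches(get_path(record, k), v) for k, v in selection.items())


def summarize(record):
    """Fields an analyst wants first when the rule fires (used for baselining too)."""
    params = record.get("requestParameters") or {}
    return {
        "eventID": record.get("eventID"),
        "eventTime": record.get("eventTime"),
        "actor": get_path(record, "userIdentity.arn"),
        "sourceIPAddress": record.get("sourceIPAddress"),
        "document": params.get("documentName"),
        "instances": params.get("instanceIds", []),
    }


def detect(records):
    """Apply the selection to a list of CloudTrail records; return summaries of hits."""
    return [summarize(r) for r in records if matches(r)]


# Constructed sample CloudTrail records (not real data). Only evt-1 should match:
# evt-2 has a non-Success status, evt-3 is a different SSM API call,
# evt-4 comes from a different service.
SAMPLE_RECORDS = json.loads("""
[
 {"eventID": "evt-1", "eventTime": "2024-07-11T10:00:00Z",
  "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
  "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0example1"]},
  "responseElements": {"command": {"commandId": "cmd-placeholder-1", "status": "Success"}}},
 {"eventID": "evt-2", "eventTime": "2024-07-11T10:01:00Z",
  "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
  "sourceIPAddress": "203.0.113.11",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:role/example-role"},
  "requestParameters": {"documentName": "AWS-RunPatchBaseline", "instanceIds": ["i-0example2"]},
  "responseElements": {"command": {"commandId": "cmd-placeholder-2", "status": "Pending"}}},
 {"eventID": "evt-3", "eventTime": "2024-07-11T10:02:00Z",
  "eventSource": "ssm.amazonaws.com", "eventName": "GetCommandInvocation",
  "sourceIPAddress": "203.0.113.11",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:role/example-role"},
  "requestParameters": {"commandId": "cmd-placeholder-2", "instanceId": "i-0example2"}},
 {"eventID": "evt-4", "eventTime": "2024-07-11T10:03:00Z",
  "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "sourceIPAddress": "203.0.113.12",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"}}
]
""")


if __name__ == "__main__":
    for hit in detect(SAMPLE_RECORDS):
        print(json.dumps(hit))
```

Because the rule's stated false positives are routine administrative use of SSM, the summary deliberately carries the actor, the SSM document name and the instance ids: grouping hits by those fields over a normal week gives the baseline against which a new principal, an unusual document such as an ad-hoc shell script, or an unexpected instance set stands out.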
