- Detects the execution of commands or scripts on EC2 instances using AWS Systems Manager (SSM), such as RunShellScript, RunPowerShellScript, or custom documents. While legitimate users may employ these commands for management tasks, they can also be exploited by attackers with credentials to establish persistence, install malware, or execute reverse shells for further access to compromised instances. This is a New Terms rule that looks for the first instance of this behavior by the aws.cloudtrail.user_identity.arn field in the last 7 days.
- Identifies the first occurrence of an AWS resource establishing a session via SSM to an EC2 instance. Adversaries may use AWS Systems Manager to establish a session to an EC2 instance to execute commands on the instance. This can be used to gain access to the instance and perform actions such as privilege escalation. This rule helps detect the first occurrence of this activity for a given AWS resource.
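As an added illustration of the first-seen ("New Terms") logic that both of these rules rely on (not code from the rule package or its vendor), the script below replays constructed CloudTrail records and approximates the rules by alerting the first time a caller ARN issues an SSM SendCommand or StartSession, and again only if its previous occurrence is older than 7 days. Field names follow CloudTrail's JSON record layout; the ARNs, timestamps and document names are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(days=7)  # matches the 7-day window in the rule text

# SSM API calls that run code on, or open a shell to, an EC2 instance.
WATCHED = {("ssm.amazonaws.com", "SendCommand"),   # RunShellScript, RunPowerShellScript, custom docs
           ("ssm.amazonaws.com", "StartSession")}  # interactive session to an instance


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def first_seen_alerts(events):
    """Alert the first time a caller ARN performs a watched SSM action, and again
    only if its previous occurrence is older than LOOKBACK. Events in time order."""
    last_seen = {}  # (arn, eventName) -> time of most recent occurrence
    alerts = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) not in WATCHED:
            continue
        arn = ev.get("userIdentity", {}).get("arn", "<unknown>")
        now = _parse_time(ev["eventTime"])
        term = (arn, ev["eventName"])
        prev = last_seen.get(term)
        if prev is None or now - prev > LOOKBACK:
            alerts.append({"time": ev["eventTime"], "arn": arn, "action": ev["eventName"],
                           "document": ev.get("requestParameters", {}).get("documentName")})
        last_seen[term] = now
    return alerts


def _rec(time, source, name, arn, doc=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}}
    if doc:
        rec["requestParameters"] = {"documentName": doc}
    return rec


ADMIN = "arn:aws:iam::123456789012:user/ops-admin"              # constructed
CI = "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-77"  # constructed
SAMPLE_EVENTS = [  # constructed, not real CloudTrail data
    _rec("2024-05-01T10:00:00Z", "ssm.amazonaws.com", "SendCommand", ADMIN, "AWS-RunShellScript"),
    _rec("2024-05-01T10:05:00Z", "ec2.amazonaws.com", "DescribeInstances", ADMIN),
    _rec("2024-05-03T09:00:00Z", "ssm.amazonaws.com", "SendCommand", ADMIN, "AWS-RunPowerShellScript"),
    _rec("2024-05-04T22:13:00Z", "ssm.amazonaws.com", "StartSession", CI),
    _rec("2024-05-20T01:00:00Z", "ssm.amazonaws.com", "SendCommand", ADMIN, "AWS-RunShellScript"),
]
```

Running `first_seen_alerts(SAMPLE_EVENTS)` yields three alerts: the admin's first SendCommand, the CI role's first StartSession, and the admin's SendCommand 17 days after the last one; the repeat two days later is suppressed.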