Data Source: AWS Systems Manager | Detection.FYI

AWS SSM Command Document Created by Rare User

Nov 9, 2024 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS SNS Data Source: AWS Systems Manager Resources: Investigation Guide Use Case: Threat Detection Tactic: Execution ·
Share on:

Identifies when an AWS Systems Manager (SSM) command document is created by a user who does not typically perform this action. Adversaries may create SSM command documents to execute commands on managed instances, potentially leading to unauthorized access, command and control, data exfiltration and more.

Read More
AWS Systems Manager SecureString Parameter Request with Decryption Flag

Jul 24, 2024 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS Systems Manager Tactic: Credential Access Resources: Investigation Guide ·
Share on:

Detects the first occurrence of a user identity accessing AWS Systems Manager (SSM) SecureString parameters using the GetParameter or GetParameters API actions with credentials in the request parameters. This could indicate that the user is accessing sensitive information. This rule detects when a user accesses a SecureString parameter with the withDecryption parameter set to true. This is a NewTerms rule that detects the first occurrence of a specific AWS ARN accessing SecureString parameters with decryption within the last 10 days.

Read More