Elastic Security Detection Rules

AWS SSM `SendCommand` Execution by Rare User

Last updated 16 days ago on 2024-11-05
Created 4 years ago on 2020-07-06

About

Detects the execution of commands or scripts on EC2 instances using AWS Systems Manager (SSM), such as `RunShellScript`, `RunPowerShellScript` or custom documents. While legitimate users may employ these commands for management tasks, they can also be exploited by attackers with credentials to establish persistence, install malware, or execute reverse shells for further access to compromised instances. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that looks for the first instance of this behavior by the `aws.cloudtrail.user_identity.arn` field in the last 7 days.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS SSMUse Case: Log AuditingUse Case: Threat DetectionTactic: Execution
Severity
low
Risk Score
21
MITRE ATT&CK™

Execution (TA0002)(opens in a new tab or window)

Cloud Administration Command (T1651)(opens in a new tab or window)

False Positive Examples
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-aws.cloudtrail-*
Related Integrations

aws(opens in a new tab or window)

Query
event.dataset: "aws.cloudtrail"
    and event.provider: "ssm.amazonaws.com"
    and event.action: "SendCommand"
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.arn: *AWSServiceRoleForAmazonSSM/StateManagerService*

Install detection rules in Elastic Security

Detect AWS SSM `SendCommand` Execution by Rare User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).