AWS SSM `SendCommand` with Run Shell Command Parameters

Last updated: 2024-11-07
Created: 2022-09-03

About

Identifies use of the AWS Systems Manager (SSM) `SendCommand` API with either the `AWS-RunShellScript` or the `AWS-RunPowerShellScript` document. `SendCommand` lets a caller run commands on EC2 instances through the SSM agent, so an adversary with suitable IAM permissions can execute commands on an instance without SSH or RDP access. This rule does not read CloudTrail; it matches the `aws` CLI process being started on a monitored endpoint with `send-command`, `--parameters`, a `commands=` argument and one of the two document names on its command line, so it only covers hosts running Elastic Defend, Elastic Endgame or Auditd Manager, and not calls made from the console, an SDK or an unmonitored host. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that only flags when this behavior is observed for the first time on a host in the last 7 days.
Tags
Domain: Endpoint, Domain: Cloud, OS: Linux, OS: macOS, OS: Windows, Use Case: Threat Detection, Tactic: Execution, Data Source: Elastic Defend, Data Source: Elastic Endgame, Data Source: Auditd Manager
Severity
medium
Risk Score
47
MITRE ATT&CK™

Execution (TA0002)

False Positive Examples
System administrators and DevOps engineers routinely use `SendCommand` with these documents for patching, configuration management and troubleshooting of EC2 instances. Because the rule fires on the first occurrence per host, a new administrator workstation, a freshly provisioned CI runner or a bastion host will trigger it; review those and add exceptions by host or user rather than disabling the rule.
License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.*, endgame-*, auditbeat-*, logs-auditd_manager.auditd-*
Related Integrations

endpoint

auditd_manager

Query
event.category: "process" and event.type: "start" and process.name: "aws"
and (
    host.os.type: ("windows" or "macos")
    or (
        host.os.type: "linux"
        and event.action: ("exec" or "exec_event" or "executed" or "process_started")
    )
)
and process.args: (
    "send-command" and "--parameters" and commands=*
    and ("AWS-RunShellScript" or "AWS-RunPowerShellScript")
)
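The query above is KQL, and it helps to see exactly which command lines it does and does not catch. The following is an added example (not part of the Elastic rule or this page) that re-implements the query's predicate in Python, approximates the New Terms suppression described in the About section, and runs both over a handful of constructed ECS-style process events. The `host.id` term field, the event timestamps and the sample command lines are assumptions made for the example; KQL keyword matching is exact, and the wildcard term `commands=*` matches an argument that begins with `commands=`, which the `matches_query` function mirrors.

```python
"""Added example: the rule's KQL predicate and a minimal New Terms pass,
run over constructed process-start events (not Elastic's code)."""
from datetime import datetime, timedelta, timezone

# Linux event.action values accepted by the rule's query.
LINUX_EXEC_ACTIONS = {"exec", "exec_event", "executed", "process_started"}
# SSM documents named in the query.
RUN_DOCS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}


def matches_query(ev):
    """Return True if a flattened ECS event satisfies the rule's KQL.

    Keyword terms are exact matches; the wildcard term commands=* matches
    any process.args entry that starts with 'commands='.
    """
    if not (ev.get("event.category") == "process"
            and ev.get("event.type") == "start"
            and ev.get("process.name") == "aws"):
        return False
    os_type = ev.get("host.os.type")
    if os_type == "linux":
        # Linux sources only count specific exec actions.
        if ev.get("event.action") not in LINUX_EXEC_ACTIONS:
            return False
    elif os_type not in ("windows", "macos"):
        return False
    args = ev.get("process.args", [])
    return ("send-command" in args
            and "--parameters" in args
            and any(a.startswith("commands=") for a in args)
            and any(a in RUN_DOCS for a in args))


def new_terms_alerts(events, history=timedelta(days=7), term="host.id"):
    """Approximate New Terms behaviour (assumed term field: host.id).

    A matching event alerts only when the same host produced no match
    within the preceding history window.
    """
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        key = ev.get(term)
        prev = last_seen.get(key)
        if prev is None or ev["@timestamp"] - prev > history:
            alerts.append(ev)
        last_seen[key] = ev["@timestamp"]
    return alerts


T0 = datetime(2024, 11, 1, 12, 0, tzinfo=timezone.utc)  # assumed base time


def make_event(host_id, os_type, action, args, minutes_after_t0=0):
    """Build a constructed, flattened ECS process-start event."""
    return {
        "@timestamp": T0 + timedelta(minutes=minutes_after_t0),
        "event.category": "process",
        "event.type": "start",
        "event.action": action,
        "host.id": host_id,
        "host.os.type": os_type,
        "process.name": "aws",
        "process.args": args,
    }


# Constructed sample events (instance IDs and hosts are made up).
SAMPLE_EVENTS = [
    # 1. Linux host, shorthand parameters: matches.
    make_event("host-a", "linux", "exec", [
        "aws", "ssm", "send-command", "--document-name", "AWS-RunShellScript",
        "--targets", "Key=instanceids,Values=i-0123456789abcdef0",
        "--parameters", "commands=id"]),
    # 2. Windows host, PowerShell document: matches (no event.action check).
    make_event("host-b", "windows", "start", [
        "aws", "ssm", "send-command", "--document-name", "AWS-RunPowerShellScript",
        "--targets", "Key=instanceids,Values=i-0fedcba9876543210",
        "--parameters", "commands=whoami"], minutes_after_t0=5),
    # 3. Same host as 1, an hour later: matches the query, but is not a new term.
    make_event("host-a", "linux", "exec", [
        "aws", "ssm", "send-command", "--document-name", "AWS-RunShellScript",
        "--targets", "Key=instanceids,Values=i-0123456789abcdef0",
        "--parameters", "commands=uname -a"], minutes_after_t0=60),
    # 4. JSON-formatted parameters: no arg starts with 'commands=', so no match.
    make_event("host-c", "linux", "exec", [
        "aws", "ssm", "send-command", "--document-name", "AWS-RunShellScript",
        "--targets", "Key=instanceids,Values=i-0123456789abcdef0",
        "--parameters", '{"commands":["id"]}'], minutes_after_t0=10),
    # 5. Unrelated SSM read call: no match.
    make_event("host-d", "macos", "exec", [
        "aws", "ssm", "describe-instance-information"], minutes_after_t0=15),
]


def run_demo():
    """Return per-event query matches and the hosts that would alert."""
    matched = [matches_query(e) for e in SAMPLE_EVENTS]
    alerted = [a["host.id"] for a in new_terms_alerts(SAMPLE_EVENTS)]
    return matched, alerted


if __name__ == "__main__":
    print(run_demo())
```

The fourth constructed event is the caveat worth noting: the `aws` CLI also accepts `--parameters` as a JSON document (and via `--cli-input-json` or a `file://` reference), and none of those forms produce an argument beginning with `commands=`, so this query does not match them even though the same SSM document runs. If that gap matters in your environment, pair this endpoint rule with a CloudTrail-based detection on the `SendCommand` event itself, where the document name is visible regardless of how the CLI was invoked.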

Install detection rules in Elastic Security

Detect AWS SSM `SendCommand` with Run Shell Command Parameters in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.