T1651 | LoFP

T1651

Title	Tags
command execution on a virtual machine may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. command execution from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.	T1651 azure elastic
legitimate use of the `sendcommand` api call to execute commands on ec2 instances using the ssm service may be done by system administrators or devops engineers for legitimate purposes.	T1651 cross-platform elastic
legitimate users may create ssm command documents for legitimate purposes. ensure that the document is authorized and the user is known before taking action.	T1651 aws elastic