LoFP: T1651

| Title | Tags |
| --- | --- |
| automated configuration management or monitoring scripts that use lolbins via ssm for legitimate purposes. consider excluding known automation accounts or specific command patterns. | t1059, t1105, T1651, cross-platform, elastic |
| command execution on a virtual machine may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. command execution from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule. | T1651, azure, elastic |
| legitimate administrative tasks using ssm to run system utilities may trigger this rule. review the command context, user identity, and timing to determine if the activity is authorized. | t1059, t1105, T1651, cross-platform, elastic |
| legitimate use of the `sendcommand` api call to execute commands on ec2 instances using the ssm service may be done by system administrators or devops engineers for legitimate purposes. | t1059, T1651, cross-platform, elastic |
| legitimate users may create ssm command documents for legitimate purposes. ensure that the document is authorized and the user is known before taking action. | T1651, aws, elastic |
| topic creations may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. topic creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule. | T1530, T1651, gcp, elastic |
| verify whether the user identity should be using the triggered api. if known behavior is causing false positives, it can be exempted from the rule. the "history_window_start" value can be modified to reflect the expected frequency of known activity within a particular environment. | T1648, T1651, aws, elastic |
| verify whether the user identity, user agent, and/or hostname should be making changes in your environment. suspicious commands from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule. | T1651, aws, elastic |