T1651
| Title | Tags |
| --- | --- |
| Legitimate use of the `SendCommand` API call to execute commands on EC2 instances using the SSM service may be done by system administrators or DevOps engineers for legitimate purposes. | T1651, cross-platform, elastic |
| Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. | T1651, aws, elastic |