LoFP / Legitimate administrators or automation tools may access SSM Inventory APIs for asset management or compliance purposes. Verify whether the user identity should be using these APIs. If known behavior is causing false positives, add exceptions for those identities.

Techniques

Sample rules

AWS SSM Inventory Reconnaissance by Rare User

Description

Detects the rare occurrence of a user or role accessing AWS Systems Manager (SSM) inventory APIs or creating a State Manager association that runs the AWS-GatherSoftwareInventory document. These APIs reveal detailed information about managed EC2 instances, including installed software, patch compliance status, and command execution history. Adversaries may use these calls to collect a software inventory while blending in with legitimate AWS operations. This is a New Terms rule: it alerts the first time a given user identity successfully calls one of these reconnaissance APIs within the rule's history window.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "ssm.amazonaws.com"
    and (
        event.action: ("GetInventory" or "GetInventorySchema" or "ListInventoryEntries" or "DescribeInstancePatches" or "ListCommands")
        or (event.action: "CreateAssociation"
            and aws.cloudtrail.request_parameters: *AWS-GatherSoftwareInventory*)
    )
    and not aws.cloudtrail.user_identity.type : "AWSService" 
    and event.outcome: "success"
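The following Python script is an added example, not part of the rule or of the Elastic integration, that replays the predicate above and the rule's New Terms behaviour over constructed CloudTrail records, and shows where the exceptions recommended in the LoFP note fit. It assumes the field mapping Elastic's CloudTrail integration performs (eventSource to event.provider, eventName to event.action, presence of errorCode to event.outcome, requestParameters serialized into aws.cloudtrail.request_parameters); the account ID, ARNs and log records are constructed for illustration.

```python
"""Replay the SSM inventory recon rule (KQL predicate + New Terms) over constructed
CloudTrail records. Sample ARNs and records are constructed, not real logs."""
import json
from typing import Iterable

# Inventory/recon API names from the rule's event.action list.
INVENTORY_ACTIONS = {
    "GetInventory", "GetInventorySchema", "ListInventoryEntries",
    "DescribeInstancePatches", "ListCommands",
}
GATHER_DOC = "AWS-GatherSoftwareInventory"  # matched by *AWS-GatherSoftwareInventory*


def normalize(record: dict) -> dict:
    """Map raw CloudTrail fields onto the ECS names the rule queries (assumed mapping)."""
    params = record.get("requestParameters") or {}
    identity = record["userIdentity"]
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": record["eventSource"],
        "event.action": record["eventName"],
        "event.outcome": "failure" if record.get("errorCode") else "success",
        "aws.cloudtrail.request_parameters": json.dumps(params, sort_keys=True),
        "aws.cloudtrail.user_identity.type": identity["type"],
        "aws.cloudtrail.user_identity.arn": identity.get("arn", ""),
        "@timestamp": record["eventTime"],
    }


def matches_rule(ev: dict) -> bool:
    """The rule's KQL predicate, evaluated on one normalized event."""
    if ev["event.dataset"] != "aws.cloudtrail" or ev["event.provider"] != "ssm.amazonaws.com":
        return False
    action = ev["event.action"]
    recon = action in INVENTORY_ACTIONS or (
        action == "CreateAssociation" and GATHER_DOC in ev["aws.cloudtrail.request_parameters"]
    )
    return (recon
            and ev["aws.cloudtrail.user_identity.type"] != "AWSService"
            and ev["event.outcome"] == "success")


def new_terms_alerts(records: Iterable[dict], known_arns: Iterable[str] = (),
                     allowlist: Iterable[str] = ()) -> list[dict]:
    """Alert the first time a user identity ARN satisfies the predicate.
    known_arns seeds the New Terms history (the rule's baseline window);
    allowlist models the LoFP exceptions for known admins/automation roles."""
    seen, exempt, alerts = set(known_arns), set(allowlist), []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        ev = normalize(rec)
        if not matches_rule(ev):
            continue
        arn = ev["aws.cloudtrail.user_identity.arn"]
        if arn in exempt:
            continue  # known behaviour: excluded, as the LoFP note recommends
        if arn not in seen:
            seen.add(arn)
            alerts.append({"@timestamp": ev["@timestamp"], "arn": arn,
                           "action": ev["event.action"]})
    return alerts


# --- constructed sample data -------------------------------------------------
ACCOUNT = "123456789012"
AUTOMATION = f"arn:aws:sts::{ACCOUNT}:assumed-role/InventoryAutomation/scheduler"
CONTRACTOR = f"arn:aws:iam::{ACCOUNT}:user/contractor"
DEVOPS = f"arn:aws:iam::{ACCOUNT}:user/dev-ops"


def _rec(time, name, ident_type, arn, params=None, error=None) -> dict:
    """Build a minimal raw CloudTrail record (constructed, not a real log line)."""
    identity = {"type": ident_type, "arn": arn} if arn else \
               {"type": ident_type, "invokedBy": "ssm.amazonaws.com"}
    rec = {"eventTime": time, "eventSource": "ssm.amazonaws.com", "eventName": name,
           "userIdentity": identity, "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_RECORDS = [
    _rec("2024-05-01T08:00:00Z", "GetInventory", "AssumedRole", AUTOMATION),          # allowlisted
    _rec("2024-05-01T08:05:00Z", "ListCommands", "AWSService", None),                  # excluded type
    _rec("2024-05-01T09:00:00Z", "GetInventory", "IAMUser", CONTRACTOR, error="AccessDenied"),
    _rec("2024-05-01T09:01:00Z", "ListInventoryEntries", "IAMUser", CONTRACTOR,
         params={"instanceId": "i-0123456789abcdef0", "typeName": "AWS:Application"}),  # new term
    _rec("2024-05-01T09:02:00Z", "GetInventorySchema", "IAMUser", CONTRACTOR),         # already seen
    _rec("2024-05-01T10:00:00Z", "CreateAssociation", "IAMUser", DEVOPS,
         params={"name": "AWS-UpdateSSMAgent"}),                                       # wrong document
    _rec("2024-05-01T10:05:00Z", "CreateAssociation", "IAMUser", DEVOPS,
         params={"name": GATHER_DOC, "targets": [{"key": "InstanceIds", "values": ["*"]}]}),
]


def run_demo() -> list[dict]:
    """Two alerts: contractor (ListInventoryEntries) and dev-ops (CreateAssociation)."""
    return new_terms_alerts(SAMPLE_RECORDS, allowlist={AUTOMATION})


if __name__ == "__main__":
    for alert in run_demo():
        print(json.dumps(alert))
```

Note that the exception is keyed on the identity ARN, not on the API name: suppressing GetInventory for everyone would also hide the adversary case the rule exists for, whereas excluding the specific automation role keeps the rule effective for everyone else.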