Sample rules
AWS SSM SendCommand with Run Shell Command Parameters
- source: elastic
- techniques:
- T1651
Description
Identifies the use of the AWS Systems Manager (SSM) SendCommand API with either the AWS-RunShellScript or
AWS-RunPowerShellScript parameter. The SendCommand API call allows users to execute commands on EC2 instances using
the SSM service. Adversaries may use this technique to execute commands on EC2 instances without the need for SSH or RDP
access. This behavior may indicate an adversary attempting to execute commands on an EC2 instance for malicious
purposes. This is a New Terms rule that only flags when this behavior is observed for the first time on a host in the
last 7 days.
Detection logic
event.category: "process" and event.type: "start" and process.name: "aws"
and (
    host.os.type: ("windows" or "macos")
    or (
        host.os.type: "linux"
        and event.action: ("exec" or "exec_event" or "executed" or "process_started")
    )
)
and process.args: (
    "send-command" and "--parameters" and commands=*
    and ("AWS-RunShellScript" or "AWS-RunPowerShellScript")
)
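As an added illustration, not part of the Elastic rule, a Python re-implementation of the query and of the New Terms suppression, run over constructed sample events in ECS field layout. The host names, the instance ID placeholder and the helper functions are assumptions, and the per-host timestamp map stands in for the rule's real history lookup.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

RUN_DOCS = ("AWS-RunShellScript", "AWS-RunPowerShellScript")
LINUX_ACTIONS = ("exec", "exec_event", "executed", "process_started")

def matches_rule(ev):
    """True when an ECS process-start event satisfies the KQL query above."""
    if ev.get("event.category") != "process" or ev.get("event.type") != "start":
        return False
    if ev.get("process.name") != "aws":
        return False
    os_type, action = ev.get("host.os.type"), ev.get("event.action")
    if os_type not in ("windows", "macos") and not (os_type == "linux" and action in LINUX_ACTIONS):
        return False
    args = ev.get("process.args", [])
    # process.args is a keyword array: each clause matches any element; commands=* is a wildcard
    return ("send-command" in args and "--parameters" in args
            and any(fnmatchcase(a, "commands=*") for a in args)
            and any(a in RUN_DOCS for a in args))

def new_terms_alerts(events, window=timedelta(days=7)):
    """New Terms behaviour: alert only when the host had no match in the trailing window."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_rule(ev):
            continue
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        host = ev["host.name"]
        if host not in last_seen or ts - last_seen[host] > window:
            alerts.append((host, ev["@timestamp"]))
        last_seen[host] = ts  # any match, alerted or not, refreshes the history window
    return alerts

def _ev(ts, host, os_type, action, args):
    """Constructed ECS-style event for demonstration (not real telemetry)."""
    return {"@timestamp": ts, "host.name": host, "host.os.type": os_type, "event.category": "process",
            "event.type": "start", "event.action": action, "process.name": "aws", "process.args": args}

def _cli(doc, params):  # constructed aws-cli argv; the instance ID is a placeholder
    return ["aws", "ssm", "send-command", "--document-name", doc,
            "--instance-ids", "i-0000000000example", "--parameters", params]

EVENTS = [
    _ev("2024-03-01T10:00:00Z", "bastion-1", "linux", "exec", _cli("AWS-RunShellScript", "commands=uname -a")),  # first sighting: alert
    _ev("2024-03-01T11:00:00Z", "bastion-1", "linux", "fork", _cli("AWS-RunShellScript", "commands=uname -a")),  # action not in the Linux list: no match
    _ev("2024-03-02T09:30:00Z", "admin-pc", "windows", "start", _cli("AWS-RunPowerShellScript", "commands=Get-Process")),  # first sighting: alert
    _ev("2024-03-03T12:00:00Z", "bastion-1", "linux", "exec", _cli("AWS-RunShellScript", "commands=id")),  # seen 2 days ago: suppressed
    _ev("2024-03-05T08:00:00Z", "dev-box", "linux", "exec", _cli("AWS-RunShellScript", "file://params.json")),  # no commands=* argument: query misses it
    _ev("2024-03-12T08:00:00Z", "bastion-1", "linux", "exec", _cli("AWS-RunShellScript", "commands=id")),  # 9 days after last match: alerts again
]
```

The dev-box event shows a coverage gap worth knowing about: parameters passed via a file never contain the literal commands=* token the query requires.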