LoFP / Legitimate users may have to use SSM to perform actions against machines in the cloud to update or maintain them

Techniques

Sample rules

Potential Malicious Usage of CloudTrail System Manager

Description

Detects a successful SendCommand API call to AWS Systems Manager (eventSource ssm.amazonaws.com), i.e. a command document dispatched to one or more managed instances. The same call is used for routine patching and maintenance, so triage should look at the calling principal, the document name and the target instances rather than treating every hit as malicious.

Detection logic

condition: selection
selection:
  eventName: SendCommand
  eventSource: ssm.amazonaws.com
  responseElements.command.status: Success
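The selection above run over constructed CloudTrail records, as an added example that is not part of this LoFP page or of the Sigma rule it quotes. It also shows one way to tune for the false positive this entry documents: a hit is suppressed only when both the calling role and the SSM document are ones a maintenance pipeline is expected to use. The role ARNs, account ID, instance IDs, document allowlist and every record below are hypothetical.

```python
"""Run the SendCommand selection over constructed CloudTrail records and apply
a maintenance allowlist for the documented false positive. All records, ARNs,
account and instance IDs in this file are constructed for the example."""
import itertools
from typing import Any, Dict, Iterable, List, Optional

# Sigma-style selection from the rule: every field must match (AND).
SELECTION: Dict[str, str] = {
    "eventName": "SendCommand",
    "eventSource": "ssm.amazonaws.com",
    "responseElements.command.status": "Success",
}

# Hypothetical tuning for the LoFP case: the role a patching pipeline assumes
# and the SSM document it is expected to run. A hit is suppressed only when
# BOTH match, so the same role dispatching an arbitrary shell script still alerts.
PATCH_ROLE = "arn:aws:sts::111122223333:assumed-role/PatchPipelineRole/patch-run"
ADMIN_USER = "arn:aws:iam::111122223333:user/alice"
MAINTENANCE_ROLE_ARNS = {PATCH_ROLE}
MAINTENANCE_DOCUMENTS = {"AWS-RunPatchBaseline"}

_IDS = itertools.count(1)


def get_path(record: Dict[str, Any], dotted: str) -> Any:
    """Resolve a Sigma dotted field (e.g. responseElements.command.status)
    against a nested CloudTrail record; None if any step is missing."""
    node: Any = record
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def selection_matches(record: Dict[str, Any]) -> bool:
    return all(get_path(record, k) == v for k, v in SELECTION.items())


def is_expected_maintenance(record: Dict[str, Any]) -> bool:
    arn = get_path(record, "userIdentity.arn")
    doc = get_path(record, "requestParameters.documentName")
    return arn in MAINTENANCE_ROLE_ARNS and doc in MAINTENANCE_DOCUMENTS


def run_rule(records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the selection, drop expected maintenance, and reduce each hit to
    the fields an analyst needs for triage."""
    hits: List[Dict[str, Any]] = []
    for rec in records:
        if not selection_matches(rec) or is_expected_maintenance(rec):
            continue
        hits.append({
            "time": rec.get("eventTime"),
            "principal": get_path(rec, "userIdentity.arn"),
            "document": get_path(rec, "requestParameters.documentName"),
            "instances": get_path(rec, "requestParameters.instanceIds"),
            "commandId": get_path(rec, "responseElements.command.commandId"),
        })
    return hits


def make_event(time: str, arn: str, name: str, doc: Optional[str] = None,
               status: Optional[str] = None, error: Optional[str] = None) -> Dict[str, Any]:
    """Build a constructed CloudTrail record with only the fields used here."""
    rec: Dict[str, Any] = {
        "eventTime": time, "eventSource": "ssm.amazonaws.com", "eventName": name,
        "userIdentity": {"arn": arn},
        "requestParameters": {"documentName": doc, "instanceIds": ["i-0123456789abcdef0"]},
    }
    if error:  # a denied call carries errorCode and no responseElements
        rec["errorCode"] = error
    elif status:
        rec["responseElements"] = {
            "command": {"commandId": f"constructed-command-{next(_IDS)}", "status": status}}
    return rec


SAMPLE_EVENTS = [
    # patch pipeline running the patch baseline: the documented false positive, suppressed
    make_event("2024-05-01T02:00:11Z", PATCH_ROLE, "SendCommand", "AWS-RunPatchBaseline", "Success"),
    # same role, arbitrary shell document: still alerts
    make_event("2024-05-01T02:05:40Z", PATCH_ROLE, "SendCommand", "AWS-RunShellScript", "Success"),
    # IAM user dispatching a shell script: alerts
    make_event("2024-05-01T14:22:03Z", ADMIN_USER, "SendCommand", "AWS-RunShellScript", "Success"),
    # denied call: no responseElements, so the status field is absent and the rule does not fire
    make_event("2024-05-01T14:25:19Z", ADMIN_USER, "SendCommand", "AWS-RunShellScript", error="AccessDenied"),
    # different SSM API on the same event source: not selected
    make_event("2024-05-01T14:30:00Z", ADMIN_USER, "GetParameter"),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```

Keying the allowlist on the role alone would let anyone who can assume PatchPipelineRole dispatch AWS-RunShellScript without an alert, which is why the suppression requires the document name as well; the denied record shows that the rule depends on responseElements being present, so calls that never dispatched a command are not counted.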