LoFP / there are legitimate uses of ssm to send commands to ec2 instances

Techniques

• t1566
• t1566.002

Sample rules

Potential Malicious Usage of CloudTrail System Manager

• source: sigma
• technicques:
  • t1566
  • t1566.002

Description

Detect when System Manager successfully executes commands against an instance.

Detection logic

condition: selection
selection:
  eventName: SendCommand
  eventSource: ssm.amazonaws.com
  responseElements.command.status: Success