Techniques
Sample rules
Potential Malicious Usage of CloudTrail System Manager
- source: sigma
- techniques:
  - t1566
  - t1566.002
Description
Detect when System Manager successfully executes commands against an instance.
Detection logic
condition: selection_event and 1 of selection_status_*
selection_event:
  eventName: SendCommand
  eventSource: ssm.amazonaws.com
selection_status_null:
  errorCode: null
selection_status_success:
  errorCode: Success
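
The detection logic above, evaluated over constructed CloudTrail records, as an added example that is not part of the original rule or of the Sigma project's code. It assumes that a Sigma null matches a field that is absent or JSON null, which is how a SendCommand record carrying no errorCode field is caught; the function names and sample records are constructed for illustration.

```python
_ABSENT = object()  # sentinel: the field is not present in the record at all

SELECTION_EVENT = {"eventName": "SendCommand", "eventSource": "ssm.amazonaws.com"}
SELECTION_STATUS = {
    "selection_status_null": {"errorCode": None},
    "selection_status_success": {"errorCode": "Success"},
}

def field_matches(record, field, expected):
    value = record.get(field, _ABSENT)
    if expected is None:
        # Assumption: Sigma null matches a missing field as well as an explicit null.
        return value is _ABSENT or value is None
    # Sigma compares plain string values case-insensitively.
    return isinstance(value, str) and value.lower() == expected.lower()

def selection_matches(record, selection):
    # All fields inside one selection are ANDed together.
    return all(field_matches(record, f, v) for f, v in selection.items())

def rule_matches(record):
    # condition: selection_event and 1 of selection_status_*
    return selection_matches(record, SELECTION_EVENT) and any(
        selection_matches(record, sel) for sel in SELECTION_STATUS.values()
    )

SSM = {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand"}

# Constructed sample records (not real CloudTrail output).
SAMPLE_RECORDS = [
    dict(SSM),                               # errorCode absent: call succeeded
    dict(SSM, errorCode=None),               # explicit null
    dict(SSM, errorCode="Success"),          # explicit Success string
    dict(SSM, errorCode="AccessDenied"),     # failed call: must not alert
    dict(SSM, eventName="ListCommands"),     # different API call
    dict(SSM, eventSource="ec2.amazonaws.com"),  # different service
]

def evaluate(records):
    return [rule_matches(r) for r in records]

if __name__ == "__main__":
    for record, hit in zip(SAMPLE_RECORDS, evaluate(SAMPLE_RECORDS)):
        print("ALERT" if hit else "skip ", record)
```

A backend that translates `errorCode: null` as "field equals the empty string" rather than "field missing" would skip the first record, so that case is worth testing against real logs after conversion.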