sigmahighHunting

Potential Malicious Usage of CloudTrail System Manager

Detect when System Manager successfully executes commands against an instance.

MITRE ATT&CK

privilege-escalationinitial-access

Detection Query

selection_event:
  eventName: SendCommand
  eventSource: ssm.amazonaws.com
selection_status_success:
  errorCode: Success
selection_status_null:
  errorCode: null
condition: selection_event and 1 of selection_status_*

Author

jamesc-grafana

Created

2024-07-11

Data Sources

awscloudtrail

Platforms

aws

References

https://github.com/elastic/detection-rules/blob/v8.6.0/rules/integrations/aws/initial_access_via_system_manager.toml

Tags

attack.privilege-escalationattack.initial-accessattack.t1566attack.t1566.002

Raw Content

title: Potential Malicious Usage of CloudTrail System Manager
id: 38e7f511-3f74-41d4-836e-f57dfa18eead
status: test
description: |
    Detect when System Manager successfully executes commands against an instance.
references:
    - https://github.com/elastic/detection-rules/blob/v8.6.0/rules/integrations/aws/initial_access_via_system_manager.toml
author: jamesc-grafana
date: 2024-07-11
modified: 2025-12-08
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.t1566
    - attack.t1566.002
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_event:
        eventName: 'SendCommand'
        eventSource: 'ssm.amazonaws.com'
    selection_status_success:
        errorCode: 'Success'
    selection_status_null:
        errorCode: null
    condition: selection_event and 1 of selection_status_*
falsepositives:
    - There are legitimate uses of SSM to send commands to EC2 instances
    - Legitimate users may have to use SSM to perform actions against machines in the Cloud to update or maintain them
level: high