EXPLORE
Sign In
← Back to Explore
T1651

Cloud Administration Command

Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command) If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environm...

IaaS
9
Detections
1
Sources
2
Threat Actors

BY SOURCE

9elastic

PROCEDURES (8)

Service2 detections

Auto-extracted: 2 detections for service

Lateral1 detections

Auto-extracted: 1 detections for lateral

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Lateral1 detections

Auto-extracted: 1 detections for lateral

Persist1 detections

Auto-extracted: 1 detections for persist

Persist1 detections

Auto-extracted: 1 detections for persist

Privilege1 detections

Auto-extracted: 1 detections for privilege

Azure1 detections

Auto-extracted: 1 detections for azure

THREAT ACTORS (2)

APT29VOID MANTICORE

DETECTIONS (9)

AWS EC2 LOLBin Execution via SSM SendCommand
elasticmedium
AWS SSM `SendCommand` Execution by Rare User
elasticlow
AWS SSM `SendCommand` with Run Shell Command Parameters
elasticmedium
AWS SSM Command Document Created by Rare User
elasticlow
AWS SSM Session Manager Child Process Execution
elasticmedium
Azure Compute VM Command Executed
elasticmedium
Azure VM Extension Deployment by User
elasticmedium
First Time AWS CloudFormation Stack Creation
elasticmedium
GCP Pub/Sub Topic Creation
elasticlow