Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Potential Malicious Usage of CloudTrail System Manager

Detect when System Manager successfully executes commands against an instance.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
jamesc-grafanaCreated Thu Jul 11Updated Mon Dec 0838e7f511-3f74-41d4-836e-f57dfa18eeadcloud
Log Source
AWScloudtrail
ProductAWS← raw: aws
Servicecloudtrail← raw: cloudtrail
Detection Logic
Detection Logic3 selectors
detection:
    selection_event:
        eventName: 'SendCommand'
        eventSource: 'ssm.amazonaws.com'
    selection_status_success:
        errorCode: 'Success'
    selection_status_null:
        errorCode: null
    condition: selection_event and 1 of selection_status_*
False Positives

There are legitimate uses of SSM to send commands to EC2 instances

Legitimate users may have to use SSM to perform actions against machines in the Cloud to update or maintain them

References
1
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
38e7f511-3f74-41d4-836e-f57dfa18eead
Status
test
Level
high
Type
Detection
Created
Thu Jul 11
Modified
Mon Dec 08
Author
jamesc-grafana
Path
rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml
Raw Tags
attack.privilege-escalationattack.initial-accessattack.t1566attack.t1566.002
View on GitHub