Skip to content
Threat Feed
low advisory

AWS SSM `SendCommand` Execution by Rare User

This rule detects the execution of commands or scripts on EC2 instances using AWS Systems Manager (SSM) by an unexpected or new user, which could lead to malware installation, persistence, or reverse shell deployment.

This detection rule identifies the execution of commands or scripts on Amazon EC2 instances using AWS Systems Manager (SSM) SendCommand by a user or role that hasn't been seen before. Attackers with compromised AWS credentials can abuse SSM to execute arbitrary commands on EC2 instances, even without direct SSH access. This can lead to privilege escalation, data exfiltration, or deployment of malicious software. The rule focuses on detecting anomalous use of SSM, specifically the initial execution of SendCommand by an identity within a given AWS account, to reduce false positives from routine administrative tasks. The rule uses a 7-day history window to establish a baseline of known users and roles.

Attack Chain

  1. The attacker gains access to AWS credentials with sufficient permissions to use SSM. This could be achieved through phishing, credential stuffing, or exploiting a misconfigured EC2 instance.
  2. The attacker authenticates to the AWS environment using the compromised credentials.
  3. The attacker uses the AWS CLI or SDK to call the SendCommand API action.
  4. The SendCommand action targets a specific EC2 instance ID. The request includes parameters specifying the document to execute (e.g., RunShellScript or RunPowerShellScript).
  5. The specified document executes a shell script or PowerShell script on the target EC2 instance. The attacker could use this to install malware, create new user accounts, or modify system configurations.
  6. The attacker establishes persistence on the compromised EC2 instance, for example, by creating a scheduled task or modifying startup scripts.
  7. The attacker uses the compromised EC2 instance as a pivot point to access other resources within the AWS environment.
  8. The attacker exfiltrates sensitive data from the compromised EC2 instance or other AWS resources.

Impact

A successful attack could lead to full compromise of EC2 instances, data breaches, and disruption of services. Even with "low" severity access, attackers may perform reconnaissance, move laterally, or establish a foothold for later attacks. The lack of familiarity with the user makes it harder to determine whether they should be performing these administrative actions.

Recommendation

  • Deploy the Sigma rule "AWS SSM SendCommand Execution by Rare User" to your SIEM and tune for your environment (rule).
  • Investigate any alerts generated by the rule, focusing on the targeted EC2 instances and the commands executed (rule).
  • Review IAM policies to ensure that users and roles have the least privilege necessary to perform their tasks, specifically regarding the ssm:SendCommand action (rule).
  • Monitor AWS CloudTrail logs for other SSM-related actions, such as CreateDocument and UpdateDocument, which could indicate preparation for malicious activity (content).
  • Implement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise (content).

Detection coverage 2

AWS SSM `SendCommand` Execution by Rare User

low

Detects the execution of commands or scripts on EC2 instances using AWS Systems Manager (SSM) by a rare user or role.

sigma tactics: execution techniques: T1651 sources: cloudtrail, aws

AWS SSM RunShellScript Execution

medium

Detects the execution of RunShellScript via SSM SendCommand

sigma tactics: execution techniques: T1651 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →