AWS SSM `SendCommand` Execution by Rare User
This rule detects the execution of commands or scripts on EC2 instances using AWS Systems Manager (SSM) by an unexpected or new user, which could lead to malware installation, persistence, or reverse shell deployment.
This detection rule identifies the execution of commands or scripts on Amazon EC2 instances using AWS Systems Manager (SSM) SendCommand by a user or role that hasn't been seen before. Attackers with compromised AWS credentials can abuse SSM to execute arbitrary commands on EC2 instances, even without direct SSH access. This can lead to privilege escalation, data exfiltration, or deployment of malicious software. The rule focuses on detecting anomalous use of SSM, specifically the initial execution of SendCommand by an identity within a given AWS account, to reduce false positives from routine administrative tasks. The rule uses a 7-day history window to establish a baseline of known users and roles.
Attack Chain
- The attacker gains access to AWS credentials with sufficient permissions to use SSM. This could be achieved through phishing, credential stuffing, or exploiting a misconfigured EC2 instance.
- The attacker authenticates to the AWS environment using the compromised credentials.
- The attacker uses the AWS CLI or SDK to call the
SendCommandAPI action. - The
SendCommandaction targets a specific EC2 instance ID. The request includes parameters specifying the document to execute (e.g.,RunShellScriptorRunPowerShellScript). - The specified document executes a shell script or PowerShell script on the target EC2 instance. The attacker could use this to install malware, create new user accounts, or modify system configurations.
- The attacker establishes persistence on the compromised EC2 instance, for example, by creating a scheduled task or modifying startup scripts.
- The attacker uses the compromised EC2 instance as a pivot point to access other resources within the AWS environment.
- The attacker exfiltrates sensitive data from the compromised EC2 instance or other AWS resources.
Impact
A successful attack could lead to full compromise of EC2 instances, data breaches, and disruption of services. Even with "low" severity access, attackers may perform reconnaissance, move laterally, or establish a foothold for later attacks. The lack of familiarity with the user makes it harder to determine whether they should be performing these administrative actions.
Recommendation
- Deploy the Sigma rule "AWS SSM
SendCommandExecution by Rare User" to your SIEM and tune for your environment (rule). - Investigate any alerts generated by the rule, focusing on the targeted EC2 instances and the commands executed (rule).
- Review IAM policies to ensure that users and roles have the least privilege necessary to perform their tasks, specifically regarding the
ssm:SendCommandaction (rule). - Monitor AWS CloudTrail logs for other SSM-related actions, such as
CreateDocumentandUpdateDocument, which could indicate preparation for malicious activity (content). - Implement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise (content).
Detection coverage 2
AWS SSM `SendCommand` Execution by Rare User
lowDetects the execution of commands or scripts on EC2 instances using AWS Systems Manager (SSM) by a rare user or role.
AWS SSM RunShellScript Execution
mediumDetects the execution of RunShellScript via SSM SendCommand
Detection queries are available on the platform. Get full rules →