AWS SSM Command Document Created by Rare User
Adversaries may leverage AWS Systems Manager (SSM) command document creation by rare or unusual users to execute arbitrary commands on managed instances, potentially leading to unauthorized access, command and control, or data exfiltration.
What's new
- l1 new product Jul 15, 14:11 via elastic
This threat brief details how adversaries exploit compromised AWS identities to create malicious AWS Systems Manager (SSM) Command documents, a technique often observed through the CreateDocument API call made by users or roles that do not typically perform this action. Elastic's detection rule highlights this activity as a high-severity threat, indicating potential unauthorized access, command and control, and data exfiltration within an AWS environment. While the creation of SSM command documents can be legitimate for administrative purposes, detection of this action by an anomalous user or role signals a critical security event. Defenders should pay close attention to CreateDocument events where the documentType is "Command" and correlate these with the calling identity's historical activity and the content of the created document.
Attack Chain
- An adversary gains initial access to an AWS account, potentially through compromised user credentials, an insecure API key, or an exploited web application.
- The adversary identifies a compromised AWS Identity and Access Management (IAM) user or role that possesses the necessary permissions to create AWS Systems Manager (SSM) documents.
- The adversary invokes the
CreateDocumentAPI call, using the compromised identity, to generate a new SSM document. This document is specifically crafted withdocumentType: Commandand embeds malicious commands for execution. - The malicious SSM Command document is designed to achieve adversary objectives, such as executing reconnaissance commands, establishing persistence, escalating privileges, or initiating data exfiltration.
- Subsequently, the adversary utilizes the
SendCommandAPI call to deploy and execute this newly created malicious SSM Command document on targeted AWS managed instances within the scope of the compromised identity's permissions. - The commands embedded within the SSM document are executed on the targeted instances, allowing the adversary to achieve objectives such as unauthorized access, maintaining command and control, or exfiltrating sensitive data.
Impact
Successful exploitation allows adversaries to execute arbitrary commands with the privileges of the compromised AWS identity on managed instances. This can lead to a range of severe consequences, including full compromise of affected instances, persistent unauthorized access, establishment of covert command and control channels, and large-scale data exfiltration from an organization's AWS environment. The impact extends to operational disruption, potential intellectual property theft, and regulatory non-compliance. Without timely detection, attackers can expand their footprint across the cloud infrastructure, affecting numerous systems and data stores.
Recommendation
- Deploy the Sigma rule "Detect AWS SSM Command Document Created" provided in this brief to your SIEM and tune for your environment.
- Ensure AWS CloudTrail logging is enabled and configured to capture
CreateDocumentAPI calls for thessm.amazonaws.comservice, specifically focusing onevent.action: "CreateDocument"andevent.outcome: "success". - Restrict permissions for
ssm:CreateDocumentandssm:SendCommandto only trusted IAM users and roles that genuinely require this capability for administrative tasks. - Implement an alert for high-risk
CreateDocumentevents by reviewing theaws.cloudtrail.user_identity.arnandaws.cloudtrail.request_parameters.namefields to identify unauthorized document creation. - For any detected suspicious activity, immediately review the document's content (
aws.cloudtrail.request_parameters.content) if available in logs, or via the AWS Management Console, and delete unauthorized documents.
Detection coverage 1
Detect AWS SSM Command Document Creation
highDetects when an AWS Systems Manager (SSM) command document is created. This rule should be tuned to identify creation by users or roles that do not typically perform this action, as adversaries may use this to execute commands on managed instances.
Detection queries are available on the platform. Get full rules →