-
Author: Elastic
-
Description: This hunting query identifies when a single
SendCommandAPI call is made by an EC2 instance to execute a command via the AWS Systems Manager (SSM) service within the last 7 days. TheSendCommandAPI call allows users to remotely execute commands on EC2 instances. Default documents likeAWS-RunPowerShellScriptandAWS-RunShellScriptare commonly used for this purpose. Adversaries may abuse this API to execute arbitrary commands on compromised EC2 instances. -
UUID:
1844f2d6-5dc7-11ef-b76c-f661ea17fbce -
Integration: aws.cloudtrail
-
Language:
[ES|QL] -
Source File: SSM Rare SendCommand Code Execution by EC2 Instance
from logs-aws.cloudtrail-*
| where @timestamp > now() - 7 day
| where event.provider == "ssm.amazonaws.com" and event.action == "SendCommand"
| dissect aws.cloudtrail.request_parameters "%{}documentName=%{document_name},%{}"
| dissect aws.cloudtrail.response_elements "%{}instanceIds=[%{instance_id}],%{}"
| where document_name in ("AWS-RunPowerShellScript","AWS-RunShellScript") and instance_id != "*"
| stats user_command_counts = count(*) by instance_id
| where user_command_counts == 1- With count 1, this rule will only trigger once for each unique value of the
instance_idfield that has not been seen making this API request within the last 7 days. - Use the
instance_idfield to identify the EC2 instance that executed the command. This instance ID can be used to search for all related activities, focusing onevent.actionandaws.cloudtrail.request_parametersfields. - The
parameterfield in theaws.cloudtrail.request_parameterscontains the command executed by the EC2 instance, however is masked in the query to prevent sensitive data exposure by AWS. Reviewing commands executed on the instance can provide context on the adversary's actions.
Elastic License v2