security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4e9ef005c2906b6d5b1de02e51affe733477e7c6
blue-team-tools/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml
T
Nasreddine Bencherchali 598d29f811 Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00

27 lines
925 B
YAML
Raw Blame History

title: Potential Malicious Usage of CloudTrail System Manager
id: 38e7f511-3f74-41d4-836e-f57dfa18eead
status: experimental
description: |
Detect when System Manager successfully executes commands against an instance.
references:
- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml
author: jamesc-grafana
date: 2024-07-11
tags:
- attack.privilege-escalation
- attack.t1566
- attack.t1566.002
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventName: 'SendCommand'
eventSource: 'ssm.amazonaws.com'
responseElements.command.status: 'Success'
condition: selection
falsepositives:
- There are legitimate uses of SSM to send commands to EC2 instances
- Legitimate users may have to use SSM to perform actions against machines in the Cloud to update or maintain them
level: high
Reference in New Issue View Git Blame Copy Permalink