security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e22f60f44cf1a87d23ba46292e15ff58c8e95545
sigma-rules/hunting/aws/queries/ssm_rare_sendcommand_code_execution.toml
T
Terrance DeJesus ba58a1e7cc [New Hunt] Add AWS Hunting Queries to Shared Hunting Library (#3988) 
* new hunt queries for aws

* sendcommand and getuserpassword queries

* s3 bucket access and secrets manager requests added

* ssm start session and service logging deleted added

* adding federated authentication queries

* added ec2 modify instance attribute query

* adding backdoor role creation query

* 2 new queries for discovery; added lookback windows

* added new hunting query for IAM activity with no MFA session

* added missing time windows

* adding new query for lambda add permissions

* adjusted query format

* added new query for ec2 instance deployment anomalies

* updated queries based on feedback; regenerated docs

* fixed queries

* removed new rule
2024-09-04 10:08:44 -04:00

27 lines
1.9 KiB
TOML
Raw Blame History

[hunt]
author = "Elastic"
description = """
This hunting query identifies when a single `SendCommand` API call is made by an EC2 instance to execute a command via the AWS Systems Manager (SSM) service within the last 7 days. The `SendCommand` API call allows users to remotely execute commands on EC2 instances. Default documents like `AWS-RunPowerShellScript` and `AWS-RunShellScript` are commonly used for this purpose. Adversaries may abuse this API to execute arbitrary commands on compromised EC2 instances.
"""
integration = ["aws.cloudtrail"]
uuid = "1844f2d6-5dc7-11ef-b76c-f661ea17fbce"
name = "SSM Rare SendCommand Code Execution by EC2 Instance"
language = ["ES|QL"]
license = "Elastic License v2"
notes = [
"With count 1, this rule will only trigger once for each unique value of the `instance_id` field that has not been seen making this API request within the last 7 days.",
"Use the `instance_id` field to identify the EC2 instance that executed the command. This instance ID can be used to search for all related activities, focusing on `event.action` and `aws.cloudtrail.request_parameters` fields.",
"The `parameter` field in the `aws.cloudtrail.request_parameters` contains the command executed by the EC2 instance, however is masked in the query to prevent sensitive data exposure by AWS. Reviewing commands executed on the instance can provide context on the adversary's actions.",
]
mitre = ["T1651"]
query = ['''
from logs-aws.cloudtrail-*
| where @timestamp > now() - 7 day
| where event.provider == "ssm.amazonaws.com" and event.action == "SendCommand"
| dissect aws.cloudtrail.request_parameters "%{}documentName=%{document_name},%{}"
| dissect aws.cloudtrail.response_elements "%{}instanceIds=[%{instance_id}],%{}"
| where document_name in ("AWS-RunPowerShellScript","AWS-RunShellScript") and instance_id != "*"
| stats user_command_counts = count(*) by instance_id
| where user_command_counts == 1
'''
]
Reference in New Issue View Git Blame Copy Permalink