
AWS SSM `SendCommand` Execution by Rare User

Elastic Detection Rules

Summary
This detection rule targets the execution of commands or scripts on EC2 instances through AWS Systems Manager (SSM) `SendCommand` by users who are new or rarely seen performing this action. Such calls can serve legitimate purposes in managing AWS resources, but they can also be abused by attackers to maintain access, deploy malware, or launch reverse shells. The rule uses AWS CloudTrail logs to identify these activities within the last seven days, prioritizing entries whose user identity is new or uncommon for this action. Key investigation points include validating the identity and access rights of the user executing the SSM commands and assessing the target EC2 instances to determine whether their interaction with SSM is expected or indicative of malicious behavior. Monitoring for unusual command parameters and correlating with other activity logs can also provide crucial insight into potential threats. The rule is particularly useful for organizations looking to improve their security posture against unauthorized access and potential data breaches.
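The following is an added example, not the rule's own query and not Elastic code: a small, offline Python re-implementation of the detection idea above. It filters CloudTrail-style records down to `ssm.amazonaws.com` / `SendCommand`, baselines which principals have issued `SendCommand` within a seven-day lookback, and emits an alert for any caller with no prior `SendCommand` in that window, carrying the investigation fields the summary names (caller identity, target instance IDs, document name, command parameters). The events, account ID, ARNs and instance IDs are constructed sample data; the field names follow the CloudTrail schema, but the `parameters` map is assumed to be present in `requestParameters` for illustration.

```python
"""Flag SSM SendCommand calls by principals not seen calling SendCommand recently."""
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(days=7)

# Documents that run arbitrary shell or PowerShell on the instance; worth a closer look.
SCRIPT_DOCUMENTS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}

# Constructed sample events shaped like CloudTrail records (not real logs).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/PatchAutomation/session-1"},
     "requestParameters": {"documentName": "AWS-RunPatchBaseline", "instanceIds": ["i-0aaa111"]}},
    {"eventTime": "2024-05-03T09:00:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/PatchAutomation/session-2"},
     "requestParameters": {"documentName": "AWS-RunPatchBaseline", "instanceIds": ["i-0bbb222"]}},
    # A user with no SendCommand history runs a shell script on a patched host.
    {"eventTime": "2024-05-05T22:14:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor-jdoe"},
     "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0aaa111"],
                           "parameters": {"commands": ["id"]}}},
    # Not a SendCommand; must be ignored by the filter.
    {"eventTime": "2024-05-06T08:00:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "ListCommands",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor-jdoe"},
     "requestParameters": {}},
    # Same automation role again, but 17 days after its last call: outside the 7-day baseline.
    {"eventTime": "2024-05-20T09:00:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/PatchAutomation/session-3"},
     "requestParameters": {"documentName": "AWS-RunPatchBaseline", "instanceIds": ["i-0ccc333"]}},
]


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_send_command(event):
    return event.get("eventSource") == "ssm.amazonaws.com" and event.get("eventName") == "SendCommand"


def principal(event):
    """Stable identity for baselining: drop the per-session suffix from assumed-role
    ARNs so each new session of the same role is not counted as a new user."""
    ident = event["userIdentity"]
    arn = ident["arn"]
    if ident.get("type") == "AssumedRole":
        return arn.rsplit("/", 1)[0]
    return arn


def find_rare_user_send_commands(events, lookback=LOOKBACK):
    """Return one alert dict per SendCommand whose principal has no earlier
    SendCommand within `lookback`. Events are processed in time order so the
    baseline only ever contains activity that preceded the event being judged."""
    history = {}  # principal -> list of SendCommand timestamps seen so far
    alerts = []
    for ev in sorted(filter(is_send_command, events), key=lambda e: parse_time(e["eventTime"])):
        when = parse_time(ev["eventTime"])
        who = principal(ev)
        recent = [t for t in history.get(who, []) if when - t <= lookback]
        if not recent:
            params = ev.get("requestParameters", {})
            alerts.append({
                "time": ev["eventTime"],
                "principal": who,
                "document": params.get("documentName"),
                "instances": params.get("instanceIds", []),
                "script_execution": params.get("documentName") in SCRIPT_DOCUMENTS,
                "parameters": params.get("parameters", {}),
            })
        history.setdefault(who, []).append(when)
    return alerts


if __name__ == "__main__":
    for alert in find_rare_user_send_commands(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this yields three alerts: the automation role's first call (cold start, with no baseline yet), the contractor's `AWS-RunShellScript` call, and the automation role's return after a 17-day gap. The last one shows the trade-off in a purely window-based baseline: infrequent but legitimate automation re-triggers the rule unless the lookback is widened or those principals are added to an exception list.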
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Cloud Storage
  • Network Traffic
  • Process
  • Application Log
ATT&CK Techniques
  • T1651
Created: 2020-07-06