AWS SSM Distributed Command

Panther Rules

Summary
The AWS SSM Distributed Command rule detects when a single identity uses the AWS Systems Manager (SSM) SendCommand API to run a command across multiple EC2 instances. SSM Run Command is a legitimate administration channel, so an individual SendCommand call is routine; what the rule treats as anomalous is the same principal fanning one command out to several instances, because that is how an attacker holding credentials with ssm:SendCommand can execute payloads, establish persistence, or move laterally on fleet hosts without SSH keys or inbound network access to them. The rule alerts on CloudTrail SendCommand events whose targets span several EC2 instances. On an alert, investigate the executing identity (userIdentity), the source of the call, the command content (the SSM document and its parameters, where CloudTrail records them), and the affected instances, then review surrounding logs for evidence of persistence or lateral movement.
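The detection idea above, worked through as an added example that is not the Panther rule's own code: it walks a handful of constructed CloudTrail records, keeps only ssm.amazonaws.com SendCommand events, collects the distinct instance IDs each principal has targeted, and reports principals whose set reaches a threshold. The threshold of three, the field names used for tag-targeted calls (instance IDs taken from responseElements.command.instanceIds when requestParameters.instanceIds is absent), and all ARNs and instance IDs are assumptions made for the example. The real rule evaluates one event at a time and must keep cross-event state in a cache; here the aggregation is in memory.

```python
from collections import defaultdict

SSM_SOURCE = "ssm.amazonaws.com"
SEND_COMMAND = "SendCommand"

# Constructed CloudTrail records for illustration only (not real logs).
# Field layout follows the CloudTrail record format; every value is made up.
SAMPLE_LOG = [
    {"eventSource": SSM_SOURCE, "eventName": SEND_COMMAND,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0aaa111", "i-0bbb222"]}},
    # Same actor re-targets an instance already seen: must not count twice.
    {"eventSource": SSM_SOURCE, "eventName": SEND_COMMAND,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0bbb222"]}},
    # Tag-targeted call: no instanceIds in the request, resolved IDs assumed
    # to appear in the response (assumption about the record layout).
    {"eventSource": SSM_SOURCE, "eventName": SEND_COMMAND,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "targets": [{"Key": "tag:Role", "Values": ["web"]}]},
     "responseElements": {"command": {"instanceIds": ["i-0ccc333", "i-0ddd444"]}}},
    # A different principal touching one instance: below threshold.
    {"eventSource": SSM_SOURCE, "eventName": SEND_COMMAND,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0eee555"]}},
    # Read-only SSM call by the first actor: not a SendCommand, ignored.
    {"eventSource": SSM_SOURCE, "eventName": "GetCommandInvocation",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"commandId": "11111111-2222-3333-4444-555555555555",
                           "instanceId": "i-0fff666"}},
]


def is_send_command(event):
    """True only for SSM SendCommand events; other SSM calls are ignored."""
    return (event.get("eventSource") == SSM_SOURCE
            and event.get("eventName") == SEND_COMMAND)


def actor_arn(event):
    """The principal that issued the call, from userIdentity.arn."""
    return (event.get("userIdentity") or {}).get("arn", "unknown")


def instance_ids(event):
    """Instance IDs targeted by a SendCommand event.

    Prefer requestParameters.instanceIds; for tag-targeted calls fall back to
    the resolved list assumed to live in responseElements.command.instanceIds.
    """
    request = event.get("requestParameters") or {}
    ids = list(request.get("instanceIds") or [])
    if not ids:
        response = event.get("responseElements") or {}
        ids = list((response.get("command") or {}).get("instanceIds") or [])
    return ids


def find_distributed_commands(events, threshold=3):
    """Map each principal to the sorted distinct instances it targeted, keeping
    only principals whose distinct-instance count reaches the threshold."""
    targets = defaultdict(set)
    for event in events:
        if not is_send_command(event):
            continue
        targets[actor_arn(event)].update(instance_ids(event))
    return {arn: sorted(ids) for arn, ids in targets.items()
            if len(ids) >= threshold}


if __name__ == "__main__":
    for arn, ids in find_distributed_commands(SAMPLE_LOG).items():
        print(f"ALERT {arn} sent commands to {len(ids)} instances: {ids}")
```

Run as-is it reports only the alice user, with four distinct instances despite one being targeted twice; the deploy role and the GetCommandInvocation record produce nothing. When triaging a real alert, pull the documentName and, if CloudTrail preserved them, the command parameters from the same records before deciding whether the fan-out was an approved change.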
Categories
  • Cloud
  • AWS
  • Infrastructure
Data Sources
  • Cloud Service
  • Network Traffic
  • Application Log
  • Process
  • User Account
ATT&CK Techniques
  • T1203
Created: 2025-03-19