EC2 SystemsManager Exploitation AWS

Anvilogic Forge

Summary
This detection rule identifies suspicious activity around AWS EC2 Systems Manager (SSM) that may indicate exploitation by a threat actor. It flags API calls to Systems Manager that can let an attacker execute arbitrary commands on EC2 instances with root or SYSTEM privileges. Typical attacker steps include associating IAM instance profiles, creating or modifying IAM roles, and attaching policies that grant elevated privileges. The rule specifically looks for the events 'AssociateIamInstanceProfile', 'CreateRole', 'AddRoleToInstanceProfile', 'AttachRolePolicy', and 'UpdateInstanceInformation' where the 'roleName' or 'instanceProfileName' equals 'SSM'. It emits a structured output of the relevant details, including timestamps, user information, source IP addresses, and the geographic location of the source, to improve threat visibility and response. The rule focuses on tactics commonly used by the threat actor tracked as LUCR-3 and is mapped to techniques T1525 (Persistence: Implant Internal Image) and T1078.004 (Defense Evasion: Valid Accounts: Cloud Accounts). Overall, it addresses the growing concern over cloud service weaknesses and the potential for unauthorized access and command execution in cloud environments.
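The rule's matching conditions, applied to constructed CloudTrail records as an added example (this is not the Anvilogic rule's own code). Field names follow CloudTrail's JSON layout (eventName, eventTime, userIdentity.arn, sourceIPAddress, requestParameters); the recursive walk over requestParameters is an assumption made so that nested request shapes are also inspected.

```python
from typing import Any, Iterator

# Event names the rule keys on, taken from the summary above.
SSM_EVENTS = {
    "AssociateIamInstanceProfile", "CreateRole", "AddRoleToInstanceProfile",
    "AttachRolePolicy", "UpdateInstanceInformation",
}
NAME_KEYS = {"roleName", "instanceProfileName"}


def _names(obj: Any) -> Iterator[str]:
    """Yield every roleName / instanceProfileName string value found in a
    requestParameters tree (assumption: walk nested dicts and lists)."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            if key in NAME_KEYS and isinstance(val, str):
                yield val
            else:
                yield from _names(val)
    elif isinstance(obj, list):
        for item in obj:
            yield from _names(item)


def match_ssm_abuse(events: list[dict]) -> list[dict]:
    """Return one structured hit per event that (a) is one of SSM_EVENTS and
    (b) names a role or instance profile exactly equal to 'SSM'."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in SSM_EVENTS:
            continue
        if "SSM" not in set(_names(ev.get("requestParameters") or {})):
            continue
        hits.append({
            "time": ev.get("eventTime"),
            "event": ev["eventName"],
            "user": (ev.get("userIdentity") or {}).get("arn"),
            "src_ip": ev.get("sourceIPAddress"),
        })
    return hits


# Constructed sample records (not real telemetry): two should match.
SAMPLE = [
    {"eventTime": "2024-02-09T10:00:00Z", "eventName": "CreateRole",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"roleName": "SSM"}},
    {"eventTime": "2024-02-09T10:01:00Z", "eventName": "AddRoleToInstanceProfile",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"instanceProfileName": "SSM", "roleName": "SSM"}},
    {"eventTime": "2024-02-09T10:02:00Z", "eventName": "AttachRolePolicy",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"roleName": "AppRole"}},
    {"eventTime": "2024-02-09T10:03:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"roleName": "SSM"}},
]
```

Events outside the rule's name list, or whose request names a role other than exactly 'SSM', are left out of the output.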
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1525
  • T1078.004
Created: 2024-02-09