
AWS API calls indicating command execution via Systems Manager

ID: aws_ssm_send_command
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0002:T1651 (Execution: Cloud Administration Command)

Description

AlphaSOC detected an unexpected use of the SendCommand action in AWS Systems Manager (SSM), indicating potential unauthorized command execution. SendCommand runs an SSM document (for example AWS-RunShellScript or AWS-RunPowerShellScript) on one or more managed nodes, such as EC2 instances or on-premises machines running the SSM Agent. The detection fires when the call deviates from the calling principal's observed baseline in one or more properties: the action itself, the source ASN, the user agent, or the AWS region.

Impact

Commands sent through SendCommand run with the privileges of the SSM Agent (root on Linux, SYSTEM on Windows), so unauthorized use can lead to exposure of sensitive data, installation of malware, or use of the affected instances as a foothold for further attacks, without any network access to the instances themselves.

Severity

Severity        Condition
Informational   One unexpected property (action, ASN, user agent or region)
Low             Two unexpected properties at the same time
Medium          Three or more unexpected properties at the same time

Investigation and Remediation

Review the AWS CloudTrail record for the SendCommand call: the IAM user or role that initiated it (userIdentity), the sourceIPAddress, userAgent and awsRegion, and the requestParameters, which include the SSM document name, the target instance IDs and, where recorded, the command parameters. If the command text is not present in the trail, retrieve it and its output from the SSM command history (for example with list-command-invocations --details). Verify with the owner of the principal whether the action was authorized. If it was not, revoke or rotate all potentially compromised credentials, isolate the targeted instances, revert any changes the command made, and review other API activity by the same principal around the same time.
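The following Python script is an added example, not AlphaSOC's detection code, that applies the severity table above to CloudTrail events and produces the triage fields the investigation step asks for. It assumes a per-principal baseline (BASELINE) and an IP-to-ASN lookup (IP_TO_ASN), both constructed here because CloudTrail itself carries neither; the sample events are likewise constructed in the shape of real CloudTrail SendCommand records.

```python
from typing import Optional

# Per-principal baseline of what is normal. Constructed for this example; in
# practice it is learned from the account's own CloudTrail history.
BASELINE = {
    "arn:aws:iam::123456789012:user/ops-admin": {
        "action": {"SendCommand", "DescribeInstanceInformation"},
        "asn": {"AS16509"},          # calls from inside AWS (e.g. a bastion host)
        "user_agent": {"aws-cli"},
        "region": {"us-east-1"},
    },
    "arn:aws:sts::123456789012:assumed-role/ci-deployer/build-42": {
        "action": {"DescribeInstanceInformation"},   # this role never runs commands
        "asn": {"AS16509"},
        "user_agent": {"Boto3"},
        "region": {"eu-west-1"},
    },
}

# CloudTrail records only sourceIPAddress; the ASN comes from enrichment.
# This table is a constructed stand-in for that lookup.
IP_TO_ASN = {
    "52.95.110.1": "AS16509",     # Amazon
    "203.0.113.5": "AS64496",     # documentation-range IP, private-use ASN
    "198.51.100.7": "AS64511",
}


def user_agent_family(ua: str) -> str:
    """'aws-cli/2.13.0 Python/3.11 ...' -> 'aws-cli' (console UAs have no slash)."""
    return ua.split("/", 1)[0]


def severity_for(unexpected_count: int) -> Optional[str]:
    """Severity table: 1 -> Informational, 2 -> Low, 3 or more -> Medium."""
    if unexpected_count == 0:
        return None
    if unexpected_count == 1:
        return "informational"
    if unexpected_count == 2:
        return "low"
    return "medium"


def score_event(event: dict) -> Optional[dict]:
    """Triage record for one CloudTrail SendCommand event; None for any other event."""
    if event.get("eventSource") != "ssm.amazonaws.com" or event.get("eventName") != "SendCommand":
        return None
    principal = event["userIdentity"]["arn"]
    # A principal with no baseline is unknown: every property counts as unexpected.
    profile = BASELINE.get(principal, {"action": set(), "asn": set(), "user_agent": set(), "region": set()})
    observed = {
        "action": event["eventName"],
        "asn": IP_TO_ASN.get(event["sourceIPAddress"], "unknown"),
        "user_agent": user_agent_family(event.get("userAgent", "")),
        "region": event["awsRegion"],
    }
    unexpected = [prop for prop, value in observed.items() if value not in profile[prop]]
    params = event.get("requestParameters") or {}
    return {
        "principal": principal,
        "source_ip": event["sourceIPAddress"],
        "observed": observed,
        "unexpected": unexpected,
        "severity": severity_for(len(unexpected)),
        "document": params.get("documentName"),
        "instance_ids": params.get("instanceIds", []),
        # Command text is only here if the trail recorded the parameters; otherwise
        # it has to come from the SSM command history.
        "commands": (params.get("parameters") or {}).get("commands", []),
    }


def triage(events: list) -> list:
    """Score a batch of CloudTrail events and keep only those that produce a finding."""
    findings = []
    for event in events:
        record = score_event(event)
        if record is not None and record["severity"] is not None:
            findings.append(record)
    return findings


# Constructed sample events in the shape of real CloudTrail records (fields trimmed).
SAMPLE_EVENTS = [
    {   # routine patching by the admin from the usual place: no finding
        "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
        "awsRegion": "us-east-1", "sourceIPAddress": "52.95.110.1",
        "userAgent": "aws-cli/2.13.0 Python/3.11.4 Linux/6.1.0 exe/x86_64",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-admin"},
        "requestParameters": {"documentName": "AWS-RunPatchBaseline",
                              "instanceIds": ["i-0a1b2c3d4e5f67890"],
                              "parameters": {"Operation": ["Install"]}},
    },
    {   # same admin, but from a non-AWS ASN with a different SDK: two unexpected -> Low
        "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
        "userAgent": "Boto3/1.28.0 md/Botocore#1.31.0 ua/2.0 os/linux#6.1.0",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-admin"},
        "requestParameters": {"documentName": "AWS-RunShellScript",
                              "instanceIds": ["i-0a1b2c3d4e5f67890"]},   # parameters not recorded
    },
    {   # CI role that never runs commands, new ASN, new UA, new region: four unexpected -> Medium
        "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userAgent": "aws-cli/2.13.0 Python/3.11.4 Linux/6.1.0 exe/x86_64",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ci-deployer/build-42"},
        "requestParameters": {"documentName": "AWS-RunShellScript",
                              "instanceIds": ["i-0a1b2c3d4e5f67890", "i-0fedcba9876543210"],
                              "parameters": {"commands": ["whoami", "uname -a"]}},
    },
    {   # read-only SSM call: not SendCommand, ignored
        "eventSource": "ssm.amazonaws.com", "eventName": "DescribeInstanceInformation",
        "awsRegion": "eu-west-1", "sourceIPAddress": "52.95.110.1",
        "userAgent": "Boto3/1.28.0 md/Botocore#1.31.0 ua/2.0 os/linux#6.1.0",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ci-deployer/build-42"},
        "requestParameters": {},
    },
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["principal"], f["unexpected"], f["document"], f["instance_ids"], f["commands"])
```

The baseline is keyed on the full principal ARN, so an assumed-role session is judged against its role's history rather than the account as a whole; the user agent is reduced to its product family so a routine CLI version bump does not count as a new user agent.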

Known False Positives

  • Legitimate use of SendCommand by authorized administrators for system maintenance or updates
  • Scheduled automation (patch baselines, configuration management, deployment pipelines) that invokes SendCommand from a consistent principal, ASN and region