AWS EC2 received a suspicious command
Description
AlphaSOC detected suspicious AWS Systems Manager (SSM) command execution or
cross-account Simple Storage Service (S3) write operations from Elastic Compute
Cloud (EC2) instances. This includes SSM SendCommand operations with S3 output
delivery and PutObject events writing to external AWS account buckets. These
patterns indicate potential unauthorized command execution or data exfiltration
attempts.
Impact
An adversary holding credentials that permit ssm:SendCommand can execute arbitrary commands on every EC2 instance the SSM agent manages and, by pointing command output or direct S3 writes at a bucket in an account they control, exfiltrate sensitive data. This enables lateral movement within the AWS environment, persistence (for example through SSM associations that re-run on a schedule), and large-scale data theft carried over AWS API endpoints rather than through network paths that perimeter monitoring inspects.
Severity
| Severity | Condition |
|---|---|
| Low | AWS EC2 received a suspicious command |
Investigation and Remediation
Review CloudTrail logs to identify the source EC2 instances, the specific SSM commands executed, and the target S3 bucket destinations. For SendCommand events, the requestParameters field carries the targeted instance IDs, the document name, and the outputS3BucketName; for S3 PutObject events, the bucket entry in the resources field carries the owning account ID, which reveals cross-account writes. Note that PutObject is an S3 data event and is only recorded if data-event logging is enabled for the bucket or trail; the SSM command history (ListCommandInvocations and GetCommandInvocation) is an additional source for the command content. Analyze the command content and the data written to external buckets for suspicious activity. If compromise is confirmed, rotate or revoke the affected IAM credentials (for instance-profile roles, revoke existing sessions with a deny policy conditioned on aws:TokenIssueTime) and remove SSM access permissions. Disable unauthorized SSM associations and remove cross-account bucket permissions. Isolate the affected instances and restore them from known good backups or snapshots.