Suspicious AWS API calls indicating SSM command execution on multiple instances

ID: aws_ssm_send_command_multiple_instances_suspicious
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0002:T1059

Description

AlphaSOC detected AWS Systems Manager SendCommand activity targeting multiple EC2 instances. Systems Manager provides remote command execution for managed instances, allowing administrators to run commands and scripts across their fleet. A single SendCommand call can address many instances at once, either by listing them in the instanceIds parameter or by selecting them with the targets parameter (for example by tag). While administrators use this for patch management and configuration tasks, threat actors abuse it for lateral movement, malware deployment, or cryptomining. This detection flags SendCommand calls that involve an unexpected action, ASN, user agent, or region for the calling principal, which can indicate compromised credentials.

Impact

Command execution across multiple EC2 instances enables adversaries to compromise systems at scale. Threat actors can deploy malware, install cryptominers, establish backdoors, or exfiltrate data from multiple sources. By targeting multiple instances with a single API call, attackers can execute coordinated operations efficiently. This technique allows for rapid deployment of malicious code across managed infrastructure, potentially affecting business operations and requiring coordinated response efforts.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent, or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

  • Review CloudTrail logs to identify the SendCommand action and examine the instanceIds or targets parameters to determine which instances were targeted.
  • Verify the IAM user or role, source IP, ASN, and user agent of the call.
  • Check the DocumentName and Parameters fields to identify the executed commands.
  • If the activity is unauthorized, revoke the compromised credentials and rotate access keys.
  • Examine the targeted instances for unexpected processes, file modifications, or network connections.
  • Review the Systems Manager Run Command history.
  • Implement IAM policies that restrict Systems Manager permissions following least privilege principles.
  • Enable CloudTrail logging and configure alerts for unusual SendCommand patterns.
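The following Python script is an added example, not AlphaSOC's detection code, that performs the first triage steps above on CloudTrail records and applies the severity table from this page: it keeps only multi-instance SendCommand events, pulls out the principal, source IP, user agent, region, document name, parameters and targets an analyst needs first, then counts how many of action, ASN, user agent and region fall outside a per-principal baseline. The baseline, the IP-to-ASN table (CloudTrail records only the source IP; the ASN comes from enrichment, mocked here) and the three event records are all constructed for this example; the cap of "Medium" for four unexpected properties is an assumption, since the table stops at three.

```python
"""Triage multi-instance SendCommand events against a per-principal baseline.

Added example; the baseline, ASN table and CloudTrail records below are constructed.
"""
import json

# Constructed baseline for a principal that legitimately runs SSM commands.
BASELINE = {
    "regions": {"us-east-1"},
    "asns": {64512},  # private-use ASN standing in for the corporate egress ASN
    "user_agent_prefixes": ("aws-cli/",),
    "documents": {"AWS-RunPatchBaseline"},
}

# Constructed IP-to-ASN enrichment table (documentation-range addresses).
ASN_LOOKUP = {"203.0.113.10": 64512, "198.51.100.77": 65000}

# Constructed CloudTrail records using the real CloudTrail field names.
SAMPLE_EVENTS = [
    {   # Routine patching from the usual place: no unexpected properties.
        "eventTime": "2024-01-15T10:00:00Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "SendCommand", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.13.0 Python/3.11.4 Linux/6.1",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/patch-automation"},
        "requestParameters": {"documentName": "AWS-RunPatchBaseline",
                              "instanceIds": ["i-0a1b2c3d4e5f60001", "i-0a1b2c3d4e5f60002", "i-0a1b2c3d4e5f60003"],
                              "parameters": {"Operation": ["Install"]}},
    },
    {   # Same principal, but unexpected action, ASN, user agent and region; tag-based targets.
        "eventTime": "2024-01-15T03:12:44Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "SendCommand", "awsRegion": "ap-southeast-1",
        "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.28.0 Python/3.9 Linux/5.15",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/patch-automation"},
        "requestParameters": {"documentName": "AWS-RunShellScript",
                              "targets": [{"key": "tag:Environment", "values": ["production"]}],
                              "parameters": {"commands": ["<command text omitted in constructed sample>"]}},
    },
    {   # Unexpected action and ASN only: two properties at once.
        "eventTime": "2024-01-15T11:30:00Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "SendCommand", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.77", "userAgent": "aws-cli/2.13.0 Python/3.11.4 Linux/6.1",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/patch-automation"},
        "requestParameters": {"documentName": "AWS-RunShellScript",
                              "instanceIds": ["i-0a1b2c3d4e5f60001", "i-0a1b2c3d4e5f60002"],
                              "parameters": {"commands": ["<command text omitted in constructed sample>"]}},
    },
]


def extract_targets(event):
    """Return (instance_ids, target_selectors) from a SendCommand record."""
    params = event.get("requestParameters") or {}
    return list(params.get("instanceIds") or []), list(params.get("targets") or [])


def is_multi_instance(event):
    """True when the call can reach more than one instance. A tag or resource-group
    selector matches any number of instances, so its presence counts as multi."""
    ids, targets = extract_targets(event)
    return len(ids) > 1 or bool(targets)


def unexpected_properties(event, baseline=BASELINE, asn_lookup=ASN_LOOKUP):
    """List which of action, ASN, user agent and region fall outside the baseline."""
    params = event.get("requestParameters") or {}
    flags = []
    if params.get("documentName") not in baseline["documents"]:
        flags.append("action")
    if asn_lookup.get(event.get("sourceIPAddress")) not in baseline["asns"]:
        flags.append("asn")
    if not str(event.get("userAgent", "")).startswith(baseline["user_agent_prefixes"]):
        flags.append("user_agent")
    if event.get("awsRegion") not in baseline["regions"]:
        flags.append("region")
    return flags


def severity_for(count):
    """Map the number of unexpected properties onto the page's severity table;
    four or more is capped at Medium (assumption, the table stops at three)."""
    if count <= 0:
        return None
    return {1: "Informational", 2: "Low"}.get(count, "Medium")


def triage(event, baseline=BASELINE, asn_lookup=ASN_LOOKUP):
    """Return the analyst-facing summary and severity for a multi-instance SendCommand,
    or None when the record is not one."""
    if event.get("eventSource") != "ssm.amazonaws.com" or event.get("eventName") != "SendCommand":
        return None
    if not is_multi_instance(event):
        return None
    ids, targets = extract_targets(event)
    params = event.get("requestParameters") or {}
    flags = unexpected_properties(event, baseline, asn_lookup)
    return {
        "eventTime": event.get("eventTime"),
        "principal": (event.get("userIdentity") or {}).get("arn"),
        "sourceIPAddress": event.get("sourceIPAddress"),
        "asn": asn_lookup.get(event.get("sourceIPAddress")),
        "userAgent": event.get("userAgent"),
        "region": event.get("awsRegion"),
        "documentName": params.get("documentName"),
        "instanceIds": ids,
        "targets": targets,
        "parameters": params.get("parameters"),
        "unexpected": flags,
        "severity": severity_for(len(flags)),
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        result = triage(ev)
        if result and result["severity"]:
            print(json.dumps(result, indent=2))
```

Running the script prints the second record as Medium (all four properties unexpected) and the third as Low (action and ASN), while the routine patching call produces no alert. Tag-based targets are treated as multi-instance deliberately: the record shows only the selector, so the number of instances actually reached has to be confirmed from the Run Command history, which is why that step sits in the investigation list above.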

Known False Positives

  • Legitimate patch management operations across multiple instances
  • Scheduled automation for system maintenance or monitoring

Further Reading