Usage of ssm:SendCommand on multiple instances
slow idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Execution
Description
Simulates an attacker utilizing AWS Systems Manager (SSM) to execute commands through SendCommand on multiple EC2 instances.
Warm-up:
- Create multiple EC2 instances and a VPC (takes a few minutes).
Detonation:
- Runs `ssm:SendCommand` on several EC2 instances to execute the command `echo "id=$(id), hostname=$(hostname)"` on each of them.
References:
- https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/#send-command
- https://www.chrisfarris.com/post/aws-ir/
- https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet
- https://securitycafe.ro/2023/01/17/aws-post-explitation-with-ssm-sendcommand/
Instructions
Detection
Identify this activity through CloudTrail's SendCommand event, especially when requestParameters.instanceIds contains several instances. Sample event:
```json
{
  "eventSource": "ssm.amazonaws.com",
  "eventName": "SendCommand",
  "requestParameters": {
    "instanceIds": [
      "i-0f364762ca43f9661",
      "i-0a86d1f61db2b9b5d",
      "i-08a69bfbe21c67e70"
    ],
    "documentName": "AWS-RunShellScript",
    "parameters": "HIDDEN_DUE_TO_SECURITY_REASONS",
    "interactive": false
  }
}
```
While this technique uses a single call to ssm:SendCommand targeting several instances, an attacker may instead issue one call per instance. In that case, a separate SendCommand event is emitted for each call, each with a single entry in requestParameters.instanceIds.
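The following detection logic is an added example and is not part of the Stratus Red Team page or project. It runs over a handful of constructed CloudTrail records and covers both patterns described above: a single SendCommand whose requestParameters.instanceIds lists several instances, and the variant where one principal issues one SendCommand per instance in quick succession (the sliding-window part generalizes the note above to a configurable count and time window). The account ID, ARNs, most instance IDs, and the thresholds MULTI_INSTANCE_MIN, FAN_OUT_MIN and FAN_OUT_WINDOW are assumptions chosen for the example.

```python
"""Flag ssm:SendCommand fan-out in CloudTrail records.

Added example, not code from the Stratus Red Team page. Pattern 1 is a
single SendCommand naming several instances; pattern 2 is one SendCommand
per instance, many of them, from the same principal within a short window.
Records, ARNs and thresholds below are constructed for the example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for the example; tune them to your environment.
MULTI_INSTANCE_MIN = 2                  # one call naming >= 2 instances
FAN_OUT_MIN = 3                         # >= 3 distinct instances per principal ...
FAN_OUT_WINDOW = timedelta(minutes=10)  # ... within this window


def _when(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _principal(record):
    identity = record.get("userIdentity", {})
    return identity.get("arn") or identity.get("principalId", "unknown")


def _instance_ids(record):
    return list(record.get("requestParameters", {}).get("instanceIds") or [])


def send_command_events(records):
    """Keep only successful ssm:SendCommand calls (denied calls carry errorCode)."""
    return [r for r in records
            if r.get("eventSource") == "ssm.amazonaws.com"
            and r.get("eventName") == "SendCommand"
            and "errorCode" not in r]


def multi_instance_calls(records):
    """Pattern 1: a single SendCommand targeting several instances."""
    findings = []
    for r in send_command_events(records):
        ids = _instance_ids(r)
        if len(ids) >= MULTI_INSTANCE_MIN:
            findings.append({
                "principal": _principal(r),
                "eventTime": r["eventTime"],
                "documentName": r["requestParameters"].get("documentName"),
                "instanceIds": sorted(ids),
            })
    return findings


def fan_out_by_principal(records):
    """Pattern 2: many single-instance SendCommand calls by one principal in a short window."""
    per_principal = defaultdict(list)
    for r in send_command_events(records):
        ids = _instance_ids(r)
        if 0 < len(ids) < MULTI_INSTANCE_MIN:   # multi-instance calls are pattern 1's job
            per_principal[_principal(r)].append((_when(r), ids[0]))

    findings = []
    for who, calls in per_principal.items():
        calls.sort()
        for i, (start, _) in enumerate(calls):
            # Window anchored at each call; count distinct instances inside it.
            seen = {inst for t, inst in calls[i:] if t - start <= FAN_OUT_WINDOW}
            if len(seen) >= FAN_OUT_MIN:
                findings.append({
                    "principal": who,
                    "windowStart": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
                    "instanceIds": sorted(seen),
                })
                break                           # one finding per principal
    return findings


def analyze(records):
    """Run both detections and return their findings together."""
    return {"multi_instance": multi_instance_calls(records),
            "fan_out": fan_out_by_principal(records)}


# Constructed sample CloudTrail records; account ID, ARNs and most instance IDs are placeholders.
def _rec(time, arn, ids, error=None):
    r = {"eventTime": time, "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
         "userIdentity": {"arn": arn},
         "requestParameters": {"instanceIds": ids, "documentName": "AWS-RunShellScript",
                               "parameters": "HIDDEN_DUE_TO_SECURITY_REASONS", "interactive": False}}
    if error:
        r["errorCode"] = error
    return r


RED_TEAM = "arn:aws:iam::123456789012:user/stratus-red-team"
ONE_BY_ONE = "arn:aws:iam::123456789012:role/compromised-role"
ADMIN = "arn:aws:iam::123456789012:role/patch-admin"

SAMPLE_RECORDS = [
    _rec("2024-01-01T10:00:00Z", RED_TEAM,
         ["i-0f364762ca43f9661", "i-0a86d1f61db2b9b5d", "i-08a69bfbe21c67e70"]),
    _rec("2024-01-01T10:05:00Z", ONE_BY_ONE, ["i-0000000000000aaa1"]),
    _rec("2024-01-01T10:06:30Z", ONE_BY_ONE, ["i-0000000000000aaa2"]),
    _rec("2024-01-01T10:08:00Z", ONE_BY_ONE, ["i-0000000000000aaa3"]),
    _rec("2024-01-01T11:00:00Z", ADMIN, ["i-0000000000000bbb1"]),                  # routine single call
    _rec("2024-01-01T11:30:00Z", ADMIN, ["i-0000000000000bbb2"], "AccessDenied"),  # denied, ignored
]

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_RECORDS), indent=2))
```

Two points drive the design: denied calls (errorCode present) are dropped so that a failed probe does not count as execution, and the per-principal window only considers single-instance calls so that one multi-instance call is not reported twice. In a real deployment the window and threshold should be set from a baseline of legitimate automation such as patch managers, which also issue SendCommand in bursts.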