Usage of ssm:SendCommand on multiple instances

Tags: slow, idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Execution

Description

Simulates an attacker utilizing AWS Systems Manager (SSM) to execute commands through SendCommand on multiple EC2 instances.

Warm-up:

  • Create multiple EC2 instances and a VPC (takes a few minutes).

Detonation:

  • Runs ssm:SendCommand against several EC2 instances to execute the command echo "id=$(id), hostname=$(hostname)" on each of them.

References:

Instructions

Detonate with Stratus Red Team
stratus detonate aws.execution.ssm-send-command

Detection

Identify this technique through CloudTrail's SendCommand event, especially when requestParameters.instanceIds lists several instances. Sample event:

{
  "eventSource": "ssm.amazonaws.com",
  "eventName": "SendCommand",
  "requestParameters": {
    "instanceIds": [
      "i-0f364762ca43f9661",
      "i-0a86d1f61db2b9b5d",
      "i-08a69bfbe21c67e70"
    ],
    "documentName": "AWS-RunShellScript",
    "parameters": "HIDDEN_DUE_TO_SECURITY_REASONS",
    "interactive": false
  }
}

While this technique uses a single call to ssm:SendCommand covering several instances, an attacker may instead issue one call per instance. In that case, a separate SendCommand event is emitted for each call.
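As an added example (not part of the Stratus Red Team project), the following Python detection logic covers both shapes described above: a single SendCommand call whose instanceIds lists several instances, and the one-call-per-instance variant, found by counting distinct instances targeted by one principal inside a sliding time window. The CloudTrail records, principal ARNs and thresholds are constructed for the example; the instance IDs are the ones from the sample event. Since CloudTrail hides the parameters field, the detection keys only on the instance list and the calling identity.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _rec(time, arn, instance_ids, name="SendCommand"):
    """Build a minimal CloudTrail-shaped record (constructed sample, not real data)."""
    return {"eventTime": time, "eventSource": "ssm.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn},
            "requestParameters": {"instanceIds": instance_ids, "documentName": "AWS-RunShellScript",
                                  "parameters": "HIDDEN_DUE_TO_SECURITY_REASONS", "interactive": False}}

# Constructed principals: alice fans out in one call, bob one call per instance, carol is benign.
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
CAROL = "arn:aws:iam::123456789012:user/carol"
SAMPLE_RECORDS = [
    _rec("2024-01-01T10:00:00Z", ALICE, ["i-0f364762ca43f9661", "i-0a86d1f61db2b9b5d", "i-08a69bfbe21c67e70"]),
    _rec("2024-01-01T10:05:00Z", BOB, ["i-0f364762ca43f9661"]),
    _rec("2024-01-01T10:05:30Z", BOB, ["i-0a86d1f61db2b9b5d"]),
    _rec("2024-01-01T10:06:10Z", BOB, ["i-08a69bfbe21c67e70"]),
    _rec("2024-01-01T11:00:00Z", CAROL, ["i-0f364762ca43f9661"]),
    _rec("2024-01-01T11:00:05Z", CAROL, ["i-0f364762ca43f9661"], name="ListCommands"),  # ignored: not SendCommand
]

def _send_command_events(records):
    """Yield only ssm:SendCommand records, the event this technique produces."""
    for r in records:
        if r.get("eventSource") == "ssm.amazonaws.com" and r.get("eventName") == "SendCommand":
            yield r

def flag_multi_instance_calls(records, threshold=2):
    """Single SendCommand call whose instanceIds holds >= threshold instances (the technique as detonated)."""
    hits = []
    for r in _send_command_events(records):
        ids = r.get("requestParameters", {}).get("instanceIds") or []
        if len(ids) >= threshold:
            hits.append((r["userIdentity"]["arn"], tuple(ids)))
    return hits

def flag_fanout_by_principal(records, window=timedelta(minutes=5), threshold=3):
    """One-call-per-instance variant: distinct instances one principal targets within a sliding window.
    Returns {principal_arn: max distinct instances seen in any window}; a multi-instance call also counts."""
    by_principal = defaultdict(list)
    for r in _send_command_events(records):
        t = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        for instance_id in r.get("requestParameters", {}).get("instanceIds") or []:
            by_principal[r["userIdentity"]["arn"]].append((t, instance_id))
    hits = {}
    for arn, events in by_principal.items():
        events.sort()
        for idx, (t0, _) in enumerate(events):
            seen = {i for t, i in events[idx:] if t - t0 <= window}
            if len(seen) >= threshold:
                hits[arn] = max(len(seen), hits.get(arn, 0))
    return hits
```

Tune the window and thresholds to your environment: fleet-wide patching through SSM legitimately targets many instances, so scope alerts by principal and document name rather than treating every multi-instance call as hostile.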