SendCommand
Event
Remotely executes a command or script on one or more managed instances via AWS Systems Manager Run Command.
Security Context
- Remote command execution services provide adversaries with direct OS-level access to managed instances, often without requiring SSH or RDP.
- Lateral movement techniques allow adversaries to expand their foothold by accessing additional systems and services within the environment.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Execution, Lateral Movement
Techniques:
- T1651 — Cloud Administration Command — Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents.
- T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.
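As an added detection example (not code from the original page or from AWS), the Python below triages CloudTrail SendCommand records the way the Security Context above suggests: it scores each call on whether the document runs caller-supplied scripts and on how many instances it fans out to. The sample records are constructed, and the requestParameters field names (documentName, instanceIds, targets) are assumed from the CloudTrail record layout for this API.

```python
import json

# Constructed CloudTrail records for demonstration (not from the original page). Field
# names follow the CloudTrail record layout; documentName/instanceIds/targets under
# requestParameters are assumed from how SendCommand requests are logged.
SAMPLE_RECORDS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0aaa111", "i-0bbb222", "i-0ccc333"]}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/PatchRole/patcher"},
     "requestParameters": {"documentName": "AWS-RunPatchBaseline", "instanceIds": ["i-0ddd444"]}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {}},
]

# SSM documents that run caller-supplied shell or PowerShell: the direct OS-level access
# the Security Context above describes, as opposed to fixed-purpose documents.
SCRIPT_DOCS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}


def parse_cloudtrail(text):
    """Return the record list from a CloudTrail log file body ({"Records": [...]})."""
    return json.loads(text).get("Records", [])


def triage_send_commands(records, max_instances=1):
    """One finding per ssm:SendCommand record, scored on document type and fan-out."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ssm.amazonaws.com" or rec.get("eventName") != "SendCommand":
            continue
        params = rec.get("requestParameters") or {}
        document = params.get("documentName", "")
        instance_ids = params.get("instanceIds") or []
        tag_targets = params.get("targets") or []  # tag-based targeting hides the instance count
        reasons = []
        if document in SCRIPT_DOCS:
            reasons.append("arbitrary script document")
        if len(instance_ids) > max_instances or tag_targets:
            reasons.append("fan-out to multiple instances")
        findings.append({"principal": (rec.get("userIdentity") or {}).get("arn"),
                         "document": document, "instance_count": len(instance_ids),
                         "reasons": reasons, "severity": ("info", "medium", "high")[len(reasons)]})
    return findings
```

Feed it the Records array of a CloudTrail log file via parse_cloudtrail and review the "high" findings first: a script document sent to many instances from an unfamiliar principal is the pattern worth paging on.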