Analytics Alerts
Browse the Cortex analytics alert reference.
4 alerts match the current filters. tactic: TA0002 ✕ technique: T1651 ✕
Show ATT&CK heatmapAWS SSM send command attempt Informational Cloud 2 variations
An identity executed an AWS SSM Document.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Cloud Administration Command (T1651)Required data: AWS Audit LogDetector tags: Cloud Lateral Movement AnalyticsAttacker's goals: Gaining unauthorized access, executing unauthorized commands, or compromising sensitive information within the target system.Investigative actions: Examine the code in the SSM document, and the target objects. Validate the permissions and roles associated with the user initiating the SSM session to ensure they align with the expected level of access. Follow further actions taken by the identity or on the relevant targets.Variations
AWS SSM SendCommand targeting multiple instances
Low overridden
An identity executed an AWS SSM Document. overridden
Unusual AWS SSM send command
Low overridden
An identity executed an AWS SSM Document. overridden
Cloud compute instance user data script modification Informational Cloud 1 variation
The user data of a cloud compute instance was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Cloud Administration Command (T1651)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Execute commands within virtual machines.Investigative actions: Verify whether this action is expected. Inspect the user data script for malicious content.Variations
Unusual Cloud compute instance user data script modification
Low overridden
The user data of a cloud compute instance was modified. overridden
Command execution via AWS SSM Medium Cloud
A cloud identity performed multiple unusual activities leading to code execution using AWS Systems Manager service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)ATT&CK techniques: Cloud Administration Command (T1651) Remote Services: Direct Cloud VM Connections (T1021.008)Required data: AWS Audit LogAttacker's goals: Gaining unauthorized access, executing unauthorized commands or compromising sensitive information within the target system.Investigative actions: Investigate the activities related to the suspected identity. Examine the code executed on the target instance(s).Suspicious cloud user data modification attempt followed by VM restart Low Cloud
Suspicious user data modification followed by VM restart, possibly an attempt to run altered startup scripts at boot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Cloud Administration Command (T1651)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Execute arbitrary code, establish persistence, or alter instance startup behavior through modified user data.Investigative actions: Review the identity who modified the instance user data. Inspect the user data script for malicious content.