
Commit 8d539fc

cleaned up comments
1 parent 8c1cd8a commit 8d539fc


1 file changed

+4
-6
lines changed

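--- a/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
+++ b/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
@@ -8,7 +8,7 @@ updated_date = "2025/11/23"
 author = ["Elastic"]
 description = """
 Identifies the execution of Living Off the Land Binaries (LOLBins) or GTFOBins on EC2 instances via AWS Systems Manager
-(SSM) "SendCommand" API. This detection correlates AWS CloudTrail "SendCommand" events with endpoint process execution
+(SSM) `SendCommand` API. This detection correlates AWS CloudTrail `SendCommand` events with endpoint process execution
 by matching SSM command IDs. While AWS redacts command parameters in CloudTrail logs, this correlation technique reveals
 the actual commands executed on EC2 instances. Adversaries may abuse SSM to execute malicious commands remotely without
 requiring SSH or RDP access, using legitimate system utilities for data exfiltration, establishing reverse shells, or
@@ -109,7 +109,7 @@ FROM logs-aws.cloudtrail*, logs-endpoint.* METADATA _id, _version, _index
 AND host.os.type == "linux"
 AND (
 // SSM shell (_script.sh) runner
-process.command_line LIKE "*/document/orchestration/*/awsrunShellScript/*/_script.sh"
+process.command_line LIKE "*/document/orchestration/%/awsrunShellScript/*/_script.sh"
 // LOLBins / GTFOBins
 OR process.executable IN (
 "/usr/bin/base64",
@@ -132,12 +132,10 @@ FROM logs-aws.cloudtrail*, logs-endpoint.* METADATA _id, _version, _index
 )
 
 // Endpoint leg: extract SSM command ID from parent command line
-// .../document/orchestration/<ssm_command_id>/AWS-RunShellScript/...
 | DISSECT process.parent.command_line
 "%{}/document/orchestration/%{Esql.process_parent_command_line_ssm_command_id}/%{}"
 
 // CloudTrail leg: extract SSM command ID from response_elements
-// ...commandId=<ssm_command_id>,...
 | DISSECT aws.cloudtrail.response_elements
 "%{}commandId=%{Esql.aws_cloudtrail_response_elements_ssm_command_id},%{}"
 
@@ -174,7 +172,7 @@ FROM logs-aws.cloudtrail*, logs-endpoint.* METADATA _id, _version, _index
 Esql.aws_cloudtrail_first_event_ts = MIN(CASE(Esql.is_cloud_event, @timestamp, null)),
 Esql.endpoint_events_process_first_lolbin_ts = MIN(CASE(Esql.is_lolbin_process, @timestamp, null)),
 
-// AWS / CloudTrail identity & request context (PII → Esql_priv.)
+// AWS / CloudTrail identity & request context
 Esql_priv.aws_cloudtrail_user_identity_arn_values =
 VALUES(CASE(Esql.is_cloud_event, aws.cloudtrail.user_identity.arn, null)),
 Esql_priv.aws_cloudtrail_user_identity_access_key_id_values =
@@ -221,7 +219,7 @@ FROM logs-aws.cloudtrail*, logs-endpoint.* METADATA _id, _version, _index
 Esql.aws_cloudtrail_first_event_ts
 ) <= 5
 | SORT Esql.aws_cloudtrail_first_event_ts ASC
-| KEEP Esql.*, Esql_priv.*
+| KEEP Esql.*, Esql_priv.*, @timestamp
 '''
 
 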
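Review bot: The LIKE pattern in the second hunk now mixes `%` and `*`, but ES|QL's LIKE treats only `*` and `?` as wildcards, so the `%` segment is matched literally and the SSM runner path would no longer match unless the orchestration path really contains a percent sign, which seems unlikely for a commit described as comment cleanup. The other wildcards on the same line and the `logs-aws.cloudtrail*` index patterns in the hunk headers all use `*`, so the pre-change form looks like the intended one: `process.command_line LIKE "*/document/orchestration/*/awsrunShellScript/*/_script.sh"`. The ES|QL query this line belongs to starts and ends outside the hunk. Separately, dropping `(PII → Esql_priv.)` in the fourth hunk removes the only statement of why those fields carry the `Esql_priv.` prefix; a short `// identity fields below are PII-bearing, hence the Esql_priv. prefix` comment would preserve that intent for the next maintainer.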