kql | Elastic-2.0 | from elastic/detection-rules
AWS SSM `SendCommand` with Run Shell Command Parameters
Quality: 92
Rule source: rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
event.category: "process" and event.type: "start" and process.name: "aws"
and (
    host.os.type: ("windows" or "macos")
    or (
        host.os.type: "linux"
        and event.action: ("exec" or "exec_event" or "executed" or "process_started")
    )
)
and process.args: (
    "send-command" and "--parameters" and commands=*
    and ("AWS-RunShellScript" or "AWS-RunPowerShellScript")
)