1. Home
  2. Techniques
  3. Cloud Administration Command

Cloud Administration Command

Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents.

If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environments virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a Trusted Relationship [MITRE] to execute commands in connected virtual machines.

AWS Specific Content


A prerequisite for this technique is that a threat actor has already gained control of an AWS identity with the permissions to perform the actions in the AWS CloudTrail Event Name(s) section.

Threat actors may take advantage of cloud management and administration services to execute commands within the environment. Resources such as AWS Systems Manager, allow users to remotely run scripts and perform actions on resources within an AWS account and can be used by threat actors to perform unauthorized actions. For example, with access to an AWS identity that has the appropriate permissions, threat actors may abuse cloud management services to execute commands within EC2 instances.

Detection

AWS Specific Content


When this technique is used by the threat actor, actions taken by the threat actor using the credentials obtained will be logged in CloudTrail. You can use the Event History page in the AWS CloudTrail console to view the last 90 days of management events in an AWS Region for the events listed in the AWS CloudTrail Event Name(s) section, such as ssm:SendCommand or ssm:StartSession.

A separate CloudTrail trail will give you an ongoing record of events in your AWS account past 90 days and can be configured to log events in multiple regions. You can also review events using the console as well as the AWS CLI.

It is also possible to create a CloudWatch metric filter to watch for when specific AWS API calls are used and perform notification actions if logged, and additionally configure CloudWatch to automatically perform an action in response to an alarm.


Mitigation

AWS Specific Content


You can make sure that principals are scoped with the least-privileged permissions necessary to perform duties, limiting the ability to perform unauthorized actions in an AWS account when not required. One possible method of applying the principle of least-privileged permissions is to use Service Control Policies to restrict the maximum available permissions for the IAM users and IAM roles within your AWS Organizations accounts (note - you should test SCPs in a development environment before deploying them in production).

You can also use IAM Access Analyzer to regularly review and verify access and manage permissions across your AWS environment, which will highlight AWS identities with excessive permissions and the actions performed by those identities.


References

  1. mitre-attack
  2. AWS Systems Manager Run Command
  3. MSTIC Nobelium Oct 2021
  4. Microsoft Run Command

Technique Information

ID: T1651
Aliases: T1651, AT1002
Sub-techniques: None
Tactics:
  • Execution
Platforms:
  • IaaS
  • Amazon Web Services (AWS)
Created: 12 Sep 2024
Last Modified: 30 May 2025