MITRE ATT&CK · TA0002 Execution

T1059 Command and Scripting Interpreter

Detection coverage in DCV across AWS, Azure and GCP for Command and Scripting Interpreter, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-04-24.

01 What is T1059?

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.

Platforms: ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, Windows.

02 Coverage in DCV

DCV maps 18 detections across 3 cloud providers to T1059. Coverage by source:

Source                            Cloud   Findings mapped   Avg confidence
AWS Security Hub                  AWS     5                 0.78
AWS Inspector                     AWS     3                 0.82
AWS GuardDuty                     AWS     2                 0.82
Azure Policy                      Azure   2                 0.85
Azure Regulatory Compliance       Azure   2                 0.85
Microsoft Defender for Cloud      Azure   2                 0.85
GCP Chronicle                     GCP     1                 0.90
GCP Security Command Center       GCP     1                 0.90

03 Detect with CloudSigma

CloudSigma ships 6 Sigma rules that detect T1059 across 6 platforms; every rule is validated against its source SIEM dialect before publication. One of the AWS rules is shown in full below.

Example: AWS Command Execution via SSM Send Command or Lambda Invocation

This rule is currently experimental: CloudSigma generated it from upstream threat intelligence, and as written it fires on every matching API call. Before enabling it in production, tune it against your environment. The falsepositives list documents expected noise but does not suppress anything, so add a filter selection to the detection block (with a condition such as selection and not filter) covering your known automation roles, service accounts and source IP allowlist. Two CloudTrail caveats also apply: a Lambda invocation appears in CloudTrail only when data-event logging is enabled for the function, and it is recorded with eventName Invoke rather than InvokeFunction, so the selection as published will not match it.

Sigma rule · CloudSigma 2026-02-06
title: AWS Command Execution via SSM Send Command or Lambda Invocation
id: 5e872385-57d6-4272-9471-8d34b0efd10d
status: experimental
description: >
    Detects command execution in AWS through SSM SendCommand, SSM automation,
    or Lambda function invocation. Adversaries may leverage these services to
    execute arbitrary commands and scripts within the cloud environment.
author: CloudSigma
date: 2026-02-06
references:
    - https://attack.mitre.org/techniques/T1059/
    - https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html
tags:
    - attack.execution
    - attack.t1059
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventName:
            - SendCommand
            - StartAutomationExecution
            - InvokeFunction
            - Invoke   # Lambda data events use this name; requires data-event logging on the trail
    condition: selection
falsepositives:
    - Legitimate automation workflows using SSM Run Command for patch management
    - Application code invoking Lambda functions as part of normal operations
level: medium
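The rule's selection run over CloudTrail records, together with the tuning filter recommended in the note above, as an added example in Python (not CloudSigma's code or tooling). The event records, the account number 123456789012, the role names and the 10.0.0.0/8 range are all constructed for illustration; evaluating the same records with and without the Invoke event name shows why a Lambda invocation would otherwise go unmatched.

```python
"""Run the Sigma selection and a tuning filter over CloudTrail records.

Added example; not CloudSigma code. The events, account number, role names
and CIDR below are constructed for illustration.
"""
import ipaddress

# Event names exactly as listed in the published rule's selection.
RULE_EVENT_NAMES = {"SendCommand", "StartAutomationExecution", "InvokeFunction"}

# CloudTrail records a Lambda invocation as a data event named "Invoke" (and
# only when data-event logging is enabled for the function), so a deployable
# selection should include this name as well.
LAMBDA_DATA_EVENT_NAME = "Invoke"

# Hypothetical tuning values: the "filter" selection you would add to the rule.
ALLOWED_ROLE_ARNS = {"arn:aws:iam::123456789012:role/PatchAutomationRole"}
ALLOWED_SOURCE_CIDRS = [ipaddress.ip_network("10.0.0.0/8")]


def principal_arn(event):
    """Role ARN for assumed-role sessions, otherwise the caller's own ARN."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "")


def matches_selection(event, include_lambda_data_event=True):
    """The rule's 'selection' block: eventName is one of the listed values."""
    names = set(RULE_EVENT_NAMES)
    if include_lambda_data_event:
        names.add(LAMBDA_DATA_EVENT_NAME)
    return event.get("eventName") in names


def is_allowlisted(event):
    """Tuning filter: a known automation role calling from an internal range."""
    if principal_arn(event) not in ALLOWED_ROLE_ARNS:
        return False
    try:
        ip = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        # Calls made by an AWS service carry a DNS name here rather than an
        # IP; do not silently allowlist those.
        return False
    return any(ip in net for net in ALLOWED_SOURCE_CIDRS)


def evaluate(events, include_lambda_data_event=True):
    """'selection and not filter': one alert per event that survives both."""
    alerts = []
    for ev in events:
        if matches_selection(ev, include_lambda_data_event) and not is_allowlisted(ev):
            alerts.append({"eventName": ev["eventName"],
                           "principal": principal_arn(ev),
                           "sourceIPAddress": ev.get("sourceIPAddress")})
    return alerts


def assumed_role(role_name, session):
    """Build the userIdentity block CloudTrail writes for an assumed role."""
    return {"type": "AssumedRole",
            "arn": f"arn:aws:sts::123456789012:assumed-role/{role_name}/{session}",
            "sessionContext": {"sessionIssuer": {
                "arn": f"arn:aws:iam::123456789012:role/{role_name}"}}}


# Constructed sample records, trimmed to the fields the logic reads.
SAMPLE_EVENTS = [
    # Patch automation from an internal range: expected noise, suppressed.
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "sourceIPAddress": "10.20.30.40",
     "userIdentity": assumed_role("PatchAutomationRole", "patch-window")},
    # IAM user running Run Command from an external address: alert.
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/contractor"}},
    # Lambda data event: matched only when "Invoke" is in the selection.
    {"eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": assumed_role("DeployRole", "ci")},
    # Allowlisted role but from outside the allowed range: still alerts.
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartAutomationExecution",
     "sourceIPAddress": "203.0.113.50",
     "userIdentity": assumed_role("PatchAutomationRole", "unexpected")},
    # Read-only API call: never selected.
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.1.1.1",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/contractor"}},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
    print("alerts without Invoke:",
          len(evaluate(SAMPLE_EVENTS, include_lambda_data_event=False)))
```

On the constructed records this yields three alerts (the contractor's SendCommand, the DeployRole Lambda invocation, and the patch role acting from an unexpected address) and suppresses the routine patch-window call; with the published selection alone the Lambda invocation is not seen at all. The filter keys on the session issuer's role ARN rather than the per-session STS ARN so that every session of an automation role is treated the same.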

04 Related techniques

Sources
  • MITRE ATT&CK, https://attack.mitre.org/techniques/T1059/
  • MITRE Tactic TA0002 Execution, https://attack.mitre.org/tactics/TA0002/
  • MITRE Center for Threat-Informed Defense, Security Stack Mappings (https://center-for-threat-informed-defense.github.io/security-stack-mappings/)
Last verified: 2026-04-24