The adversary exploited an RCE vulnerability that existed in a custom PHP application running on multiple Linux servers hosted in the victim organization's Cloud Service Provider environment.
The adversary attempted to harvest Cloud Service Provider credentials via the AWS Instance Metadata Service (IMDS) API.
Cloud-conscious discovery included querying the AWS Instance Metadata Service API to enumerate IAM roles.
The adversary leveraged SSM Orchestration in an attempt to execute multiple Python reverse shells.
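The two IMDS steps above (credential harvesting and IAM role enumeration from a compromised application) both depend on the instance still answering plain IMDSv1 GET requests. The following audit is an added example, not code from the CrowdStrike report; it evaluates the `MetadataOptions` block that `aws ec2 describe-instances` returns per instance and flags settings that leave an RCE'd web application able to reach the role credentials. The instance records below are constructed sample data, and a missing `HttpTokens` field is assumed to mean the pre-IMDSv2 default of `optional`.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    instance_id: str
    issue: str


def audit_metadata_options(instances):
    """Return Findings for instances whose IMDS settings weaken the defence
    against credential harvesting from a compromised process on the host.
    `instances` is a list of dicts shaped like describe-instances output."""
    findings = []
    for inst in instances:
        iid = inst["InstanceId"]
        opts = inst.get("MetadataOptions", {})
        if opts.get("HttpEndpoint", "enabled") == "disabled":
            continue  # IMDS unreachable from the instance: nothing to query
        # IMDSv2 requires a PUT to obtain a session token first; a web app
        # abused via SSRF or a bare curl from a shell cannot do that silently.
        if opts.get("HttpTokens", "optional") != "required":  # assumed default
            findings.append(Finding(iid, "IMDSv1 allowed (HttpTokens != required)"))
        # A hop limit above 1 lets containers / NATed workloads on the host
        # reach IMDS too, widening who can pull the role credentials.
        hops = opts.get("HttpPutResponseHopLimit", 1)
        if hops > 1:
            findings.append(Finding(iid, f"HttpPutResponseHopLimit={hops} (>1)"))
    return findings


# Constructed sample instances (not real identifiers).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa11111111111aa", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb22222222222bb", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0ccc33333333333cc", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ddd44444444444dd", "MetadataOptions": {
        "HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]

if __name__ == "__main__":
    for f in audit_metadata_options(SAMPLE_INSTANCES):
        print(f"{f.instance_id}: {f.issue}")
```

Instances flagged for `HttpTokens` can be remediated with `aws ec2 modify-instance-metadata-options --http-tokens required`; the hardened instance in the sample (required tokens, hop limit 1) produces no finding.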
https://go.crowdstrike.com/rs/281-OBQ-266/images/report-crowdstrike-2023-threat-hunting-report.pdf
Page 37: