AWS SSM Session Manager Child Process Execution Abuse
Adversaries abuse AWS Systems Manager (SSM) Session Manager to gain remote execution and lateral movement within AWS environments by spawning malicious child processes from the SSM session worker, leveraging legitimate AWS credentials and IAM permissions.
AWS Systems Manager (SSM) Session Manager provides interactive shell access to EC2 instances and hybrid nodes without the need for bastion hosts or open inbound ports. Attackers can abuse this functionality by leveraging compromised AWS credentials or IAM roles with ssm:StartSession permissions to gain unauthorized access to target systems. This allows for remote execution of commands and lateral movement within the AWS environment. The technique involves spawning child processes from the SSM session worker process to perform malicious activities. Defenders should monitor for unusual process execution patterns originating from SSM sessions to identify potential abuse.
Attack Chain
- Attacker gains access to valid AWS credentials or an IAM role with ssm:StartSession permissions.
- Attacker initiates an SSM session to a target EC2 instance or hybrid node using the compromised credentials.
- The ssm-session-worker process is started on the target instance to manage the interactive session.
- Attacker executes commands within the session, spawning child processes from the ssm-session-worker process.
- Attacker may use scripting languages such as PowerShell or Bash to execute malicious code (e.g., via the AWS-RunPowerShellScript or AWS-RunShellScript documents).
- These scripts perform reconnaissance, download additional tools, or attempt credential access.
- Attacker moves laterally to other instances or resources within the AWS environment.
- The ultimate objective is often data exfiltration, privilege escalation, or maintaining persistent access.
Impact
Successful exploitation can lead to unauthorized access to sensitive data, compromise of critical systems, and lateral movement within the AWS environment. The impact can range from data breaches to complete control of the compromised infrastructure. The number of affected systems depends on the scope of the compromised credentials and the attacker’s ability to move laterally. Organizations using AWS SSM are at risk.
Recommendation
- Deploy the Sigma rules in this brief to your SIEM and tune them for your environment to detect suspicious child processes spawned by ssm-session-worker.
- Correlate process activity with AWS CloudTrail logs for StartSession and related API calls to identify the IAM principal initiating the session (see the overview section for API names).
- Implement strict IAM policies and regularly review AWS credentials to minimize the risk of credential compromise.
- Monitor process.command_line, process.executable and process.user.name for unusual activity within SSM sessions.
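As an added example (not part of this brief or its Sigma rules), the following Python implements the generic parent-process check and the CloudTrail correlation recommended above over constructed sample events. It assumes ECS field names for the endpoint telemetry and that host.name carries the EC2 instance ID so it can be matched to the StartSession target parameter; all hosts, ARNs and timestamps are constructed.

```python
import re

WORKER_NAMES = {"ssm-session-worker", "ssm-session-worker.exe"}

# Constructed endpoint process-creation events (ECS field names); the cron child is benign.
PROCESS_EVENTS = [
    {"@timestamp": "2024-01-01T10:00:05Z", "host.name": "i-0abc123", "process.user.name": "ssm-user",
     "process.parent.executable": "/usr/bin/ssm-session-worker",
     "process.executable": "/bin/bash", "process.command_line": "bash -c 'id; uname -a'"},
    {"@timestamp": "2024-01-01T10:00:09Z", "host.name": "i-0abc123", "process.user.name": "root",
     "process.parent.executable": "/usr/sbin/cron",
     "process.executable": "/bin/sh", "process.command_line": "sh -c /opt/backup.sh"},
    {"@timestamp": "2024-01-01T11:30:00Z", "host.name": "i-0def456", "process.user.name": "ssm-user",
     "process.parent.executable": r"C:\Program Files\Amazon\SSM\ssm-session-worker.exe",
     "process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "process.command_line": "powershell.exe -NoProfile -Command Get-LocalUser"},
]

# Constructed CloudTrail records for the ssm:StartSession calls that opened the sessions.
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2024-01-01T09:59:50Z", "eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "requestParameters": {"target": "i-0abc123"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}},
    {"eventTime": "2024-01-01T11:29:40Z", "eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "requestParameters": {"target": "i-0def456"},
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ExampleRole/example-session"}},
]


def is_ssm_worker_child(event):
    """True when the parent image is the SSM session worker, on Linux or Windows paths."""
    parent = event.get("process.parent.executable", "")
    return re.split(r"[\\/]", parent)[-1].lower() in WORKER_NAMES


def originating_principal(event, trail):
    """ARN from the latest StartSession against this instance before the process event."""
    hits = [t for t in trail
            if t.get("eventName") == "StartSession"
            and t.get("requestParameters", {}).get("target") == event["host.name"]
            and t["eventTime"] <= event["@timestamp"]]  # ISO-8601 UTC strings sort lexically
    return max(hits, key=lambda t: t["eventTime"])["userIdentity"]["arn"] if hits else None


def detect(events, trail):
    """One alert per child of ssm-session-worker, enriched with the initiating IAM principal."""
    return [{"host": e["host.name"], "user": e["process.user.name"],
             "executable": e["process.executable"], "command_line": e["process.command_line"],
             "principal": originating_principal(e, trail)}
            for e in events if is_ssm_worker_child(e)]
```

In production the principal lookup should also honour the session's end time (TerminateSession) so a later session on the same instance is not blamed for an earlier process.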
Detection coverage (2 rules)
Detect AWS SSM Session Manager Child Process Execution (Generic)
Severity: medium. Detects process execution where the parent process is the AWS SSM Session Manager worker, indicating potential abuse for remote execution and lateral movement.
Detect AWS SSM Session Manager Child Process Execution (Linux)
Severity: medium. Detects process execution where the parent process is the AWS SSM Session Manager worker on Linux, indicating potential abuse for remote execution and lateral movement.