Attack Chain

1. Attacker gains access to valid AWS credentials or IAM role with ssm:StartSession permissions.
2. Attacker initiates an SSM session to a target EC2 instance or hybrid node using the compromised credentials.
3. The ssm-session-worker process is started on the target instance to manage the interactive session.
4. Attacker executes commands within the session, spawning child processes from the ssm-session-worker process.
5. Attacker may use scripting languages such as PowerShell or Bash to execute malicious code (e.g., using awsrunPowerShellScript or awsrunShellScript).
6. These scripts perform reconnaissance, download additional tools, or attempt credential access.
7. Attacker moves laterally to other instances or resources within the AWS environment.
8. The ultimate objective is often data exfiltration, privilege escalation, or maintaining persistent access.

Impact

Successful exploitation can lead to unauthorized access to sensitive data, compromise of critical systems, and lateral movement within the AWS environment. The impact can range from data breaches to complete control of the compromised infrastructure. The number of affected systems depends on the scope of the compromised credentials and the attacker’s ability to move laterally. Organizations using AWS SSM are at risk.

Recommendation

• Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious child processes spawned by ssm-session-worker.
• Correlate process activity with AWS CloudTrail logs for StartSession and related API calls to identify the IAM principal initiating the session (see the overview section for API names).
• Implement strict IAM policies and regularly review AWS credentials to minimize the risk of credential compromise.
• Monitor process.command_line, process.executable, process.user.name for unusual activity within SSM sessions.