This rule identifies process start events where the parent process is the AWS Systems Manager (SSM) Session Manager worker, which adversaries may abuse for remote execution and lateral movement using legitimate AWS credentials and IAM permissions.
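
As an added example (not the rule's own query), the logic described above can be sketched in Python over constructed process events. The ECS-style flat field names and the worker binary name `ssm-session-worker` are assumptions; the page states neither.

```python
import ntpath
from collections import defaultdict

# Assumption: the worker binary is named "ssm-session-worker" (".exe" on Windows).
WORKER_NAMES = {"ssm-session-worker", "ssm-session-worker.exe"}

def parent_name(event):
    """Lowercased parent image name, from the name field or the executable path."""
    name = event.get("process.parent.name")
    if not name:
        # ntpath.basename splits on both "\\" and "/", so it covers both OS families.
        name = ntpath.basename(event.get("process.parent.executable") or "")
    return name.lower()

def is_ssm_session_child(event):
    """True only for a process *start* event whose parent is the session worker."""
    types = event.get("event.type") or []
    if isinstance(types, str):
        types = [types]
    return "start" in types and parent_name(event) in WORKER_NAMES

def children_by_host(events):
    """Map host name -> child process names started under the session worker."""
    hits = defaultdict(list)
    for ev in events:
        if is_ssm_session_child(ev):
            hits[ev.get("host.name", "unknown")].append(ev.get("process.name", "?"))
    return dict(hits)

# Constructed sample events (hypothetical hosts; ECS-style flat keys are an assumption).
SAMPLE_EVENTS = [
    {"host.name": "web-01", "event.type": ["start"], "process.name": "sh",
     "process.parent.name": "ssm-session-worker"},
    {"host.name": "win-02", "event.type": "start", "process.name": "powershell.exe",
     "process.parent.executable": r"C:\Program Files\Amazon\SSM\SSM-Session-Worker.exe"},
    {"host.name": "web-01", "event.type": ["start"], "process.name": "bash",
     "process.parent.name": "sshd"},                      # interactive SSH, not SSM
    {"host.name": "web-01", "event.type": ["end"], "process.name": "sh",
     "process.parent.name": "ssm-session-worker"},        # exit event, not a start
    {"host.name": "db-03", "event.type": ["start"], "process.name": "sh",
     "process.parent.name": "ssm-document-worker"},       # a different worker name
]

if __name__ == "__main__":
    for host, procs in children_by_host(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(procs)}")
```

Grouping hits by host makes it easier to compare a session's child processes against the hosts where Session Manager use is expected.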