{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-systems-manager/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Systems Manager"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","execution","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe AWS Systems Manager (SSM) Session Manager provides interactive shell access to EC2 instances and hybrid nodes without requiring bastion hosts or open inbound ports. This capability is legitimately used by administrators for managing their AWS infrastructure. However, adversaries can abuse Session Manager for remote execution and lateral movement within an AWS environment if they obtain valid AWS credentials and IAM permissions that allow \u003ccode\u003essm:StartSession\u003c/code\u003e or related API calls. This attack vector allows them to execute commands as child processes of the SSM session worker. This activity can be difficult to detect due to the use of legitimate AWS services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains access to AWS credentials with \u003ccode\u003essm:StartSession\u003c/code\u003e permissions, possibly through credential harvesting or compromised EC2 instance roles.\u003c/li\u003e\n\u003cli\u003eAdversary uses the AWS CLI or API to initiate an SSM Session Manager session to a target EC2 instance or managed node.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003essm-session-worker\u003c/code\u003e process is started on the target host.\u003c/li\u003e\n\u003cli\u003eAdversary executes commands within the SSM session, which manifest as child processes of \u003ccode\u003essm-session-worker\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed commands may involve reconnaissance activities, such as gathering system information or network configuration.\u003c/li\u003e\n\u003cli\u003eThe adversary may attempt to download malicious payloads or tools to the compromised instance.\u003c/li\u003e\n\u003cli\u003eThe adversary uses the compromised host as a pivot point for lateral movement to other AWS resources.\u003c/li\u003e\n\u003cli\u003eAdversary achieves their objective, such as data exfiltration or deployment of malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to gain unauthorized access to EC2 instances and managed nodes within an AWS environment. This can lead to data breaches, system compromise, and disruption of services. The abuse of legitimate AWS services like SSM Session Manager can make detection more challenging, potentially prolonging the attacker\u0026rsquo;s dwell time.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious child processes of the AWS SSM Session Manager worker.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for \u003ccode\u003eStartSession\u003c/code\u003e, \u003ccode\u003eResumeSession\u003c/code\u003e, or related SSM API calls to identify the IAM principal initiating sessions (reference: Investigating AWS SSM Session Manager Child Process Execution section).\u003c/li\u003e\n\u003cli\u003eImplement strict IAM policies and least privilege principles to limit which users and roles have permissions to start SSM sessions.\u003c/li\u003e\n\u003cli\u003eReview SSM and VPC endpoint policies to ensure they are configured securely (reference: Response and remediation section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T09:45:04Z","date_published":"2026-05-18T09:45:04Z","id":"https://feed.craftedsignal.io/briefs/2026-05-aws-ssm-child-process/","summary":"This rule identifies process start events where the parent process is the AWS Systems Manager (SSM) Session Manager worker, which adversaries may abuse for remote execution and lateral movement using legitimate AWS credentials and IAM permissions.","title":"AWS SSM Session Manager Child Process Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-aws-ssm-child-process/"}],"language":"en","title":"CraftedSignal Threat Feed — AWS Systems Manager","version":"https://jsonfeed.org/version/1.1"}