Attack Chain

1. Adversary gains access to AWS credentials with ssm:StartSession permissions, possibly through credential harvesting or compromised EC2 instance roles.
2. Adversary uses the AWS CLI or API to initiate an SSM Session Manager session to a target EC2 instance or managed node.
3. The ssm-session-worker process is started on the target host.
4. Adversary executes commands within the SSM session, which manifest as child processes of ssm-session-worker.
5. The executed commands may involve reconnaissance activities, such as gathering system information or network configuration.
6. The adversary may attempt to download malicious payloads or tools to the compromised instance.
7. The adversary uses the compromised host as a pivot point for lateral movement to other AWS resources.
8. Adversary achieves their objective, such as data exfiltration or deployment of malware.

Impact

Successful exploitation allows an attacker to gain unauthorized access to EC2 instances and managed nodes within an AWS environment. This can lead to data breaches, system compromise, and disruption of services. The abuse of legitimate AWS services like SSM Session Manager can make detection more challenging, potentially prolonging the attacker’s dwell time.

Recommendation

• Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious child processes of the AWS SSM Session Manager worker.
• Monitor AWS CloudTrail logs for StartSession, ResumeSession, or related SSM API calls to identify the IAM principal initiating sessions (reference: Investigating AWS SSM Session Manager Child Process Execution section).
• Implement strict IAM policies and least privilege principles to limit which users and roles have permissions to start SSM sessions.
• Review SSM and VPC endpoint policies to ensure they are configured securely (reference: Response and remediation section).