Tag

Ssm

4 briefs RSS

AWS SSM Session Manager Child Process Execution

This rule detects process start events where the parent process is the AWS Systems Manager (SSM) Session Manager worker, which can indicate remote execution and lateral movement by adversaries abusing legitimate AWS credentials.

AWS Systems Manager aws ssm execution cloud

3r 3t 2w ago

medium advisory

AWS SSM Session Manager Child Process Execution Abuse

2 rules 3 TTPs

Adversaries abuse AWS Systems Manager (SSM) Session Manager to gain remote execution and lateral movement within AWS environments by spawning malicious child processes from the SSM session worker, leveraging legitimate AWS credentials and IAM permissions.

AWS Systems Manager Session Manager aws ssm session-manager execution cloud

2r 3t May 1, 2026

low advisory

AWS SSM Command Document Created by Rare User

2 rules 1 TTP

An AWS Systems Manager (SSM) command document creation by a user or role who does not typically perform this action, which can lead to unauthorized access, command and control, or data exfiltration.

cloud aws ssm execution

2r 1t Apr 10, 2026

medium advisory

AWS EC2 LOLBin Execution via SSM SendCommand

2 rules 2 TTPs

Detection of Living Off the Land Binaries (LOLBins) or GTFOBins execution on EC2 instances via AWS Systems Manager (SSM) SendCommand API, potentially indicating malicious activity.

aws ec2 ssm lolbin execution cloud

2r 2t Apr 10, 2026