Tag
medium
advisory
AWS SSM Session Manager Child Process Execution Abuse
2 rules 3 TTPsAdversaries abuse AWS Systems Manager (SSM) Session Manager to gain remote execution and lateral movement within AWS environments by spawning malicious child processes from the SSM session worker, leveraging legitimate AWS credentials and IAM permissions.
AWS Systems Manager Session Manager
aws
ssm
session-manager
execution
cloud
2r
3t
low
advisory
AWS SSM Command Document Created by Rare User
2 rules 1 TTPAn AWS Systems Manager (SSM) command document creation by a user or role who does not typically perform this action, which can lead to unauthorized access, command and control, or data exfiltration.
cloud
aws
ssm
execution
2r
1t
medium
advisory
AWS EC2 LOLBin Execution via SSM SendCommand
2 rules 2 TTPsDetection of Living Off the Land Binaries (LOLBins) or GTFOBins execution on EC2 instances via AWS Systems Manager (SSM) SendCommand API, potentially indicating malicious activity.
aws
ec2
ssm
lolbin
execution
cloud
2r
2t