LoFP: Legitimate operators using AWS Systems Manager Session Manager to administer instances will spawn child processes under the session worker. Tune with host, user, or command-line exclusions for known automation and break-glass workflows.

Techniques

Sample rules

AWS SSM Session Manager Child Process Execution

Description

Identifies process start events where the parent process is the AWS Systems Manager (SSM) Session Manager worker. Session Manager provides interactive shell access to EC2 instances and hybrid nodes without bastion hosts or open inbound ports. Adversaries abuse it for remote execution and lateral movement using legitimate AWS credentials and IAM permissions. This rule surfaces endpoint execution occurring under that worker for visibility and hunting. Expect noise from authorized administrative sessions.

Detection logic

event.category : "process" and
event.action : ("exec" or "exec_event" or "start" or "ProcessRollup2" or "executed" or "process_started") and
(
  process.parent.name : ("ssm-session-worker.exe" or "ssm-session-worker" or "ssm-document-worker.exe" or "ssm-document-worker") or
  (process.name : "powershell.exe" and process.args : *awsrunPowerShellScript*) or
  (process.name : ("dash" or "sh" or "bash") and process.args : *awsrunShellScript*) or
  (process.parent.name : "powershell.exe" and process.parent.args : *awsrunPowerShellScript*) or
  (process.parent.name : ("dash" or "sh" or "bash") and process.parent.args : *awsrunShellScript*)
) and
process.command_line : * and
not (process.name : "powershell.exe" and process.args : ("$str.Substring($str.length" or *Convert-GuidToCompressedGuid* or get-wmiobject* or $wmi_proc* or *win32_quickfixengineering*)) and
not process.executable : ("/usr/bin/lscpu" or "/usr/bin/snap" or "/usr/bin/rpm" or "/usr/bin/dpkg-query" or /snap/snapd/*/usr/bin/snap or "/usr/bin/id" or "C:\\Program Files\\Amazon\\SSM\\Plugins\\SessionManagerShell\\winpty-agent.exe")
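To see how the rule above behaves and how the host/user/command-line tuning from the false-positive note layers on top of it, here is an added Python port of the detection logic (not the rule's own code or any vendor library) run over constructed sample events. The field names follow ECS, flattened into a dict; the hosts, users, paths and the TUNING allowlist are hypothetical.

```python
import fnmatch
# Constants lifted from the rule on this page.
SSM_WORKERS = {"ssm-session-worker", "ssm-session-worker.exe", "ssm-document-worker", "ssm-document-worker.exe"}
SHELLS = {"dash", "sh", "bash"}
EXEC_ACTIONS = {"exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started"}
PS_ARG_EXCLUSIONS = ["$str.Substring($str.length", "*Convert-GuidToCompressedGuid*",
                     "get-wmiobject*", "$wmi_proc*", "*win32_quickfixengineering*"]
EXEC_EXCLUSIONS = ["/usr/bin/lscpu", "/usr/bin/snap", "/usr/bin/rpm", "/usr/bin/dpkg-query",
                   "/snap/snapd/*/usr/bin/snap", "/usr/bin/id",
                   "C:\\Program Files\\Amazon\\SSM\\Plugins\\SessionManagerShell\\winpty-agent.exe"]
def _any_match(values, patterns):
    """KQL-style list match: true if any element matches any (wildcard) pattern."""
    return any(fnmatch.fnmatchcase(v, p) for v in values for p in patterns)
def rule_matches(e):
    """Port of the page's detection logic over a flattened ECS-like event dict."""
    if e["category"] != "process" or e["action"] not in EXEC_ACTIONS:
        return False
    name, pname, args, pargs = e["name"], e["parent_name"], e["args"], e["parent_args"]
    under_ssm = (pname in SSM_WORKERS
                 or (name == "powershell.exe" and _any_match(args, ["*awsrunPowerShellScript*"]))
                 or (name in SHELLS and _any_match(args, ["*awsrunShellScript*"]))
                 or (pname == "powershell.exe" and _any_match(pargs, ["*awsrunPowerShellScript*"]))
                 or (pname in SHELLS and _any_match(pargs, ["*awsrunShellScript*"])))
    if not under_ssm or not e.get("command_line"):
        return False
    if name == "powershell.exe" and _any_match(args, PS_ARG_EXCLUSIONS):
        return False  # the rule's own PowerShell inventory-script exclusions
    return not _any_match([e["executable"]], EXEC_EXCLUSIONS)

def is_tuned_alert(e, allowlist):
    """Tuning the page suggests: drop rule hits from known hosts, users or command lines."""
    if not rule_matches(e) or e["host"] in allowlist["hosts"] or e["user"] in allowlist["users"]:
        return False
    return not _any_match([e["command_line"]], allowlist["command_lines"])
def _ev(**kw):  # constructed sample event; hosts, users and paths are hypothetical
    return {**dict(category="process", action="start", args=[], parent_args=[],
                   host="ip-10-0-0-5", user="ssm-user"), **kw}
SAMPLE_EVENTS = {
    "interactive": _ev(name="tar", executable="/usr/bin/tar", parent_name="ssm-session-worker",
                       command_line="tar czf /tmp/logs.tgz /var/log"),
    "inventory": _ev(name="dpkg-query", executable="/usr/bin/dpkg-query", parent_name="sh",
                     parent_args=["sh", "/var/lib/amazon/ssm/awsrunShellScript/_script.sh"], command_line="dpkg-query -W"),
    "automation": _ev(name="bash", executable="/usr/bin/bash", parent_name="ssm-session-worker",
                      command_line="bash /opt/patch/apply.sh", user="patchbot"),
}
TUNING = {"hosts": set(), "users": {"patchbot"}, "command_lines": ["*/opt/patch/*"]}  # hypothetical

def tuned_alerts():
    return sorted(k for k, e in SAMPLE_EVENTS.items() if is_tuned_alert(e, TUNING))
```

The "inventory" event is already dropped by the rule's executable exclusion, while the "automation" event hits the rule and is only removed by the allowlist, which is the gap the false-positive note asks you to close.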