LoFP LoFP / legitimate use of aws session manager to establish a session to an ec2 instance.

Techniques

Sample rules

AWS SSM Session Started to EC2 Instance

Description

Identifies the first occurrence of an AWS user or role establishing a session via SSM to an EC2 instance. Adversaries may use AWS Session Manager to establish a session to an EC2 instance to execute commands on the instance. This can be used to gain access to the instance and perform actions such as privilege escalation.

Detection logic

event.dataset:"aws.cloudtrail" and event.provider:"ssm.amazonaws.com"
    and event.action:"StartSession" and event.outcome:"success"