legitimate use of aws systems manager to establish a session to an ec2 instance.

t1021
aws
elastic

Techniques

T1021

Sample rules

SSM Session Started to EC2 Instance

source: elastic
technicques:
- T1021

Description

Identifies the first occurrence of an AWS resource establishing a session via SSM to an EC2 instance. Adversaries may use AWS Systems Manager to establish a session to an EC2 instance to execute commands on the instance. This can be used to gain access to the instance and perform actions such as privilege escalation. This rule helps detect the first occurrence of this activity for a given AWS resource.

Detection logic

event.dataset:"aws.cloudtrail" and event.provider:"ssm.amazonaws.com"
    and event.action:"StartSession" and event.outcome:"success"