AWS SSM Session Manager Child Process Execution

Identifies process start events where the parent process is the AWS Systems Manager (SSM) Session Manager worker. Session Manager provides interactive shell access to EC2 instances and hybrid nodes without bastion hosts or open inbound ports. Adversaries abuse it for remote execution and lateral movement using legitimate AWS credentials and IAM permissions. This rule surfaces endpoint execution occurring under that worker for visibility and hunting. Expect noise from authorized administrative sessions.

Elastic rule

[metadata]
creation_date = "2026/04/03"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/04/03"

[rule]
author = ["Elastic"]
description = """
Identifies process start events where the parent process is the AWS Systems Manager (SSM) Session Manager worker.
Session Manager provides interactive shell access to EC2 instances and hybrid nodes without bastion hosts or open inbound ports.
Adversaries abuse it for remote execution and lateral movement using legitimate AWS credentials and IAM permissions.
This rule surfaces endpoint execution occurring under that worker for visibility and hunting. Expect noise from authorized
administrative sessions.
"""
false_positives = [
    """
    Legitimate operators using AWS Systems Manager Session Manager to administer instances will spawn child processes
    under the session worker. Tune with host, user, or command-line exclusions for known automation and break-glass
    workflows.
    """,
    """
    The SSM agent may invoke short-lived utilities (for example identity or environment probes) during session setup.
    Additional exclusions may be required in your environment.
    """,
]
from = "now-9m"
index = [
    "logs-endpoint.events.process*",
    "auditbeat-*",
    "logs-auditd_manager.auditd-*",
    "logs-crowdstrike.fdr*",
    "logs-sentinel_one_cloud_funnel.*"
]
language = "kuery"
license = "Elastic License v2"
name = "AWS SSM Session Manager Child Process Execution"
note = """## Triage and analysis

### Investigating AWS SSM Session Manager Child Process Execution

AWS Systems Manager Session Manager starts a session worker process on the endpoint; commands and shells you run in the
session appear as child processes of that worker. The same mechanism is used for authorized administration and for
adversary activity when IAM credentials or instance roles allow `ssm:StartSession` (or related) abuse.

### Possible investigation steps

- Confirm whether the host is an EC2 instance or managed node that legitimately uses Session Manager.
- Review `process.command_line`, `process.executable`, `process.user.name`, and `user.name` for the child process to
  judge intent (reconnaissance, download, credential access, persistence, etc.).
- Correlate timing with AWS CloudTrail for `StartSession`, `ResumeSession`, or related SSM API calls and the IAM
  principal that initiated the session.
- Pivot on the same `host.id` or instance identifier for other alerts or SSM activity in the same window.

### False positive analysis

- Routine interactive or automated administration via Session Manager is expected to match this rule by design.
- Prefer exclusions tied to stable attributes (approved IAM roles, automation service accounts, known script paths)
  rather than broad process-name allowlists unless validated.

### Response and remediation

- If activity is unauthorized: revoke or rotate exposed IAM credentials, review SSM and VPC endpoints policies, and
  terminate suspicious sessions from the AWS console or API.
- Isolate the instance if compromise is suspected and perform endpoint forensics following your incident response
  playbook.
"""
references = [
    "https://www.mitiga.io/blog/abusing-the-amazon-web-services-ssm-agent-as-a-remote-access-trojan",
    "https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/",
    "https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html",
]
risk_score = 21
rule_id = "cf2b8cf5-3364-4396-b551-42aae9b6d37e"
severity = "low"
tags = [
    "Domain: Endpoint",
    "Domain: Cloud",
    "OS: Linux",
    "OS: Windows",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Defend",
    "Data Source: Auditd Manager",
    "Data Source: Crowdstrike",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category: "process" and event.action : ("exec" or "exec_event" or "start" or "ProcessRollup2" or "executed" or "process_started") and
(
 process.parent.name:("ssm-session-worker.exe" or "ssm-session-worker" or "ssm-document-worker.exe" or "ssm-document-worker") or
 (process.name : "powershell.exe" and process.args : *awsrunPowerShellScript*) or
 (process.name : ("dash" or "sh" or "bash") and process.args : *awsrunShellScript*) or
 (process.parent.name : "powershell.exe" and process.parent.args : *awsrunPowerShellScript*) or
 (process.parent.name : ("dash" or "sh" or "bash") and process.parent.args : *awsrunShellScript*)
 ) and
 process.command_line:* and
 not (process.name : "powershell.exe" and process.args :("$str.Substring($str.length" or *Convert-GuidToCompressedGuid* or get-wmiobject* or $wmi_proc* or *win32_quickfixengineering*)) and
 not process.executable : ("/usr/bin/lscpu" or "/usr/bin/snap" or "/usr/bin/rpm" or "/usr/bin/dpkg-query" or /snap/snapd/*/usr/bin/snap or "/usr/bin/id" or "C:\\Program Files\\Amazon\\SSM\\Plugins\\SessionManagerShell\\winpty-agent.exe")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
name = "Unix Shell"
id = "T1059.004"
reference = "https://attack.mitre.org/techniques/T1059/004/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique]]
id = "T1651"
name = "Cloud Administration Command"
reference = "https://attack.mitre.org/techniques/T1651/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
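To make the query and the triage guidance concrete, the Python block below is an added example (not code from Elastic or the detection-rules repository). It re-implements the query's matching conditions, including both exclusion lists, over a handful of constructed ECS-style process events, then performs the CloudTrail correlation the investigation steps describe against constructed `StartSession` records. KQL semantics are simplified to exact, case-sensitive string comparison and per-element wildcard matching on multi-valued fields; `cloud.instance.id` is assumed as the instance identifier, and the CloudTrail record shape is reduced to `eventName`, `eventTime`, `userIdentity.arn` and `requestParameters.target`. Every event, path, ARN, account id and timestamp is constructed for the example.

```python
"""Evaluate the SSM Session Manager child-process rule over constructed events (added example)."""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Values taken from the rule's query.
ACTIONS = {"exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started"}
WORKERS = {"ssm-session-worker.exe", "ssm-session-worker",
           "ssm-document-worker.exe", "ssm-document-worker"}
SHELLS = {"dash", "sh", "bash"}
PS_EXCLUDED_ARGS = ["$str.Substring($str.length", "*Convert-GuidToCompressedGuid*",
                    "get-wmiobject*", "$wmi_proc*", "*win32_quickfixengineering*"]
EXCLUDED_EXECUTABLES = [
    "/usr/bin/lscpu", "/usr/bin/snap", "/usr/bin/rpm", "/usr/bin/dpkg-query",
    "/snap/snapd/*/usr/bin/snap", "/usr/bin/id",
    r"C:\Program Files\Amazon\SSM\Plugins\SessionManagerShell\winpty-agent.exe",
]


def any_arg(args, pattern):
    """KQL wildcard against a multi-valued field: true if any element matches."""
    return any(fnmatchcase(a, pattern) for a in args)


def matches_rule(ev):
    """Simplified, case-sensitive evaluation of the query over one flattened ECS event."""
    if ev.get("event.category") != "process" or ev.get("event.action") not in ACTIONS:
        return False
    name, args = ev.get("process.name", ""), ev.get("process.args", [])
    parent, pargs = ev.get("process.parent.name", ""), ev.get("process.parent.args", [])
    under_ssm = (
        parent in WORKERS
        or (name == "powershell.exe" and any_arg(args, "*awsrunPowerShellScript*"))
        or (name in SHELLS and any_arg(args, "*awsrunShellScript*"))
        or (parent == "powershell.exe" and any_arg(pargs, "*awsrunPowerShellScript*"))
        or (parent in SHELLS and any_arg(pargs, "*awsrunShellScript*"))
    )
    if not under_ssm or not ev.get("process.command_line"):   # process.command_line:*
        return False
    if name == "powershell.exe" and any(any_arg(args, p) for p in PS_EXCLUDED_ARGS):
        return False
    return not any(fnmatchcase(ev.get("process.executable", ""), p) for p in EXCLUDED_EXECUTABLES)


def matching_events(events):
    return [e for e in events if matches_rule(e)]


def ev(ts, name, exe, cmd, parent, action="exec", instance="i-0abc123def456789"):
    """Build a constructed, flattened ECS process event; args are derived from the command line."""
    return {"@timestamp": ts, "event.category": "process", "event.action": action,
            "cloud.instance.id": instance, "process.name": name, "process.executable": exe,
            "process.command_line": cmd, "process.args": cmd.split(),
            "process.parent.name": parent, "process.parent.args": []}


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed sample telemetry, not real captures
    ev("2026-04-03T10:00:05Z", "bash", "/usr/bin/bash", "bash -c 'id; uname -a'", "ssm-session-worker"),
    ev("2026-04-03T10:00:06Z", "id", "/usr/bin/id", "id -un", "ssm-session-worker"),  # excluded probe
    ev("2026-04-03T10:02:00Z", "sh", "/usr/bin/dash",  # constructed RunCommand script path
       "sh /var/lib/amazon/ssm/doc/awsrunShellScript/script.sh", "ssm-agent-worker"),
    ev("2026-04-03T11:30:00Z", "powershell.exe", PS_EXE, "powershell.exe -Command whoami /all",
       "ssm-session-worker.exe", action="start"),
    ev("2026-04-03T11:30:01Z", "powershell.exe", PS_EXE,  # excluded by the args list
       "powershell.exe -Command get-wmiobject win32_operatingsystem", "ssm-session-worker.exe", action="start"),
    ev("2026-04-03T12:00:00Z", "bash", "/usr/bin/bash", "bash -c 'uptime'", "sshd"),  # not an SSM session
]

# Constructed CloudTrail records in a reduced shape (assumption: only the fields needed here).
ACCT = "123456789012"
CLOUDTRAIL = [
    {"eventTime": "2026-04-03T09:59:40Z", "eventName": "StartSession",
     "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/OpsAdmin/alice"},
     "requestParameters": {"target": "i-0abc123def456789"}},
    {"eventTime": "2026-04-03T11:29:55Z", "eventName": "StartSession",
     "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/CI-Deploy/pipeline"},
     "requestParameters": {"target": "i-0abc123def456789"}},
    {"eventTime": "2026-04-03T11:29:58Z", "eventName": "StartSession",  # different instance
     "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/OpsAdmin/bob"},
     "requestParameters": {"target": "i-0fff000other"}},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def attribute_session(event, trail, window=timedelta(minutes=15)):
    """Principals whose StartSession/ResumeSession targeted this instance within `window` before the event."""
    t = _ts(event["@timestamp"])
    return sorted({
        r["userIdentity"]["arn"] for r in trail
        if r["eventName"] in ("StartSession", "ResumeSession")
        and r["requestParameters"].get("target") == event["cloud.instance.id"]
        and timedelta(0) <= t - _ts(r["eventTime"]) <= window
    })


if __name__ == "__main__":
    for hit in matching_events(EVENTS):
        print(hit["process.command_line"], "<-", attribute_session(hit, CLOUDTRAIL) or ["no session found"])
```

The worker-name and `awsrunShellScript` branches are kept separate so the third sample event, which has no recognised worker as its parent, still matches through the Run Command script path, and the correlation returns the IAM principal rather than a host, which is the attribute the false-positive section recommends tuning on.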
