Potential Linux Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
Sigma rule (View on GitHub)
1title: Potential Linux Amazon SSM Agent Hijacking
2id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7
3status: test
4description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
5references:
6 - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
7 - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
8 - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
9author: Muhammad Faisal
10date: 2023-08-03
11tags:
12 - attack.command-and-control
13 - attack.persistence
14 - attack.t1219
15logsource:
16 category: process_creation
17 product: linux
18detection:
19 selection:
20 Image|endswith: '/amazon-ssm-agent'
21 CommandLine|contains|all:
22 - '-register '
23 - '-code '
24 - '-id '
25 - '-region '
26 condition: selection
27falsepositives:
28 - Legitimate activity of system administrators
29level: medium
References
Related rules
- Potential Amazon SSM Agent Hijacking
- Anydesk Temporary Artefact
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- Communication To Uncommon Destination Ports