Potential Amazon SSM Agent Hijacking

calendar Aug 12, 2024 · attack.command-and-control attack.persistence attack.t1219  ·
Share on: linkedin copy

Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.

Sigma rule (View on GitHub)

 1title: Potential Amazon SSM Agent Hijacking
 2id: d20ee2f4-822c-4827-9e15-41500b1fff10
 3status: test
 4description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
 5references:
 6    - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
 7    - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
 8    - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
 9author: Muhammad Faisal
10date: 2023-08-02
11tags:
12    - attack.command-and-control
13    - attack.persistence
14    - attack.t1219
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        Image|endswith: '\amazon-ssm-agent.exe'
21        CommandLine|contains|all:
22            - '-register '
23            - '-code '
24            - '-id '
25            - '-region '
26    condition: selection
27falsepositives:
28    - Legitimate activity of system administrators
29level: medium

References

Related rules

to-top