Potential Amazon SSM Agent Hijacking

 1title: Potential Amazon SSM Agent Hijacking
 2id: d20ee2f4-822c-4827-9e15-41500b1fff10
 3status: experimental
 4description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
 5references:
 6    - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
 7    - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
 8    - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
 9author: Muhammad Faisal
10date: 2023/08/02
11tags:
12    - attack.command_and_control
13    - attack.persistence
14    - attack.t1219
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        Image|endswith: '\amazon-ssm-agent.exe'
21        CommandLine|contains|all:
22            - '-register '
23            - '-code '
24            - '-id '
25            - '-region '
26    condition: selection
27falsepositives:
28    - Legitimate activity of system administrators
29level: medium

References

• Mitiga Security Advisory: Abusing the SSM Agent as a Remote Access Trojan

  

  Mitiga's research discovered a significant new post-exploitation security concept: involving the use of Systems Manager (SSM) agent as a Remote Access Trojan (RAT) on Linux and Windows machines, controlling them using another AWS account. We shared our research with the AWS security team and included some of their feedback to this advisory.

  
  Read More

• Amazon's AWS SSM agent can be used as post-exploitation RAT malware

  

  Researchers have discovered a new post-exploitation technique in Amazon Web Services (AWS) that allows hackers to use the platform's System Manager (SSM) agent as an undetectable Remote Access Trojan (RAT).

  
  Read More

• Attackers can turn AWS SSM agents into remote access trojans - Help Net Security

  

  A new post-exploitation technique may allow attackers to gain persistent remote access to AWS EC2 instances and non-EC2 machines.

  
  Read More

Related rules

• Potential Linux Amazon SSM Agent Hijacking
• DNS Query To Remote Access Software Domain From Non-Browser App
• ScreenConnect Temporary Installation Artefact
• Inveigh Execution Artefacts
• Mesh Agent Service Installation