Retrieve And Decrypt SSM Parameters
idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Credential Access
Description
Retrieves and decrypts a high number (30) of SSM Parameters available in an AWS region.
Warm-up:
- Create multiple SSM Parameters
Detonation:
- Use ssm:DescribeParameters to list SSM Parameters in the current region
- Use ssm:GetParameters in batches of 10 (the maximum supported value) to retrieve the values of the SSM Parameters
Instructions
Detonate with Stratus Red Team
stratus detonate aws.credential-access.ssm-retrieve-securestring-parameters
Detection
Identify principals retrieving a high number of SSM Parameters, through CloudTrail's GetParameter and GetParameters events.
It is especially suspicious when parameters of type SecureString are retrieved, which is indicated by requestParameters.withDecryption being set to true in the CloudTrail events.
The following may be used to tune the detection or validate findings:
- Principals who do not usually call ssm:GetParameter(s)
- Attempts to call ssm:GetParameter(s) resulting in access denied errors
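
The detection described above, sketched over CloudTrail records as an added example that is not part of Stratus Red Team: it counts the distinct parameters each principal retrieved with decryption and tallies access-denied attempts as a tuning signal. The threshold, ARNs, parameter names and sample events are constructed, and the events are assumed to be already scoped to one time window.

```python
from collections import defaultdict

THRESHOLD = 20  # assumption: distinct decrypted parameters per window; tune to your baseline
CALLS = ("GetParameter", "GetParameters")

def requested_names(ev):
    """Parameter names in a GetParameter ('name') or GetParameters ('names') request."""
    rp = ev.get("requestParameters") or {}
    return [rp["name"]] if "name" in rp else list(rp.get("names") or [])

def detect(events, threshold=THRESHOLD):
    """Return {principal ARN: counts} for principals at or above the threshold."""
    stats = defaultdict(lambda: {"decrypted": set(), "denied": 0})
    for ev in events:
        if ev.get("eventSource") != "ssm.amazonaws.com" or ev.get("eventName") not in CALLS:
            continue
        arn = (ev.get("userIdentity") or {}).get("arn", "unknown")
        if str(ev.get("errorCode") or "").startswith("AccessDenied"):
            stats[arn]["denied"] += 1  # failed attempts: used to validate a finding
        elif (ev.get("requestParameters") or {}).get("withDecryption") is True:
            stats[arn]["decrypted"].update(requested_names(ev))
    return {arn: {"decrypted": len(s["decrypted"]), "denied": s["denied"]}
            for arn, s in stats.items() if len(s["decrypted"]) >= threshold}

def _ev(arn, name, params, error=None):
    """Build a constructed, minimal CloudTrail-shaped record."""
    ev = {"eventSource": "ssm.amazonaws.com", "eventName": name,
          "userIdentity": {"arn": arn}, "requestParameters": params}
    if error:
        ev["errorCode"] = error
    return ev

# Constructed sample: one principal reads 30 parameters in 3 batches of 10,
# an application role reads a single parameter, and one call is denied.
BULK = "arn:aws:iam::111122223333:user/example-bulk-reader"
APP = "arn:aws:sts::111122223333:assumed-role/example-app/i-0abc"
SAMPLE_EVENTS = [
    _ev(BULK, "GetParameters",
        {"names": [f"/example/p{b * 10 + i}" for i in range(10)], "withDecryption": True})
    for b in range(3)
] + [
    _ev(APP, "GetParameter", {"name": "/example/app/db", "withDecryption": True}),
    _ev(BULK, "GetParameter", {"name": "/example/x", "withDecryption": True}, "AccessDenied"),
]

if __name__ == "__main__":
    for arn, counts in detect(SAMPLE_EVENTS).items():
        print(arn, counts)
```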