Usage of ssm:StartSession on multiple instances

slow idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Execution

Description

Simulates an attacker utilizing AWS Systems Manager (SSM) StartSession to gain unauthorized interactive access to multiple EC2 instances.

Warm-up:

  • Create multiple EC2 instances and a VPC (takes a few minutes).

Detonation:

  • Initiates a connection to the EC2 instances for a Session Manager session.

References:

Instructions

Detonate with Stratus Red Team
stratus detonate aws.execution.ssm-start-session

Detection

Identify, through CloudTrail's StartSession event, when a user is starting an interactive session to multiple EC2 instances. Sample event:

{
  "eventSource": "ssm.amazonaws.com",
  "eventName": "StartSession",
  "requestParameters": {
    "target": "i-123456"
  },
  "responseElements": {
    "sessionId": "...",
    "tokenValue": "Value hidden due to security reasons.",
    "streamUrl": "wss://ssmmessages.eu-west-1.amazonaws.com/v1/data-channel/..."
  }
}
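
One way to turn the detection above into logic, as an added example that is not part of Stratus Red Team: group StartSession events by calling principal and flag any principal that reaches several distinct EC2 instances inside a sliding time window. The window, the threshold, the helper names and the sample records are assumptions constructed for illustration; `userIdentity.arn` and `eventTime` are standard CloudTrail record fields that the trimmed sample event omits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumption: tune per environment
THRESHOLD = 3                   # assumption: distinct instances per principal

def _event(arn, time, target, name="StartSession"):
    """Build a constructed CloudTrail-shaped record (sample data, not a real log)."""
    return {"eventSource": "ssm.amazonaws.com", "eventName": name, "eventTime": time,
            "userIdentity": {"arn": arn}, "requestParameters": {"target": target}}

ALICE, BOB, CAROL = (f"arn:aws:iam::111111111111:user/{n}" for n in ("alice", "bob", "carol"))
SAMPLE_EVENTS = [
    _event(ALICE, "2024-01-01T10:00:00Z", "i-0aaa"),
    _event(ALICE, "2024-01-01T10:02:00Z", "i-0bbb"),
    _event(ALICE, "2024-01-01T10:04:00Z", "i-0ccc"),
    _event(BOB, "2024-01-01T10:00:00Z", "i-0ddd"),    # same instance repeatedly
    _event(BOB, "2024-01-01T10:01:00Z", "i-0ddd"),
    _event(BOB, "2024-01-01T10:02:00Z", "i-0ddd"),
    _event(CAROL, "2024-01-01T08:00:00Z", "i-0eee"),  # spread over hours
    _event(CAROL, "2024-01-01T11:00:00Z", "i-0fff"),
    _event(CAROL, "2024-01-01T14:00:00Z", "i-0abc"),
    _event(CAROL, "2024-01-01T14:01:00Z", "i-0aaa", name="SendCommand"),  # ignored
]

def find_multi_instance_sessions(events, window=WINDOW, threshold=THRESHOLD):
    """Map principal ARN -> instance IDs when it started sessions on at least
    `threshold` distinct EC2 instances inside one sliding `window`."""
    hits = defaultdict(list)
    for e in events:
        if (e.get("eventSource"), e.get("eventName")) != ("ssm.amazonaws.com", "StartSession"):
            continue
        arn = (e.get("userIdentity") or {}).get("arn")
        target = (e.get("requestParameters") or {}).get("target") or ""
        if arn and target.startswith("i-"):  # EC2 instances only
            when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            hits[arn].append((when, target))
    alerts = {}
    for arn, seen in hits.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1  # drop events that fell out of the window
            targets = {t for _, t in seen[start:end + 1]}
            if len(targets) >= threshold:
                alerts[arn] = sorted(targets)
                break
    return alerts

if __name__ == "__main__":
    print(find_multi_instance_sessions(SAMPLE_EVENTS))
```

Repeated sessions to a single instance and sessions spread over hours do not trigger; only distinct targets inside one window count.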