Usage of ssm:StartSession on multiple instances
slow idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Execution
Description
Simulates an attacker using AWS Systems Manager (SSM) StartSession to gain unauthorized interactive shell access to multiple EC2 instances.
Warm-up:
- Create multiple EC2 instances and a VPC (takes a few minutes).
Detonation:
- Initiates a Session Manager session (ssm:StartSession) to each of the EC2 instances.
References:
- https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac (evidence of usage in the wild)
- https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/#session-manager
- https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/
Instructions
Detection
Identify, through CloudTrail's StartSession event, when a single principal is starting interactive sessions to multiple EC2 instances within a short period of time. Sample event:
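The detection above, written out as a small detector over CloudTrail records (added example, not part of the original page or the Stratus Red Team project): it groups StartSession events by principal ARN and flags any principal that targets at least three distinct instances inside a sliding time window. The records, ARNs and instance ids are constructed; the threshold and window are assumptions to tune for your environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail records (hypothetical account, users and instance ids,
# not from the original page): "suspect" opens sessions to three distinct instances in
# a few minutes (plus a repeat on the first one); "admin" opens a single session.
def _start_session(minute, user, target):
    """Build a minimal CloudTrail record with only the fields the detector reads."""
    return {"eventTime": f"2024-01-01T10:{minute:02d}:00Z", "eventSource": "ssm.amazonaws.com",
            "eventName": "StartSession",
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"},
            "requestParameters": {"target": target}}

SAMPLE_EVENTS = json.dumps({"Records": [
    _start_session(0, "suspect", "i-0aaa"), _start_session(1, "suspect", "i-0bbb"),
    _start_session(2, "suspect", "i-0ccc"), _start_session(3, "suspect", "i-0aaa"),
    _start_session(5, "admin", "i-0ddd"),
]})

def parse_start_sessions(raw_json):
    """Yield (principal_arn, event_time, target_instance) for each ssm:StartSession record."""
    for rec in json.loads(raw_json)["Records"]:
        if rec.get("eventSource") != "ssm.amazonaws.com" or rec.get("eventName") != "StartSession":
            continue
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield rec["userIdentity"]["arn"], when, rec["requestParameters"]["target"]

def find_multi_instance_sessions(raw_json, min_instances=3, window_minutes=10):
    """Return {principal_arn: sorted distinct targets} for every principal that started
    sessions to at least min_instances distinct instances within window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_principal = defaultdict(list)
    for arn, when, target in parse_start_sessions(raw_json):
        by_principal[arn].append((when, target))
    hits = {}
    for arn, events in by_principal.items():
        events.sort()  # chronological, so each start index opens a forward-looking window
        for i, (start, _) in enumerate(events):
            targets = {t for w, t in events[i:] if w - start <= window}
            if len(targets) >= min_instances:
                hits[arn] = sorted(targets)
                break
    return hits

if __name__ == "__main__":
    for arn, targets in find_multi_instance_sessions(SAMPLE_EVENTS).items():
        print(f"ALERT: {arn} started sessions to {len(targets)} instances: {targets}")
```

Repeated sessions to the same instance are counted once, so a single admin reconnecting to one host does not trip the rule.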