Potential Amazon SSM Agent Hijacking

Hunt Hypothesis

Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.

Detection Rule

Sigma (Original)

title: Potential Amazon SSM Agent Hijacking
id: d20ee2f4-822c-4827-9e15-41500b1fff10
status: test
description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
references:
    - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
    - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
    - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
author: Muhammad Faisal
date: 2023-08-02
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\amazon-ssm-agent.exe'
        CommandLine|contains|all:
            - '-register '
            - '-code '
            - '-id '
            - '-region '
    condition: selection
falsepositives:
    - Legitimate activity of system administrators
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith "\\amazon-ssm-agent.exe" and (TargetProcessCommandLine contains "-register " and TargetProcessCommandLine contains "-code " and TargetProcessCommandLine contains "-id " and TargetProcessCommandLine contains "-region ")

Required Data Sources

False Positive Guidance

• Legitimate activity of system administrators

MITRE ATT&CK Context

• Tactic: Command and Control
• Tactic: Persistence
• Technique: T1219.002 — T1219.002

References

• https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
• https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
• https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
• SigmaHQ Rule