-
Author: Elastic
-
Description: This hunting query identifies when a user starts a remote session to an EC2 instance using the AWS Systems Manager (SSM) service. The
StartSessionAPI call allows users to connect to an EC2 instance using the SSM service. MultipleStartSessionrequests to the same EC2 instance may indicate an adversary attempting to gain access to the instance for malicious purposes. By default on certain AMI types, the SSM agent is pre-installed and running, allowing for easy access to the instance without the need for SSH or RDP. -
UUID:
f9eae44e-5e4d-11ef-878f-f661ea17fbce -
Integration: aws.cloudtrail
-
Language:
[ES|QL] -
Source File: SSM Start Remote Session to EC2 Instance
from logs-aws.cloudtrail-*
| where @timestamp > now() - 7 day
| where event.provider == "ssm.amazonaws.com" and event.action == "StartSession"
| dissect aws.cloudtrail.request_parameters "{%{target_key}=%{target_instance}}"
| stats user_instance_counts = count(*) by target_instance, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.type, event.outcome- Use the
target_instancefield to identify the EC2 instance that the user connected to using the SSM service - Review the
aws.cloudtrail.user_identity*fields to identify the user making the requests and their role permissions - The
event.outcomefield can provide additional context on the success or failure of theStartSessionrequest - Identify if the EC2 instance was recently launched by filtering
event.actionfield forRunInstancesAPI calls. If the instance was not recently launched, investigate further - Sessions started from IAM users may be benign, but sessions where the
aws.cloudtrail.user_identity.typeisAssumedRoleare suspicious as they indicate instance to instance connections.
Elastic License v2