Adversaries may attempt to hijack the Amazon SSM agent on Linux systems, re-registering it so that it executes arbitrary commands with the agent's elevated privileges. The registration step shows up as the agent binary being launched with the -register, -code, -id and -region arguments, which is what the rule below looks for. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential lateral movement and persistence early.
Detection Rule (Sigma)
title: Potential Linux Amazon SSM Agent Hijacking
id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7
status: test
description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
references:
    - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
    - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
    - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
author: Muhammad Faisal
date: 2023-08-03
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.t1219.002
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/amazon-ssm-agent'
        CommandLine|contains|all:
            - '-register '
            - '-code '
            - '-id '
            - '-region '
    condition: selection
falsepositives:
    - Legitimate activity of system administrators
level: medium
Azure Sentinel Query (KQL)
imProcessCreate
| where TargetProcessName endswith "/amazon-ssm-agent"
    and TargetProcessCommandLine contains "-register "
    and TargetProcessCommandLine contains "-code "
    and TargetProcessCommandLine contains "-id "
    and TargetProcessCommandLine contains "-region "
False Positive Scenarios
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task using cron or systemd is configured to run a script that modifies SSM agent configuration files.
Filter/Exclusion: Exclude processes initiated by cron or systemd with known maintenance scripts (e.g., /etc/cron.daily/ssm-maintenance.sh).
Scenario: Admin Task to Update SSM Agent Configuration
Description: An administrator manually updates the SSM agent configuration using sudo to apply new settings or patches.
Filter/Exclusion: Exclude processes with sudo and user root or known admin users, and check for known configuration files (e.g., /etc/ssm/agent/config.json).
Scenario: Log Rotation or File Cleanup Job
Description: A log rotation tool like logrotate or a custom script is configured to clean up old SSM agent logs, which may involve file manipulation.
Filter/Exclusion: Exclude processes associated with logrotate or scripts in /etc/logrotate.d/ that target SSM log files.
Scenario: Security Patch Deployment via Configuration Management Tool
Description: A configuration management tool like Ansible or Puppet is used to deploy security patches that include SSM agent updates.
Filter/Exclusion: Exclude processes initiated by Ansible or Puppet with known playbook names or inventory hosts related to patch management.
Scenario: User-Initiated File Copy for Backup Purposes
Description: A user or script copies SSM agent files to a backup location, which may involve file access or modification.
Filter/Exclusion: Exclude processes with cp, rsync, or scp commands and check for known backup directories or user-initiated scripts.
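The following Python script is an added example, not code from the page, the Sigma rule author or the Mitiga report. It re-implements the rule's selection (image suffix plus all four registration flags) over constructed process-creation events, and layers on the kind of tuning the false-positive scenarios above describe: an allowlist of parent processes (the configuration management tooling that legitimately registers agents) and an allowlist of AWS regions the fleet is expected to register into. The parent-image field, the trusted parent names, the expected region set and the severity escalation for an unexpected region are all assumptions of this example; the activation code and id values are placeholders.

```python
"""Worked example of the 'Potential Linux Amazon SSM Agent Hijacking' logic
over constructed process-creation events, plus parent-process and region
tuning suggested by the false-positive scenarios. Not the page's own code."""
import os
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Selection from the Sigma rule: image suffix plus all four registration flags
# (the trailing spaces are part of the rule's match strings).
IMAGE_SUFFIX = "/amazon-ssm-agent"
REQUIRED_FLAGS = ("-register ", "-code ", "-id ", "-region ")

# Assumed tuning knobs (not from the page): parent process names that are
# trusted to register agents, and the region(s) this fleet registers into.
TRUSTED_PARENT_NAMES: FrozenSet[str] = frozenset({"puppet", "ansible-playbook"})
EXPECTED_REGIONS: FrozenSet[str] = frozenset({"eu-west-1"})


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # TargetProcessName in the KQL query
    command_line: str   # TargetProcessCommandLine in the KQL query
    parent_image: str   # assumed field, used for parent-process tuning
    user: str


def matches_selection(ev: ProcessEvent) -> bool:
    """Equivalent of the Sigma 'selection': Image|endswith + CommandLine|contains|all."""
    return ev.image.endswith(IMAGE_SUFFIX) and all(
        flag in ev.command_line for flag in REQUIRED_FLAGS
    )


def registration_region(command_line: str) -> Optional[str]:
    """Pull the value that follows -region so it can be compared to an allowlist."""
    m = re.search(r"(?:^|\s)-region\s+(\S+)", command_line)
    return m.group(1) if m else None


def classify(
    ev: ProcessEvent,
    trusted_parents: FrozenSet[str] = TRUSTED_PARENT_NAMES,
    expected_regions: FrozenSet[str] = EXPECTED_REGIONS,
) -> str:
    """Return 'ignore' (rule does not fire), 'tuned_out' (fires but matches an
    approved parent and region), 'medium' (rule level) or 'high' (assumed
    escalation: registration into a region the fleet never uses)."""
    if not matches_selection(ev):
        return "ignore"
    region = registration_region(ev.command_line)
    parent_name = os.path.basename(ev.parent_image)
    if parent_name in trusted_parents and region in expected_regions:
        return "tuned_out"
    if region not in expected_regions:
        return "high"
    return "medium"


def run_rule(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Apply the rule to a batch of events; returns (user, parent, verdict) for hits."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict != "ignore":
            hits.append((ev.user, os.path.basename(ev.parent_image), verdict))
    return hits


# Constructed sample events; activation code/id are placeholders, not real values.
_REG = ("amazon-ssm-agent -register -code ACTIVATION-CODE-PLACEHOLDER "
        "-id ACTIVATION-ID-PLACEHOLDER -region ")
SAMPLE_EVENTS = [
    # 1: interactive shell re-registers the agent into a region the fleet never uses
    ProcessEvent("/usr/bin/amazon-ssm-agent", _REG + "us-east-2", "/bin/bash", "root"),
    # 2: same registration driven by puppet into the expected region (FP scenario)
    ProcessEvent("/snap/amazon-ssm-agent/current/amazon-ssm-agent", _REG + "eu-west-1",
                 "/opt/puppetlabs/puppet/bin/puppet", "root"),
    # 3: ordinary agent start by systemd, no registration flags
    ProcessEvent("/usr/bin/amazon-ssm-agent", "amazon-ssm-agent",
                 "/usr/lib/systemd/systemd", "root"),
    # 4: all four flags but a different binary, so the image suffix check fails
    ProcessEvent("/usr/bin/ssm-setup-tool",
                 "ssm-setup-tool -register -code X -id Y -region eu-west-1", "/bin/bash", "root"),
    # 5: interactive registration into the expected region; stays at rule level
    ProcessEvent("/usr/bin/amazon-ssm-agent", _REG + "eu-west-1", "/bin/sh", "ubuntu"),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```

Event 4 illustrates why the image suffix matters: the flag set alone is not specific to the SSM agent. The parent-process exclusion is applied only when the region also matches, so a configuration management run that registers a host into an unfamiliar region still surfaces.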