AWS SSM Session Manager Child Process Execution

Elastic Detection Rules

Summary
Identifies process.start events where the parent process is the AWS Systems Manager (SSM) Session Manager worker (e.g., ssm-session-worker or ssm-document-worker). Session Manager provides interactive shell access to EC2 and hybrid nodes without bastion hosts or open inbound ports. Adversaries abuse Session Manager for remote execution and lateral movement using legitimate AWS credentials and IAM permissions. This rule surfaces endpoint executions occurring under the session worker to aid visibility and hunting, while expecting noise from authorized administrative sessions. It aggregates signals from multiple sources (Elastic Defend, Auditd Manager, CrowdStrike, SentinelOne) to detect child processes spawned under the worker, including shells and scripted actions that leverage awsrunPowerShellScript or awsrunShellScript, with exclusions for known legitimate utilities. The rule is designed to support rapid triage, correlation with AWS API activity, and containment if unauthorized usage is detected, while guiding operators through investigation and remediation steps.
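As an added example (not Elastic's rule code), the following Python sketch mirrors the matching logic the summary describes and runs it over constructed process.start events; the event shape, shell list and exclusion list are assumptions, since the rule's actual query and exclusions are not on this page.

```python
"""Toy re-implementation of the detection logic described in the summary.
Added example only; not the Elastic rule. All sample data is constructed."""
from dataclasses import dataclass

# Parent process names named in the summary.
SSM_WORKERS = {"ssm-session-worker", "ssm-document-worker"}
# Assumed shell/interpreter names worth tagging when spawned by the worker.
SHELLS = {"sh", "bash", "dash", "zsh", "powershell", "pwsh"}
# Script-document markers named in the summary (matched inside arguments).
RUN_SCRIPT_MARKERS = ("awsrunShellScript", "awsrunPowerShellScript")
# Assumed exclusion list; the real rule's exclusions are not on this page.
ASSUMED_BENIGN = {"hostname", "uname"}

@dataclass
class ProcEvent:
    source: str       # e.g. elastic_defend, auditd, crowdstrike, sentinelone
    parent_name: str  # process.parent.name
    name: str         # process.name
    args: str         # full command line

def classify(ev: ProcEvent):
    """Return a tag for an event the rule would surface, or None if ignored."""
    if ev.parent_name not in SSM_WORKERS:
        return None                      # not spawned by an SSM worker
    if ev.name in ASSUMED_BENIGN:
        return None                      # known legitimate utility
    if any(m in ev.args for m in RUN_SCRIPT_MARKERS):
        return "ssm_run_script"          # awsrunShellScript / PowerShell doc
    if ev.name in SHELLS:
        return "shell_under_ssm_worker"  # interactive or scripted shell
    return "child_of_ssm_worker"         # any other child, for hunting

def detect(events):
    """Run classify() over a batch and return (source, name, tag) hits."""
    return [(ev.source, ev.name, tag)
            for ev in events if (tag := classify(ev))]

SAMPLE_EVENTS = [  # constructed sample data, one event per source
    ProcEvent("elastic_defend", "ssm-session-worker", "sh", "sh -c id"),
    ProcEvent("auditd", "ssm-document-worker", "bash",
              "bash /tmp/awsrunShellScript/_script.sh"),  # constructed path
    ProcEvent("crowdstrike", "ssm-session-worker", "hostname", "hostname"),
    ProcEvent("sentinelone", "sshd", "bash", "bash -l"),
    ProcEvent("elastic_defend", "ssm-session-worker", "curl",
              "curl -I https://example.invalid/"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Each hit should then be correlated with the matching StartSession or SendCommand call in CloudTrail, as the summary suggests, before deciding whether the session was authorized.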
Categories
  • Endpoint
  • Cloud
Data Sources
  • Process
ATT&CK Techniques
  • T1059
  • T1059.004
  • T1059.001
  • T1651
Created: 2026-04-03