
Potential Linux Amazon SSM Agent Hijacking

Sigma Rules

Summary
This detection rule targets potential hijacking of the Amazon SSM (Systems Manager) Agent on Linux systems. The SSM agent is a service for managing EC2 instances; if compromised, it can be repurposed as a remote access trojan (RAT). The rule is derived from examples in a Mitiga research report describing how attackers can abuse the SSM agent to gain unauthorized access to cloud infrastructure. It monitors process creation events for executions of the Amazon SSM agent whose command line contains flags indicative of a hijack attempt, namely '-register', '-code', '-id', and '-region', a deviation from normal operational procedures. Such behavior could indicate an attempt to register a maliciously modified SSM agent, giving attackers persistence and command-and-control capabilities over EC2 instances and thus posing a significant threat to their security.
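The matching logic described above, written out as an added example so it can be exercised against sample process-creation events. This is not code from the Sigma project or from the Mitiga report; it assumes the Linux agent binary is named amazon-ssm-agent (the summary only says "processes related to the Amazon SSM agent"), and the events, activation code, id and region values are constructed placeholders.

```python
"""Added example: process-creation matching for the SSM agent hijack rule."""
from dataclasses import dataclass

# Flags the rule summary names as indicative of a registration attempt.
HIJACK_FLAGS = ("-register", "-code", "-id", "-region")

# Assumption: the agent binary on Linux is named 'amazon-ssm-agent'.
AGENT_IMAGE_SUFFIX = "/amazon-ssm-agent"


@dataclass
class ProcessEvent:
    image: str         # full path of the executed binary
    command_line: str  # full command line as recorded by the sensor


def tokens(command_line: str) -> set:
    """Whitespace-split the command line so '-id' does not match e.g. '-identity'."""
    return set(command_line.split())


def is_ssm_hijack_candidate(event: ProcessEvent) -> bool:
    """True when the image is the SSM agent and all four flags are present."""
    if not event.image.endswith(AGENT_IMAGE_SUFFIX):
        return False
    present = tokens(event.command_line)
    return all(flag in present for flag in HIJACK_FLAGS)


def scan(events):
    """Return the command lines of all events that satisfy the rule."""
    return [e.command_line for e in events if is_ssm_hijack_candidate(e)]


# Constructed sample events (not real telemetry); code/id/region are placeholders.
SAMPLE_EVENTS = [
    # Agent re-registered with all four flags: matches.
    ProcessEvent("/usr/bin/amazon-ssm-agent",
                 "amazon-ssm-agent -register -code PLACEHOLDER_CODE "
                 "-id PLACEHOLDER_ID -region us-east-1"),
    # Routine agent start with no registration flags: no match.
    ProcessEvent("/usr/bin/amazon-ssm-agent", "amazon-ssm-agent"),
    # Snap install path, same flags in a different order: matches.
    ProcessEvent("/snap/amazon-ssm-agent/current/amazon-ssm-agent",
                 "amazon-ssm-agent -region eu-west-1 -id PLACEHOLDER_ID "
                 "-code PLACEHOLDER_CODE -register"),
    # Unrelated binary using similar-looking flags: no match (image check fails).
    ProcessEvent("/usr/bin/mytool", "mytool -register -code x -id y -region z"),
    # Agent invoked with only some of the flags: no match (all four required).
    ProcessEvent("/usr/bin/amazon-ssm-agent",
                 "amazon-ssm-agent -register -region us-west-2"),
]

if __name__ == "__main__":
    for cmd in scan(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Two tuning points follow from the code. The Sigma `contains` modifier is a substring match, so a literal port is looser than the token match used here and '-id' would also hit longer flag names. And the same four flags are used by legitimate hybrid-activation registrations, so matches should be baselined against known provisioning activity rather than treated as conclusive on their own.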
Categories
  • Linux
  • Cloud
  • AWS
Data Sources
  • Process
Created: 2023-08-03