[Rule Tuning] SSM Session Started to EC2 Instance (#5068)

imays11 · web-flow · commit 7ff2648cfd41 · 2025-09-11T15:54:31.000-04:00
* [Rule Tuning] SSM Session Started to EC2 Instance

Role/role session noise seen in telemetry due to new fields term using `aws.cloudtrail.user_identity.arn`, which is unique for each role session and does not isolate the role itself.

- new fields term change to `cloud.account.id` and `user.name` combination to account for both IAMUsers and Roles across multiple accounts.
- added AWS to the rule name
- reduced execution window
- small edits to description and IG
- added reference from IG to Reference section

* adding highlighted fields

* added EC2 tag

* Update lateral_movement_aws_ssm_start_session_to_ec2_instance.toml

* Apply suggestions from code review
diff --git a/rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml b/rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
@@ -2,38 +2,34 @@
 creation_date = "2024/04/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/05"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the first occurrence of an AWS resource establishing a session via SSM to an EC2 instance. Adversaries may
-use AWS Systems Manager to establish a session to an EC2 instance to execute commands on the instance. This can be used
-to gain access to the instance and perform actions such as privilege escalation. This rule helps detect the first
-occurrence of this activity for a given AWS resource.
+Identifies the first occurrence of an AWS user or role establishing a session via SSM to an EC2 instance. Adversaries may use AWS Session Manager to establish a session to an EC2 instance to execute commands on the instance. This can be used to gain access to the instance and perform actions such as privilege escalation. 
 """
-false_positives = ["Legitimate use of AWS Systems Manager to establish a session to an EC2 instance."]
-from = "now-60m"
+false_positives = ["Legitimate use of AWS Session Manager to establish a session to an EC2 instance."]
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
-interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "SSM Session Started to EC2 Instance"
+name = "AWS SSM Session Started to EC2 Instance"
 note = """## Triage and analysis
 
-### Investigating SSM Session Started to EC2 Instance
+### Investigating AWS SSM Session Started to EC2 Instance
 
-This rule detects the first instance of an AWS resource initiating an SSM session to an EC2 instance, which could be indicative of legitimate administrative activities or potential malicious actions like command execution or lateral movement.
+This rule detects the first instance of an AWS user or role initiating an SSM session to an EC2 instance, which could be indicative of legitimate administrative activities or potential malicious actions like command execution or lateral movement.
 
 #### Possible Investigation Steps
 
 - **Examine the Session Start Event**: Review the AWS CloudTrail log for the event.
-    - Look for the `StartSession` action and verify details such as the `user_identity.arn`, `event.action`, and the target EC2 instance (`aws.cloudtrail.flattened.request_parameters`).
+    - Determine the target EC2 instance using `aws.cloudtrail.request_parameters`.
 - **Verify User Identity and Role**: Check the user’s ARN and access key ID (`aws.cloudtrail.user_identity.access_key_id`).
-    - Cross-reference this with IAM to verify if the user had the necessary permissions and if their role typically requires initiating SSM sessions.
+    - Determine if their role typically requires initiating SSM sessions.
 - **Assess Geographic and IP Context**: Analyze the source IP (`source.ip`) and geographic location (`source.geo`) from which the session was initiated.
     - Determine if these are consistent with typical user locations or if they raise suspicions of compromise or misuse.
-- **Review Session Details**: Examine details like the session ID and stream URL (`aws.cloudtrail.flattened.response_elements`) to understand the scope and nature of the session.
+- **Review Session Details**: Examine details like the session ID and stream URL (`aws.cloudtrail.response_elements`) to understand the scope and nature of the session.
     - Check if any commands executed during the session were unauthorized or out of ordinary practices.
 - **Correlate with Other Security Events**: Look for other related security events around the time of the session start to identify any pattern or broader attack vector that may involve this user or EC2 instance.
 
@@ -43,12 +39,10 @@ This rule detects the first instance of an AWS resource initiating an SSM sessio
 
 ### Response and Remediation
 
-- **Immediate Session Review**: If the session initiation seems suspicious, review all actions taken during the session.
-    - If possible, terminate the session to prevent any potential harm.
-- **Validate and Reinforce Security Policies**: Ensure that policies around SSM session initiation are strict and adhere to the principle of least privilege.
-    - Update IAM policies if necessary to tighten controls.
 - **Incident Response Activation**: If malicious intent or actions are confirmed, activate the incident response protocol.
     - This includes containment of the threat, eradication of the adversary’s presence, recovery of affected systems, and a thorough investigation.
+- **Validate and Reinforce Security Policies**: Ensure that policies around SSM session initiation are strict and adhere to the principle of least privilege.
+    - Update IAM policies if necessary to tighten controls.
 - **Enhance Monitoring and Alerts**: Improve monitoring of SSM sessions, particularly focusing on sessions that involve sensitive or critical EC2 instances.
     - Adjust alerting mechanisms to flag unusual session initiations promptly.
 
@@ -60,6 +54,8 @@ For more in-depth understanding of managing SSM sessions and security best pract
 references = [
     "https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_StartSession.html",
     "https://hackingthe.cloud/aws/post_exploitation/intercept_ssm_communications/",
+    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc",
+    "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques",
 ]
 risk_score = 47
 rule_id = "804a7ac8-fc00-11ee-924b-f661ea17fbce"
@@ -69,6 +65,7 @@ tags = [
     "Data Source: AWS",
     "Data Source: Amazon Web Services",
     "Data Source: AWS SSM",
+    "Data Source: AWS EC2",
     "Use Case: Threat Detection",
     "Tactic: Lateral Movement",
     "Resources: Investigation Guide",
@@ -81,6 +78,22 @@ event.dataset:"aws.cloudtrail" and event.provider:"ssm.amazonaws.com"
     and event.action:"StartSession" and event.outcome:"success"
 '''
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+    "aws.cloudtrail.response_elements"
+]
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -102,7 +115,7 @@ reference = "https://attack.mitre.org/tactics/TA0008/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["aws.cloudtrail.user_identity.arn"]
+value = ["cloud.account.id", "user.name"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-10d"
