ResumeSession
AWS
ResumeSession
Event
Resumes a previously disconnected Systems Manager Session Manager session with a managed instance.
Security Context
- Remote command execution services provide adversaries with direct OS-level access to managed instances, often without requiring SSH or RDP.
- Using remote services for lateral movement allows adversaries to pivot between systems while leveraging legitimate access mechanisms.
Log Source
CloudTrail
Sample Event
Adversarial. Draco resumes a previously disconnected SSM session against an EC2 instance he had already pivoted to. ResumeSession is quieter than StartSession in some detection pipelines (StartSession gets all the attention), so adversaries who lose connectivity prefer to resume rather than start fresh. T1021 (remote services) + T1059 (command interpreter on the target).
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T20:01:08Z", "eventSource": "ssm.amazonaws.com", "eventName": "ResumeSession", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "sessionId": "draco-0occamy0000000001-01jt7bsx6q9wt8h2k3v8m4dr1n" }, "responseElements": { "sessionId": "draco-0occamy0000000001-01jt7bsx6q9wt8h2k3v8m4dr1n", "tokenValue": "HIDDEN_DUE_TO_SECURITY_REASONS", "streamUrl": "HIDDEN_DUE_TO_SECURITY_REASONS" }, "requestID": "90000000-0000-4000-8000-000110100010", "eventID": "90000000-0000-4000-8000-000110100011", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "ssm.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Lateral Movement Execution
Techniques:
- T1021 — Remote Services — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
- T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface a...