Skip to content

ResumeSession

AWS

ResumeSession

service: AWS - SSM
techniques:

Event

Resumes a previously disconnected Systems Manager Session Manager session with a managed instance.

Security Context

  • Remote command execution services provide adversaries with direct OS-level access to managed instances, often without requiring SSH or RDP.
  • Using remote services for lateral movement allows adversaries to pivot between systems while leveraging legitimate access mechanisms.

Log Source

CloudTrail

Sample Event

Adversarial. Draco resumes a previously disconnected SSM session against an EC2 instance he had already pivoted to. ResumeSession is quieter than StartSession in some detection pipelines (StartSession gets all the attention), so adversaries who lose connectivity prefer to resume rather than start fresh. T1021 (remote services) + T1059 (command interpreter on the target).

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T20:01:08Z",
"eventSource": "ssm.amazonaws.com",
"eventName": "ResumeSession",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"sessionId": "draco-0occamy0000000001-01jt7bsx6q9wt8h2k3v8m4dr1n"
},
"responseElements": {
"sessionId": "draco-0occamy0000000001-01jt7bsx6q9wt8h2k3v8m4dr1n",
"tokenValue": "HIDDEN_DUE_TO_SECURITY_REASONS",
"streamUrl": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"requestID": "90000000-0000-4000-8000-000110100010",
"eventID": "90000000-0000-4000-8000-000110100011",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ssm.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Lateral Movement Execution

Techniques:
  • T1021 — Remote Services — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
  • T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface a...