StartSession

Event

Starts an interactive Systems Manager Session Manager session with a managed EC2 instance or on-premises server.

Security Context

  • Remote command execution services provide adversaries with direct OS-level access to managed instances, often without requiring SSH or RDP.
  • Using remote services for lateral movement allows adversaries to pivot between systems while leveraging legitimate access mechanisms.

Log Source

CloudTrail
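An added triage example (not part of the original page) showing how the security context above translates into a check over CloudTrail: it pulls every `ssm.amazonaws.com` / `StartSession` record, keeps failed attempts as well, and reports principals that opened sessions on several distinct instances, which is the pivoting pattern described above. The records, account id, ARNs, instance ids and IP addresses are constructed sample data; the field names are the standard CloudTrail ones.

```python
from collections import defaultdict

# Constructed CloudTrail records for the example; field names follow the
# CloudTrail record format, all values (account, ARNs, instance ids, IPs) are made up.
SAMPLE_RECORDS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession", "eventTime": "2024-05-01T10:00:00Z",
     "sourceIPAddress": "198.51.100.10", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"target": "i-0aaaaaaaaaaaaaaa1"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession", "eventTime": "2024-05-01T10:02:00Z",
     "sourceIPAddress": "198.51.100.10", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"target": "i-0aaaaaaaaaaaaaaa2"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession", "eventTime": "2024-05-01T10:03:00Z",
     "sourceIPAddress": "198.51.100.10", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"target": "i-0aaaaaaaaaaaaaaa3"}},
    # A denied call is still written to CloudTrail, with errorCode set and no parameters.
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession", "eventTime": "2024-05-01T11:00:00Z",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops/bob"},
     "requestParameters": None, "errorCode": "AccessDeniedException"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "eventTime": "2024-05-01T11:01:00Z",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops/bob"}},
]


def start_sessions(records):
    """Yield a flat summary for each SSM StartSession record, succeeded or not."""
    for r in records:
        if r.get("eventSource") != "ssm.amazonaws.com" or r.get("eventName") != "StartSession":
            continue
        yield {
            "time": r.get("eventTime"),
            "principal": (r.get("userIdentity") or {}).get("arn", "<unknown>"),
            "source_ip": r.get("sourceIPAddress"),
            # requestParameters can be null on failed calls, so guard before .get()
            "target": (r.get("requestParameters") or {}).get("target", "<unknown>"),
            "succeeded": "errorCode" not in r,
        }


def fanout_by_principal(records, min_targets=3):
    """Principals with successful sessions on >= min_targets distinct instances:
    one identity hopping across many hosts is the lateral-movement pattern."""
    targets = defaultdict(set)
    for s in start_sessions(records):
        if s["succeeded"]:
            targets[s["principal"]].add(s["target"])
    return {p: sorted(t) for p, t in targets.items() if len(t) >= min_targets}
```

The threshold is a tuning knob; in practice it should be set from the normal session volume per operator in your own account and paired with the session log shipped by Session Manager itself.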

Sample Event

MITRE ATT&CK Mapping

Tactics: Lateral Movement, Execution

Techniques:
  • T1651 — Cloud Administration Command — Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents.
  • T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.
  • T1021 — Remote Services — Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.