StartSession
AWS
StartSession
Event
Starts an interactive Systems Manager Session Manager session with a managed EC2 instance or on-premises server.
Security Context
- Remote command execution services provide adversaries with direct OS-level access to managed instances, often without requiring SSH or RDP.
- Using remote services for lateral movement allows adversaries to pivot between systems while leveraging legitimate access mechanisms.
Log Source
CloudTrail
Sample Event
Adversarial. Draco starts an interactive SSM session on i-0occamy0000000001 — the OCCAMY pipeline host. From here he can shell-out to OS-level activity, read environment variables (which often contain secrets in CI/CD hosts), and pivot. T1021 + T1059. This is the prequel event to the ResumeSession draft (event 10 of 34).
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T19:58:24Z", "eventSource": "ssm.amazonaws.com", "eventName": "StartSession", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "target": "i-0occamy0000000001" }, "responseElements": { "sessionId": "draco-0occamy0000000001-01jt7bsx6q9wt8h2k3v8m4dr1n", "tokenValue": "HIDDEN_DUE_TO_SECURITY_REASONS", "streamUrl": "HIDDEN_DUE_TO_SECURITY_REASONS" }, "requestID": "90000000-0000-4000-8000-000110110110", "eventID": "90000000-0000-4000-8000-000110110111", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "ssm.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Lateral Movement Execution
Techniques:
- T1651 — Cloud Administration Command — Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents.
- T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface a...
- T1021 — Remote Services — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.