From de4e50ff01900540ed2c6d1765e93b0b1ea47bd3 Mon Sep 17 00:00:00 2001
From: z00t
Date: Thu, 3 Aug 2023 14:42:50 +0500
Subject: [PATCH] feat: add new rule related to "Amazon SSM Agent" potential abuse (#4369)
---
.../proc_creation_win_ssm_agent_abuse.yml | 29 +++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml
diff --git a/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml b/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml
new file mode 100644
index 000000000..c5e93f434
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml
@@ -0,0 +1,29 @@
+title: Potential Amazon SSM Agent Hijacking
+id: d20ee2f4-822c-4827-9e15-41500b1fff10
+status: experimental
+description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research reoport.
+references:
+ - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
+ - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
+ - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
+author: Muhammad Faisal
+date: 2023/08/02
+tags:
+ - attack.command_and_control
+ - attack.persistence
+ - attack.t1219
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\amazon-ssm-agent.exe'
+ CommandLine|contains|all:
+ - '-register '
+ - '-code '
+ - '-id '
+ - '-region '
+ condition: selection
+falsepositives:
+ - Legitimate activity of system administrators
+level: medium
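Review bot: The selection matches the agent's normal hybrid-activation command line (`-register` with `-code`, `-id` and `-region`), so by itself it cannot tell an organization-sanctioned activation from the re-registration into a foreign AWS account that the referenced research describes; the only distinguishing signal is whether the activation ID and region in the command line belong to the organization, which analysts must check at triage. The falsepositives entry should say so, e.g. `- Legitimate hybrid activation of on-premises or non-EC2 hosts using the organization's own activation code, ID and region`, and a tuning note in the description suggesting a filter on the expected `-region` values would make the rule far more actionable. `Image|endswith: '\amazon-ssm-agent.exe'` matches on the file name only, so a copy of the agent run under another name is not covered; if the environment's telemetry provides it, an additional match on the binary's `OriginalFileName` is worth considering (I have not verified that field's value for this executable). Finally, "reoport" in the description should read "report".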