gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-30 14:40:37 -08:00
Code Issues Packages Projects Releases Wiki Activity

ssm

Browse Source
This commit is contained in:
carlospolop
2025-07-24 08:53:00 +02:00
parent ce9f3f87af
commit 46a8364006
4 changed files with 27 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md → src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-persistence.md
View File

@@ -12,7 +12,7 @@ For more information check:
### Using ssm:CreateAssociation for persistence
An attacker with the permission ssm:CreateAssociation can create a State Manager Association to automatically execute commands on EC2 instances managed by SSM. These associations can be configured to run at a fixed interval, making them suitable for backdoor-like persistence without interactive sessions.
An attacker with the permission **`ssm:CreateAssociation`** can create a State Manager Association to automatically execute commands on EC2 instances managed by SSM. These associations can be configured to run at a fixed interval, making them suitable for backdoor-like persistence without interactive sessions.
```bash

17
src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md
View File

@@ -121,6 +121,23 @@ aws ssm get-command-invocation --command-id <cmd_id> --instance-id <i_id>
**Potential Impact:** Find sensitive information inside the output of the command lines.
### Using ssm:CreateAssociation
An attacker with the permission **`ssm:CreateAssociation`** can create a State Manager Association to automatically execute commands on EC2 instances managed by SSM. These associations can be configured to run at a fixed interval, making them suitable for backdoor-like persistence without interactive sessions.
```bash
aws ssm create-association \
--name SSM-Document-Name \
--targets Key=InstanceIds,Values=target-instance-id \
--parameters commands=["malicious-command"] \
--schedule-expression "rate(30 minutes)" \
--association-name association-name
```
> [!NOTE]
> This persistence method works as long as the EC2 instance is managed by Systems Manager, the SSM agent is running, and the attacker has permission to create associations. It does not require interactive sessions or explicit ssm:SendCommand permissions. **Important:** The `--schedule-expression` parameter (e.g., `rate(30 minutes)`) must respect AWS's minimum interval of 30 minutes. For immediate or one-time execution, omit `--schedule-expression` entirely — the association will execute once after creation.
### Codebuild
You can also use SSM to get inside a codebuild project being built:

8
src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md
View File

@@ -200,6 +200,14 @@ In the following page you can check how to **abuse SSM permissions to escalate p
../../aws-privilege-escalation/aws-ssm-privesc.md
{{#endref}}
### Perssistence
In the following page you can check how to **abuse SSM permissions to achieve persistence**:
{{#ref}}
../../aws-persistence/aws-ssm-persistence.md
{{#endref}}
## ELB
**Elastic Load Balancing** (ELB) is a **load-balancing service for Amazon Web Services** (AWS) deployments. ELB automatically **distributes incoming application traffic** and scales resources to meet traffic demands.