gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-27 21:23:07 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
3333cb3315c4141d64a739cfc2501040f89b4272
hacktricks-cloud/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-persistence/README.md
carlospolop 9df8a4ac92 organize aws + new attacks
2025-10-09 12:26:40 +02:00

1.4 KiB
Raw Blame History

AWS - SSM Perssitence

{{#include ../../../../banners/hacktricks-training.md}}

SSM

For more information check:

{{#ref}} ../../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md {{#endref}}

Using ssm:CreateAssociation for persistence

An attacker with the permission ssm:CreateAssociation can create a State Manager Association to automatically execute commands on EC2 instances managed by SSM. These associations can be configured to run at a fixed interval, making them suitable for backdoor-like persistence without interactive sessions.

aws ssm create-association \
  --name SSM-Document-Name \
  --targets Key=InstanceIds,Values=target-instance-id \
  --parameters commands=["malicious-command"] \
  --schedule-expression "rate(30 minutes)" \
  --association-name association-name

Note

This persistence method works as long as the EC2 instance is managed by Systems Manager, the SSM agent is running, and the attacker has permission to create associations. It does not require interactive sessions or explicit ssm:SendCommand permissions. Important: The --schedule-expression parameter (e.g., rate(30 minutes)) must respect AWS's minimum interval of 30 minutes. For immediate or one-time execution, omit --schedule-expression entirely — the association will execute once after creation.

{{#include ../../../../banners/hacktricks-training.md}}

Reference in New Issue View Git Blame Copy Permalink