Merge pull request #190 from vishnuraju/master

arte-dh4wk
2025-12-12 07:40:49 -08:00 · 2025-07-24 08:48:14 +02:00
parent 8655bc665f d613dc8ce7
commit ce9f3f87af
1 changed files with 28 additions and 0 deletions
--- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md
@@ -1,5 +1,33 @@
 # AWS - SSM Perssitence

+{{#include ../../../banners/hacktricks-training.md}}
+
+## SSM
+
+For more information check:
+
+{{#ref}}
+../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md
+{{#endref}}
+
+### Using ssm:CreateAssociation for persistence
+
+An attacker with the permission ssm:CreateAssociation can create a State Manager Association to automatically execute commands on EC2 instances managed by SSM. These associations can be configured to run at a fixed interval, making them suitable for backdoor-like persistence without interactive sessions.
+
+
+```bash
+aws ssm create-association \
+  --name SSM-Document-Name \
+  --targets Key=InstanceIds,Values=target-instance-id \
+  --parameters commands=["malicious-command"] \
+  --schedule-expression "rate(30 minutes)" \
+  --association-name association-name
+```
+
+> [!NOTE]
+> This persistence method works as long as the EC2 instance is managed by Systems Manager, the SSM agent is running, and the attacker has permission to create associations. It does not require interactive sessions or explicit ssm:SendCommand permissions. **Important:** The `--schedule-expression` parameter (e.g., `rate(30 minutes)`) must respect AWS's minimum interval of 30 minutes. For immediate or one-time execution, omit `--schedule-expression` entirely — the association will execute once after creation.
+
+{{#include ../../../banners/hacktricks-training.md}}