Run Shell Commands on EC2 with Send Command or Session Manager
After escalating privileges in a target AWS account or otherwise gaining privileged access you may want to run commands on EC2 instances in the account. This article hopes to provide a quick and referenceable cheat sheet on how to do this via ssm:SendCommand or ssm:StartSession.
By default, the commands that are issued are not logged to CloudTrail. Specifically they are "HIDDEN_DUE_TO_SECURITY_REASONS". As a result, if an adversary were to leverage this tactic against an environment, defenders would need to get information about those commands from host based controls. Defenders, this is an excellent capability to validate. Alternatively, offensive security teams can do the testing.
You can send arbitrary shell commands to EC2 instances from the AWS CLI via the following:
aws ssm send-command \ --instance-ids "i-00000000000000000" \ --document-name "AWS-RunShellScript" --parameters commands="*shell commands here*"
If you're just looking to run a quick C2 payload, or perhaps create a new user this will likely be enough. However, if you also want to retrieve the output of the command you will need to make a ssm:ListCommandInvocations call as well.
If you would like to retrieve the output, make a note of the
CommandId returned to you in the Send Command call. After a short period of time (to let the command run) you can use this Id to lookup the results. You can do this with the following:
aws ssm list-command-invocations \ --command-id "command_id_guid" \ --details
--details is required to view the output of the command.
The output of the command will be in the
Output section under
Required IAM Permission: ssm:StartSession
If instead you'd like a more interactive shell experience, you can make use of Session Manager. Session Manager allows you to have an SSH-esc experience, making it easy to interact with EC2 instances.
To begin, you will first need to install the SSM Session Manager Plugin. The specifics of this will depend on what operating system you are using.
With that installed, you can then run the following command to start an interactive session.
aws ssm start-session --target instance-id