CrowdStrike detection of malicious activity of Amazon SSM Agent for Windows

I think a more secure SSM Agent for Windows needs to be developed. Is there anything along these lines in the works?

I installed the valid, digitally signed AmazonSSMAgentSetup on a Windows server in preparation to present AWS as a potential alternative to our current on-prem logging solution. When opening up the Event Logs, Processes, or Performance info for this node in Fleet Manager, I get a CrowdStrike detection on the SessionManagerShell (winpty-agent.exe). This component of the SSM agent is unsigned and it is performing actions which are not acceptable in a secure Windows environment. This process downloads and executes a compressed, base64-encoded payload instead of using a proper, code-signed PowerShell script. It collects the log files successfully at first, but it also puts PowerShell into bypass and runs a series of "wevtutil cl" commands that clear various Windows Event, PowerShell, and trace logs which I prefer to retain. It's barbaric. At that point, CrowdStrike (rightfully) blocks the process and it does not continue to function.
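
The behaviour described in the post is the kind of thing a detection rule can be written for. As an added example (not part of the original post, and not code from AWS or the SSM agent), the following Python scans constructed process-creation records for wevtutil clearing a log, PowerShell started with an execution-policy bypass, and a base64 (UTF-16LE) encoded command that itself clears logs, and notes when the parent is winpty-agent.exe; the record field names and sample values are assumptions.

```python
import base64
import re
import shlex

# Constructed sample process-creation records (not real telemetry), shaped like a Sysmon
# Event ID 1 export; the encoded sample is built from plain text so its content is visible.
ENCODED = base64.b64encode("wevtutil cl Security".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent": "winpty-agent.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -ExecutionPolicy Bypass -NoProfile -Command Get-WinEvent -MaxEvents 50"},
    {"parent": "winpty-agent.exe", "image": "wevtutil.exe",
     "cmd": "wevtutil.exe cl Microsoft-Windows-PowerShell/Operational"},
    {"parent": "explorer.exe", "image": "wevtutil.exe", "cmd": "wevtutil qe Security /c:10"},
    {"parent": "winpty-agent.exe", "image": "powershell.exe",
     "cmd": f"powershell.exe -NoProfile -EncodedCommand {ENCODED}"},
]
WEVTUTIL_CLEAR = {"cl", "clear-log"}  # both spellings clear a log

def decode_encoded_command(tokens):
    """Return the script behind -EncodedCommand (any unambiguous prefix, e.g. -enc), else ''."""
    for i, tok in enumerate(tokens[:-1]):
        name = tok.lower().lstrip("-/")
        if name and "encodedcommand".startswith(name):
            try:  # powershell.exe expects UTF-16LE text, base64 encoded
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return ""
    return ""

def findings_for(event):
    """Return a list of finding strings for one process-creation record (empty if benign)."""
    tokens = shlex.split(event["cmd"], posix=False)  # keep Windows backslashes literal
    image = tokens[0].lower().rsplit("\\", 1)[-1]
    out = []
    if image.startswith("wevtutil") and any(t.lower() in WEVTUTIL_CLEAR for t in tokens[1:]):
        out.append(f"event log cleared: {event['cmd']}")
    if image.startswith("powershell"):
        if re.search(r"-(executionpolicy|ep)\s+bypass", " ".join(tokens), re.I):
            out.append("powershell execution policy bypass")
        if re.search(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", decode_encoded_command(tokens), re.I):
            out.append("encoded command clears event logs")
    if out and event["parent"].lower() == "winpty-agent.exe":
        out.append("spawned by SSM SessionManagerShell (winpty-agent.exe)")
    return out

def scan(events):
    return {i: hits for i, e in enumerate(events) if (hits := findings_for(e))}
```

Running `scan(SAMPLE_EVENTS)` flags records 0, 1 and 3 and leaves the plain `wevtutil qe` query alone.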

1 Answer

Accepted Answer

I recommend submitting the concern through the security vulnerability reporting form. Please see the Vulnerability Reporting page for more details.

AWS
Taka_M
answered 2 years ago
