Rooted

Cybersecurity, done right.


AWS Red Teaming: TTPs

When threat actors compromise an AWS user, they often follow a systematic process of enumeration and lateral movement to expand their access and gather sensitive information.
Here's a breakdown of how attackers perform these activities using various AWS CLI commands.
The first step an attacker takes is to identify the compromised IAM user and account details:

๐™–๐™ฌ๐™จ ๐™จ๐™ฉ๐™จ ๐™œ๐™š๐™ฉ-๐™˜๐™–๐™ก๐™ก๐™š๐™ง-๐™ž๐™™๐™š๐™ฃ๐™ฉ๐™ž๐™ฉ๐™ฎ

Next, attackers gather more details about the IAM user (creation date, tags, and other metadata):

๐™–๐™ฌ๐™จ ๐™ž๐™–๐™ข ๐™œ๐™š๐™ฉ-๐™ช๐™จ๐™š๐™ง --๐™ช๐™จ๐™š๐™ง-๐™ฃ๐™–๐™ข๐™š <๐™ช๐™จ๐™š๐™ง๐™ฃ๐™–๐™ข๐™š>

To understand the user's permissions, attackers check for group memberships and attached policies:

๐™–๐™ฌ๐™จ ๐™ž๐™–๐™ข ๐™ก๐™ž๐™จ๐™ฉ-๐™œ๐™ง๐™ค๐™ช๐™ฅ๐™จ-๐™›๐™ค๐™ง-๐™ช๐™จ๐™š๐™ง --๐™ช๐™จ๐™š๐™ง-๐™ฃ๐™–๐™ข๐™š <๐™ช๐™จ๐™š๐™ง๐™ฃ๐™–๐™ข๐™š>
๐™–๐™ฌ๐™จ ๐™ž๐™–๐™ข ๐™ก๐™ž๐™จ๐™ฉ-๐™–๐™ฉ๐™ฉ๐™–๐™˜๐™๐™š๐™™-๐™ช๐™จ๐™š๐™ง-๐™ฅ๐™ค๐™ก๐™ž๐™˜๐™ž๐™š๐™จ --๐™ช๐™จ๐™š๐™ง-๐™ฃ๐™–๐™ข๐™š <๐™ช๐™จ๐™š๐™ง๐™ฃ๐™–๐™ข๐™š>
๐™–๐™ฌ๐™จ ๐™ž๐™–๐™ข ๐™ก๐™ž๐™จ๐™ฉ-๐™ช๐™จ๐™š๐™ง-๐™ฅ๐™ค๐™ก๐™ž๐™˜๐™ž๐™š๐™จ --๐™ช๐™จ๐™š๐™ง-๐™ฃ๐™–๐™ข๐™š <๐™ช๐™จ๐™š๐™ง๐™ฃ๐™–๐™ข๐™š>

Attackers need to understand the permissions granted by these policies:

๐™–๐™ฌ๐™จ ๐™ž๐™–๐™ข ๐™ก๐™ž๐™จ๐™ฉ-๐™ฅ๐™ค๐™ก๐™ž๐™˜๐™ฎ-๐™ซ๐™š๐™ง๐™จ๐™ž๐™ค๐™ฃ๐™จ --๐™ฅ๐™ค๐™ก๐™ž๐™˜๐™ฎ-๐™–๐™ง๐™ฃ <๐™ฅ๐™ค๐™ก๐™ž๐™˜๐™ฎ-๐™–๐™ง๐™ฃ>
๐™–๐™ฌ๐™จ ๐™ž๐™–๐™ข ๐™œ๐™š๐™ฉ-๐™ฅ๐™ค๐™ก๐™ž๐™˜๐™ฎ-๐™ซ๐™š๐™ง๐™จ๐™ž๐™ค๐™ฃ --๐™ฅ๐™ค๐™ก๐™ž๐™˜๐™ฎ-๐™–๐™ง๐™ฃ <๐™ฅ๐™ค๐™ก๐™ž๐™˜๐™ฎ-๐™–๐™ง๐™ฃ> --๐™ซ๐™š๐™ง๐™จ๐™ž๐™ค๐™ฃ-๐™ž๐™™ <๐™ซ๐™š๐™ง๐™จ๐™ž๐™ค๐™ฃ-๐™ž๐™™>

After understanding the permissions, attackers can move laterally by assuming roles or accessing other resources:

๐™–๐™ฌ๐™จ ๐™ž๐™–๐™ข ๐™œ๐™š๐™ฉ-๐™ง๐™ค๐™ก๐™š --๐™ง๐™ค๐™ก๐™š-๐™ฃ๐™–๐™ข๐™š <๐™ง๐™ค๐™ก๐™š-๐™ฃ๐™–๐™ข๐™š>
๐™–๐™ฌ๐™จ ๐™จ๐™ฉ๐™จ ๐™–๐™จ๐™จ๐™ช๐™ข๐™š-๐™ง๐™ค๐™ก๐™š --๐™ง๐™ค๐™ก๐™š-๐™–๐™ง๐™ฃ <๐™ง๐™ค๐™ก๐™š-๐™–๐™ง๐™ฃ> --๐™ง๐™ค๐™ก๐™š-๐™จ๐™š๐™จ๐™จ๐™ž๐™ค๐™ฃ-๐™ฃ๐™–๐™ข๐™š <๐™จ๐™š๐™จ๐™จ๐™ž๐™ค๐™ฃ-๐™ฃ๐™–๐™ข๐™š>

With new permissions granted, attackers can access sensitive data like S3 bucket contents, EC2 instances or secrets stored in Secrets Manager:

๐™–๐™ฌ๐™จ ๐™š๐™˜2 ๐™™๐™š๐™จ๐™˜๐™ง๐™ž๐™—๐™š-๐™ž๐™ฃ๐™จ๐™ฉ๐™–๐™ฃ๐™˜๐™š๐™จ
๐™–๐™ฌ๐™จ ๐™จ๐™š๐™˜๐™ง๐™š๐™ฉ๐™จ๐™ข๐™–๐™ฃ๐™–๐™œ๐™š๐™ง ๐™ก๐™ž๐™จ๐™ฉ-๐™จ๐™š๐™˜๐™ง๐™š๐™ฉ๐™จ
๐™–๐™ฌ๐™จ ๐™จ๐™š๐™˜๐™ง๐™š๐™ฉ๐™จ๐™ข๐™–๐™ฃ๐™–๐™œ๐™š๐™ง ๐™œ๐™š๐™ฉ-๐™จ๐™š๐™˜๐™ง๐™š๐™ฉ-๐™ซ๐™–๐™ก๐™ช๐™š --๐™จ๐™š๐™˜๐™ง๐™š๐™ฉ-๐™ž๐™™ <๐™จ๐™š๐™˜๐™ง๐™š๐™ฉ-๐™ž๐™™>
๐™–๐™ฌ๐™จ ๐™จ3 ๐™ก๐™จ ๐™จ3://<๐™—๐™ช๐™˜๐™ ๐™š๐™ฉ-๐™ฃ๐™–๐™ข๐™š>
๐™–๐™ฌ๐™จ ๐™จ3 ๐™˜๐™ฅ ๐™จ3://<๐™—๐™ช๐™˜๐™ ๐™š๐™ฉ-๐™ฃ๐™–๐™ข๐™š>/๐™ฅ๐™–๐™จ๐™จ๐™ฌ๐™ค๐™ง๐™™๐™จ.๐™ฉ๐™ญ๐™ฉ .
