New attack technique: Usage of ec2instanceconnect:SendSSHPublicKey on multiple instances (#467)

* add aws send-ssh-public-key attack technique
* delete replace
* terraform fmt
* Formatting and small code enhancements

---------

Co-authored-by: Christophe Tafani-Dereeper <[email protected]>
1 parent f3b95ef, commit 8947d72
Showing 11 changed files with 356 additions and 4 deletions.
docs/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect.md (59 changes: 59 additions & 0 deletions)
@@ -0,0 +1,59 @@ | ||
--- | ||
title: Usage of EC2 Instance Connect on multiple instances | ||
--- | ||
|
||
# Usage of EC2 Instance Connect on multiple instances | ||
|
||
<span class="smallcaps w3-badge w3-orange w3-round w3-text-sand" title="This attack technique might be slow to warm up or detonate">slow</span> | ||
<span class="smallcaps w3-badge w3-blue w3-round w3-text-white" title="This attack technique can be detonated multiple times">idempotent</span> | ||
|
||
Platform: AWS | ||
|
||
## MITRE ATT&CK Tactics | ||
|
||
|
||
- Lateral Movement | ||
|
||
## Description | ||
|
||
|
||
Simulates an attacker pushing an SSH public key to multiple EC2 instances, which then will allow anyone with the corresponding private key to | ||
connect directly to the systems via SSH. | ||
|
||
<span style="font-variant: small-caps;">Warm-up</span>: | ||
|
||
- Create multiple EC2 instances and a VPC (takes a few minutes). | ||
|
||
<span style="font-variant: small-caps;">Detonation</span>: | ||
|
||
- Adds a public SSH key to the EC2 for 60 seconds. | ||
|
||
References: | ||
|
||
- https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/#hands-on-keyboard-activity-begins | ||
- https://sysdig.com/blog/2023-global-cloud-threat-report/ | ||
|
||
|
||
## Instructions | ||
|
||
```bash title="Detonate with Stratus Red Team" | ||
stratus detonate aws.lateral-movement.ec2-instance-connect | ||
``` | ||
## Detection | ||
|
||
|
||
Identify, through CloudTrail's <code>SendSSHPublicKey</code> event, when a user is adding an SSH key to multiple EC2 instances. Sample event: | ||
|
||
``` | ||
{ | ||
"eventSource": "ec2-instance-connect.amazonaws.com", | ||
"eventName": "SendSSHPublicKey", | ||
"requestParameters": { | ||
"instanceId": "i-123456", | ||
"instanceOSUser": "ec2-user", | ||
"sSHPublicKey": "ssh-ed25519 ..." | ||
} | ||
} | ||
``` | ||
|
||
|
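Review bot: The detonation bullet "Adds a public SSH key to the EC2 for 60 seconds" reads as if the technique removes the key after a minute, but nothing in the detonate code added by this commit does so; the 60-second lifetime is how EC2 Instance Connect handles pushed keys. Suggest wording it as "Pushes a public SSH key to each instance through EC2 Instance Connect (the service keeps the key for 60 seconds)" so readers do not look for a cleanup step. In the Detection section, "multiple EC2 instances" gives no count or time window; a hint such as "several distinct `instanceId` values from the same principal within a short window" would make the sample event actionable, since `requestParameters.instanceId` is the field that varies across the events this technique generates.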
docs/attack-techniques/AWS/aws.lateral-movement.ec2-send-ssh-public-key.md (46 changes: 46 additions & 0 deletions)
@@ -0,0 +1,46 @@ | ||
--- | ||
title: Usage of ec2instanceconnect:SendSSHPublicKey on multiple instances | ||
--- | ||
|
||
# Usage of ec2instanceconnect:SendSSHPublicKey on multiple instances | ||
|
||
<span class="smallcaps w3-badge w3-orange w3-round w3-text-sand" title="This attack technique might be slow to warm up or detonate">slow</span> | ||
<span class="smallcaps w3-badge w3-blue w3-round w3-text-white" title="This attack technique can be detonated multiple times">idempotent</span> | ||
|
||
Platform: AWS | ||
|
||
## MITRE ATT&CK Tactics | ||
|
||
|
||
- Lateral Movement | ||
|
||
## Description | ||
|
||
|
||
Simulates an attacker pushing a Secure Shell (SSH) public key to multiple EC2 instances, which then will allow anyone with the corresponding private key to | ||
connect directly to the systems via SSH. | ||
|
||
<span style="font-variant: small-caps;">Warm-up</span>: | ||
|
||
- Create multiple EC2s instances and VPC (takes a few minutes). | ||
|
||
<span style="font-variant: small-caps;">Detonation</span>: | ||
|
||
- Adds a public SSH key to the EC2 for 60 seconds. | ||
|
||
References: | ||
|
||
- https://sysdig.com/blog/2023-global-cloud-threat-report/ | ||
|
||
|
||
## Instructions | ||
|
||
```bash title="Detonate with Stratus Red Team" | ||
stratus detonate aws.lateral-movement.ec2-send-ssh-public-key | ||
``` | ||
## Detection | ||
|
||
|
||
Identify, through CloudTrail's <code>SendSSHPublicKey</code> event, when a user is adding an SSH key to multiple EC2s. | ||
|
||
|
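Review bot: The detonate command on this page, `stratus detonate aws.lateral-movement.ec2-send-ssh-public-key`, does not match the technique ID registered in main.go in this same commit (`aws.lateral-movement.ec2-instance-connect`), so the documented command would not resolve. The rest of the page duplicates aws.lateral-movement.ec2-instance-connect.md, which matches the registered Description verbatim, so this looks like a stale copy left over from a rename; suggest deleting it rather than maintaining two pages. If it is kept, it also needs the typo "multiple EC2s instances and VPC" fixed, and it lacks the sample CloudTrail event and the Datadog reference the other page carries.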
v2/internal/attacktechniques/aws/lateral-movement/ec2-send-ssh-public-key/main.go (91 changes: 91 additions & 0 deletions)
@@ -0,0 +1,91 @@ | ||
package aws | ||
|
||
import ( | ||
"context" | ||
_ "embed" | ||
"fmt" | ||
"github.com/aws/aws-sdk-go-v2/service/ec2instanceconnect" | ||
"github.com/datadog/stratus-red-team/v2/pkg/stratus" | ||
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack" | ||
"log" | ||
"strings" | ||
) | ||
|
||
//go:embed my_key.pub | ||
var publicSSHKey string | ||
|
||
//go:embed main.tf | ||
var tf []byte | ||
|
||
func init() { | ||
const codeBlock = "```" | ||
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{ | ||
ID: "aws.lateral-movement.ec2-instance-connect", | ||
FriendlyName: "Usage of EC2 Instance Connect on multiple instances", | ||
IsSlow: true, | ||
Description: ` | ||
Simulates an attacker pushing an SSH public key to multiple EC2 instances, which then will allow anyone with the corresponding private key to | ||
connect directly to the systems via SSH. | ||
Warm-up: | ||
- Create multiple EC2 instances and a VPC (takes a few minutes). | ||
Detonation: | ||
- Adds a public SSH key to the EC2 for 60 seconds. | ||
References: | ||
- https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/#hands-on-keyboard-activity-begins | ||
- https://sysdig.com/blog/2023-global-cloud-threat-report/ | ||
`, | ||
Detection: ` | ||
Identify, through CloudTrail's <code>SendSSHPublicKey</code> event, when a user is adding an SSH key to multiple EC2 instances. Sample event: | ||
` + codeBlock + ` | ||
{ | ||
"eventSource": "ec2-instance-connect.amazonaws.com", | ||
"eventName": "SendSSHPublicKey", | ||
"requestParameters": { | ||
"instanceId": "i-123456", | ||
"instanceOSUser": "ec2-user", | ||
"sSHPublicKey": "ssh-ed25519 ..." | ||
} | ||
} | ||
` + codeBlock + ` | ||
`, | ||
Platform: stratus.AWS, | ||
PrerequisitesTerraformCode: tf, | ||
IsIdempotent: true, | ||
MitreAttackTactics: []mitreattack.Tactic{mitreattack.LateralMovement}, | ||
Detonate: detonate, | ||
}) | ||
} | ||
|
||
func detonate(params map[string]string, providers stratus.CloudProviders) error { | ||
ec2instanceconnectClient := ec2instanceconnect.NewFromConfig(providers.AWS().GetConnection()) | ||
instanceIDs := strings.Split(params["instance_ids"], ",") | ||
|
||
for _, instanceID := range instanceIDs { | ||
cleanInstanceID := strings.Trim(instanceID, " \"\n\r") | ||
err := sendSSHPublicKey(ec2instanceconnectClient, cleanInstanceID, "ec2-user", publicSSHKey) | ||
if err != nil { | ||
return fmt.Errorf("failed to send SSH public key to instance %s: %v", cleanInstanceID, err) | ||
} | ||
|
||
log.Printf("SSH public key successfully added to instance %s", cleanInstanceID) | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func sendSSHPublicKey(ec2instanceconnectClient *ec2instanceconnect.Client, instanceId, instanceOSUser, sshPublicKey string) error { | ||
_, err := ec2instanceconnectClient.SendSSHPublicKey(context.Background(), &ec2instanceconnect.SendSSHPublicKeyInput{ | ||
InstanceId: &instanceId, | ||
InstanceOSUser: &instanceOSUser, | ||
SSHPublicKey: &sshPublicKey, | ||
}) | ||
|
||
return err | ||
} |
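Review bot: `detonate` does not guard against empty entries from `strings.Split(params["instance_ids"], ",")`: if the Terraform output is empty, or ends with a trailing comma, the loop calls SendSSHPublicKey with an empty InstanceId and surfaces an opaque API error instead of a clear message. Suggest `if cleanInstanceID == "" { continue }` right after the Trim, or a validation error when no IDs remain. Two consistency points: the package directory is `ec2-send-ssh-public-key` while the registered ID is `aws.lateral-movement.ec2-instance-connect`, so one of them should be renamed to match the other; and `//go:embed my_key.pub` embeds a fixed public key with no comment, where one line stating that the key exists only for this simulation and whether its private half is kept anywhere would stop readers from treating it as a credential. Lastly, because the loop returns on the first failure, some instances may already have received the key when the error is returned; with the 60-second key lifetime that is acceptable, but a short comment saying so would help.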