Skip to content

Commit

Permalink
New attack technique: Usage of SendSerialConsoleSSHPublicKey on multi…
Browse files Browse the repository at this point in the history 
…ple instances (#599)

* add ec2-send-serial-console-ssh-public-key technique

* add ec2-send-serial-console-ssh-public-key docs

* fix cloudtrail example

* keep ec2 serial console access as it was

* Sort imports

* Fix potential nil pointer dereference and improve logging

* Move enabling/disabling SendSerielConsoleSSHKey to Terraform

* Cosmetic improvements and update docs

* Change logic for handling initial serial console enablement

* Remove unused variable

---------

Co-authored-by: Christophe Tafani-Dereeper <[email protected]>
  • Loading branch information
@adanalvarez @christophetd
adanalvarez and christophetd authored Nov 28, 2024
1 parent 1dfcf0c commit a912e7f
Show file tree
Hide file tree
Showing 9 changed files with 762 additions and 1 deletion.
277 changes: 277 additions & 0 deletions ...k-techniques/AWS/aws.lateral-movement.ec2-serial-console-send-ssh-public-key.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,277 @@
---
title: Usage of EC2 Serial Console to push SSH public key
---

# Usage of EC2 Serial Console to push SSH public key

<span class="smallcaps w3-badge w3-orange w3-round w3-text-sand" title="This attack technique might be slow to warm up or detonate">slow</span>
<span class="smallcaps w3-badge w3-blue w3-round w3-text-white" title="This attack technique can be detonated multiple times">idempotent</span>

Platform: AWS

## MITRE ATT&CK Tactics


- Lateral Movement

## Description


Simulates an attacker using EC2 Instance Connect to push an SSH public key to multiple EC2 instances, using <code>SendSerialConsoleSSHPublicKey</code>. This allows anyone
with the corresponding private key to connect directly to the systems via SSH, assuming they have appropriate network connectivity.

<span style="font-variant: small-caps;">Warm-up</span>:

- Create multiple EC2 instances and a VPC (takes a few minutes).

<span style="font-variant: small-caps;">Detonation</span>:

- Adds a public SSH key to the EC2 instances using <code>SendSerialConsoleSSHPublicKey</code>.

References:

- https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSerialConsoleSSHPublicKey.html
- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf
- https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/
- https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/


## Instructions

```bash title="Detonate with Stratus Red Team"
stratus detonate aws.lateral-movement.ec2-serial-console-send-ssh-public-key
```
## Detection


Identify, through CloudTrail's <code>SendSerialConsoleSSHPublicKey</code> event, when a user is adding an SSH key to EC2 instances.



## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>

The following CloudTrail events are generated when this technique is detonated[^1]:


- `ec2-instance-connect:SendSerialConsoleSSHPublicKey`

- `ec2:EnableSerialConsoleAccess`


??? "View raw detonation logs"

```json hl_lines="6 57 109 161"

[
{
"awsRegion": "cniso-east-3r",
"eventCategory": "Management",
"eventID": "37ba412b-f943-44f2-ae48-4527f6e789d9",
"eventName": "EnableSerialConsoleAccess",
"eventSource": "ec2.amazonaws.com",
"eventTime": "2024-11-26T15:35:22Z",
"eventType": "AwsApiCall",
"eventVersion": "1.10",
"managementEvent": true,
"readOnly": false,
"recipientAccountId": "844015365555",
"requestID": "e110338f-cc06-4284-bf16-6528a7df1561",
"requestParameters": {
"EnableSerialConsoleAccessRequest": ""
},
"responseElements": {
"EnableSerialConsoleAccessResponse": {
"requestId": "e110338f-cc06-4284-bf16-6528a7df1561",
"serialConsoleAccessEnabled": true,
"xmlns": "http://ec2.amazonaws.com/doc/2016-11-15/"
}
},
"sourceIPAddress": "201.252.42.03",
"tlsDetails": {
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ec2.cniso-east-3r.amazonaws.com",
"tlsVersion": "TLSv1.3"
},
"userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0",
"userIdentity": {
"accessKeyId": "ASIA2HJRQF0DHNYEE9N1",
"accountId": "844015365555",
"arn": "arn:aws:sts::844015365555:assumed-role/[email protected]",
"principalId": "AROAEMHZD694LU95MUYOP:[email protected]",
"sessionContext": {
"attributes": {
"creationDate": "2024-11-26T15:14:58Z",
"mfaAuthenticated": "false"
},
"sessionIssuer": {
"accountId": "844015365555",
"arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff",
"principalId": "AROAEMHZD694LU95MUYOP",
"type": "Role",
"userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff"
}
},
"type": "AssumedRole"
}
},
{
"awsRegion": "cniso-east-3r",
"eventCategory": "Management",
"eventID": "787b2464-f27b-4d4c-91bc-6396f2297d0e",
"eventName": "SendSerialConsoleSSHPublicKey",
"eventSource": "ec2-instance-connect.amazonaws.com",
"eventTime": "2024-11-26T15:35:23Z",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"readOnly": false,
"recipientAccountId": "844015365555",
"requestID": "c74b1e77-bc91-4174-b297-d06a71c89abf",
"requestParameters": {
"instanceId": "i-EFCb4e480CAbc4CF9",
"monitorMode": false,
"sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu",
"serialPort": 0
},
"responseElements": {
"requestId": "c74b1e77-bc91-4174-b297-d06a71c89abf",
"success": true
},
"sourceIPAddress": "201.252.42.03",
"tlsDetails": {
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ec2-instance-connect.cniso-east-3r.amazonaws.com",
"tlsVersion": "TLSv1.3"
},
"userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0",
"userIdentity": {
"accessKeyId": "ASIA2HJRQF0DHNYEE9N1",
"accountId": "844015365555",
"arn": "arn:aws:sts::844015365555:assumed-role/[email protected]",
"principalId": "AROAEMHZD694LU95MUYOP:[email protected]",
"sessionContext": {
"attributes": {
"creationDate": "2024-11-26T15:14:58Z",
"mfaAuthenticated": "false"
},
"sessionIssuer": {
"accountId": "844015365555",
"arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff",
"principalId": "AROAEMHZD694LU95MUYOP",
"type": "Role",
"userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff"
},
"webIdFederationData": {}
},
"type": "AssumedRole"
}
},
{
"awsRegion": "cniso-east-3r",
"eventCategory": "Management",
"eventID": "e49972cb-b394-43e2-aab5-602f1fb56f85",
"eventName": "SendSerialConsoleSSHPublicKey",
"eventSource": "ec2-instance-connect.amazonaws.com",
"eventTime": "2024-11-26T15:35:23Z",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"readOnly": false,
"recipientAccountId": "844015365555",
"requestID": "d392c0ca-351f-472f-9ca3-b411beb9df9c",
"requestParameters": {
"instanceId": "i-B2ABDCa5b78E0f1dd",
"monitorMode": false,
"sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu",
"serialPort": 0
},
"responseElements": {
"requestId": "d392c0ca-351f-472f-9ca3-b411beb9df9c",
"success": true
},
"sourceIPAddress": "201.252.42.03",
"tlsDetails": {
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ec2-instance-connect.cniso-east-3r.amazonaws.com",
"tlsVersion": "TLSv1.3"
},
"userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0",
"userIdentity": {
"accessKeyId": "ASIA2HJRQF0DHNYEE9N1",
"accountId": "844015365555",
"arn": "arn:aws:sts::844015365555:assumed-role/[email protected]",
"principalId": "AROAEMHZD694LU95MUYOP:[email protected]",
"sessionContext": {
"attributes": {
"creationDate": "2024-11-26T15:14:58Z",
"mfaAuthenticated": "false"
},
"sessionIssuer": {
"accountId": "844015365555",
"arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff",
"principalId": "AROAEMHZD694LU95MUYOP",
"type": "Role",
"userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff"
},
"webIdFederationData": {}
},
"type": "AssumedRole"
}
},
{
"awsRegion": "cniso-east-3r",
"eventCategory": "Management",
"eventID": "f4dc86c9-6b22-4643-a0e8-fcb97fcfae68",
"eventName": "SendSerialConsoleSSHPublicKey",
"eventSource": "ec2-instance-connect.amazonaws.com",
"eventTime": "2024-11-26T15:35:22Z",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"readOnly": false,
"recipientAccountId": "844015365555",
"requestID": "88c8e41e-7754-4377-983f-140f8ca5617e",
"requestParameters": {
"instanceId": "i-D46eD8FCdefED5aAE",
"monitorMode": false,
"sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu",
"serialPort": 0
},
"responseElements": {
"requestId": "88c8e41e-7754-4377-983f-140f8ca5617e",
"success": true
},
"sourceIPAddress": "201.252.42.03",
"tlsDetails": {
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ec2-instance-connect.cniso-east-3r.amazonaws.com",
"tlsVersion": "TLSv1.3"
},
"userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0",
"userIdentity": {
"accessKeyId": "ASIA2HJRQF0DHNYEE9N1",
"accountId": "844015365555",
"arn": "arn:aws:sts::844015365555:assumed-role/[email protected]",
"principalId": "AROAEMHZD694LU95MUYOP:[email protected]",
"sessionContext": {
"attributes": {
"creationDate": "2024-11-26T15:14:58Z",
"mfaAuthenticated": "false"
},
"sessionIssuer": {
"accountId": "844015365555",
"arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff",
"principalId": "AROAEMHZD694LU95MUYOP",
"type": "Role",
"userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff"
},
"webIdFederationData": {}
},
"type": "AssumedRole"
}
}
]
```

[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker).
2 changes: 2 additions & 0 deletions docs/attack-techniques/AWS/index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT

## Lateral Movement

- [Usage of EC2 Serial Console to push SSH public key](./aws.lateral-movement.ec2-serial-console-send-ssh-public-key.md)

- [Usage of EC2 Instance Connect on multiple instances](./aws.lateral-movement.ec2-instance-connect.md)


Expand Down
1 change: 1 addition & 0 deletions docs/attack-techniques/list.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ This page contains the list of all Stratus Attack Techniques.
| [S3 Ransomware through client-side encryption](./AWS/aws.impact.s3-ransomware-client-side-encryption.md) | [AWS](./AWS/index.md) | Impact |
| [S3 Ransomware through individual file deletion](./AWS/aws.impact.s3-ransomware-individual-deletion.md) | [AWS](./AWS/index.md) | Impact |
| [Console Login without MFA](./AWS/aws.initial-access.console-login-without-mfa.md) | [AWS](./AWS/index.md) | Initial Access |
| [Usage of EC2 Serial Console to push SSH public key](./AWS/aws.lateral-movement.ec2-serial-console-send-ssh-public-key.md) | [AWS](./AWS/index.md) | Lateral Movement |
| [Usage of EC2 Instance Connect on multiple instances](./AWS/aws.lateral-movement.ec2-instance-connect.md) | [AWS](./AWS/index.md) | Lateral Movement |
| [Backdoor an IAM Role](./AWS/aws.persistence.iam-backdoor-role.md) | [AWS](./AWS/index.md) | Persistence |
| [Create an Access Key on an IAM User](./AWS/aws.persistence.iam-backdoor-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
Expand Down
Loading

0 comments on commit a912e7f

Please sign in to comment.