Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New Technique: T1651 #3031

Merged
merged 8 commits into from
Jan 17, 2025
Merged

New Technique: T1651 #3031

merged 8 commits into from
Jan 17, 2025

Conversation

ryananicholson
Copy link
Contributor

Details:
This test uses Terraform to deploy an SSM-enabled AWS EC2 instance. The attack leverages either configured or stolen credentials to launch an attacker-controlled command (cat /etc/shadow) using an SSM Run Command. Due to infrastructure build, warmup, and tear down times, I recommend that a larger timeout than default is used (600 seconds seems to be a good number in my testing).

Testing:
Tested against my AWS account. Results shown below:

image

Associated Issues:
No issues fixed with this PR.

@ryananicholson ryananicholson changed the title T1651 New Technique: T1651 Jan 7, 2025
clr2of8
clr2of8 previously requested changes Jan 12, 2025
View reviewed changes
Copy link
Collaborator

@clr2of8 clr2of8 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your webserver atomic files are showing up in this PR. Can you update the PR so the changes only include T1651? Thx!

@ryananicholson
Copy link
Contributor Author

Done!

@clr2of8
Copy link
Collaborator

clr2of8 commented Jan 17, 2025

@patel-bhavin can you review this cloud atomic? thx

@patel-bhavin
Copy link
Collaborator

certainly! @ryananicholson : thanks for updating the PR and attaching the screenshot of the execution! this atomic looks good to me!

@patel-bhavin patel-bhavin dismissed clr2of8’s stale review January 17, 2025 22:14

The comments looks resolved!

@patel-bhavin patel-bhavin merged commit fd82e0a into redcanaryco:master Jan 17, 2025
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@patel-bhavin patel-bhavin patel-bhavin approved these changes

@clr2of8 clr2of8 clr2of8 left review comments

Assignees

@patel-bhavin patel-bhavin

Labels
20 min review cloud
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ryananicholson @clr2of8 @patel-bhavin @josehelps @cyberbuff