New attack technique: Usage of SSM StartSession on multiple instances #477
for _, instanceID := range instanceIDs {
	cleanInstanceID := strings.Trim(instanceID, " \"\n\r")
	_, err := ssmClient.StartSession(context.Background(), &ssm.StartSessionInput{
I wasn't able to reproduce a 501 InternalFailure (I'm using the same AWS region) but I was able to reproduce a 400 TargetNotConnected when the StartSession happens before the SSM agent is running. Because of this, I added a retry mechanism that waits for 10 seconds before trying again.
We already have code doing it here, will try to refactor to make use of it: https://github.com/DataDog/stratus-red-team/blob/main/v2/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.go#L123-L147
Done in 1a2c871
Output now:
2024/02/09 11:53:06 Checking your authentication against AWS
2024/02/09 11:53:07 Note: This is a slow attack technique, it might take a long time to warm up or detonate
2024/02/09 11:53:07 Warming up aws.execution.ssm-start-session
2024/02/09 11:53:07 Initializing Terraform to spin up technique prerequisites
2024/02/09 11:53:24 Applying Terraform to spin up technique prerequisites
2024/02/09 11:55:23 Instances ready:
i-07345b85bfc1b1e81 in eu-west-1a
i-0793addc3e1967502 in eu-west-1a
i-058972b50511cb498 in eu-west-1a
2024/02/09 11:55:23 Waiting for 3 instances to show up in AWS SSM. This can take a few minutes.
2024/02/09 11:55:42 Instances are ready and registered in SSM!
2024/02/09 11:55:42 Starting SSM sessions on each instance...
Session started on instance i-07345b85bfc1b1e81
Session started on instance i-0793addc3e1967502
Session started on instance i-058972b50511cb498
What does this PR do?
Just like #467, the attack technique creates the same EC2 instances and their VPC in the warmup. In the attack phase, it uses StartSession to gain interactive access to multiple EC2 instances.
Motivation
Open Issue #60
Checklist
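The CloudTrail footprint of this technique is one principal calling ssm:StartSession against several instances within a short window, which is what a detection for it would key on. The Go check below is an added example, not code from stratus-red-team or this PR; it assumes CloudTrail records exported as a JSON array, and its sample records are constructed (the principal ARNs are made up, the instance IDs are the ones from the run output above).

```go
package main

import (
	"encoding/json"
	"sort"
	"time"
)

type ctEvent struct { // subset of a CloudTrail record needed for this check
	EventTime         time.Time                               `json:"eventTime"`
	EventSource       string                                  `json:"eventSource"`
	EventName         string                                  `json:"eventName"`
	UserIdentity      struct{ Arn string `json:"arn"` }       `json:"userIdentity"`
	RequestParameters struct{ Target string `json:"target"` } `json:"requestParameters"`
}

// Constructed sample trail (not real CloudTrail output): ARNs are made up, instance IDs come from the PR's run above; the admin record is benign single-instance use and must not fire.
const sampleTrail = `[
{"eventTime":"2024-02-09T11:55:42Z","eventSource":"ssm.amazonaws.com","eventName":"StartSession","userIdentity":{"arn":"arn:aws:iam::123456789012:user/stratus"},"requestParameters":{"target":"i-07345b85bfc1b1e81"}},
{"eventTime":"2024-02-09T11:55:43Z","eventSource":"ssm.amazonaws.com","eventName":"StartSession","userIdentity":{"arn":"arn:aws:iam::123456789012:user/stratus"},"requestParameters":{"target":"i-0793addc3e1967502"}},
{"eventTime":"2024-02-09T11:55:44Z","eventSource":"ssm.amazonaws.com","eventName":"StartSession","userIdentity":{"arn":"arn:aws:iam::123456789012:user/stratus"},"requestParameters":{"target":"i-058972b50511cb498"}},
{"eventTime":"2024-02-09T11:20:00Z","eventSource":"ssm.amazonaws.com","eventName":"StartSession","userIdentity":{"arn":"arn:aws:iam::123456789012:user/admin"},"requestParameters":{"target":"i-07345b85bfc1b1e81"}}
]`

// fanOutSessions reports, per principal, the largest number of distinct instances it started SSM sessions on within any sliding window, keeping only principals that reach minTargets.
func fanOutSessions(raw []byte, window time.Duration, minTargets int) (map[string]int, error) {
	var events []ctEvent
	if err := json.Unmarshal(raw, &events); err != nil {
		return nil, err
	}
	byActor, hits := map[string][]ctEvent{}, map[string]int{}
	for _, e := range events { // keep only StartSession calls, grouped by caller ARN
		if e.EventSource == "ssm.amazonaws.com" && e.EventName == "StartSession" {
			byActor[e.UserIdentity.Arn] = append(byActor[e.UserIdentity.Arn], e)
		}
	}
	for actor, evs := range byActor {
		sort.Slice(evs, func(i, j int) bool { return evs[i].EventTime.Before(evs[j].EventTime) })
		for i := range evs { // sliding window anchored at each event
			seen := map[string]bool{}
			for j := i; j < len(evs) && evs[j].EventTime.Sub(evs[i].EventTime) <= window; j++ {
				seen[evs[j].RequestParameters.Target] = true
			}
			if n := len(seen); n >= minTargets && n > hits[actor] {
				hits[actor] = n
			}
		}
	}
	return hits, nil
}
```

Thresholds are environment-specific: a fleet operator legitimately opening sessions on many hosts needs an allow-list or a higher minTargets, so tune the window and count against your own baseline.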