Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New attack technique: Usage of SSM StartSession on multiple instances #477

Merged
merged 8 commits into from
Feb 9, 2024

Conversation

adanalvarez
Copy link
Contributor

@adanalvarez adanalvarez commented Feb 2, 2024

What does this PR do?

  • New attack technique

Just like #467 the attack technique creates the same EC2 instances and its VPC in the warmup. In the attack phase, it uses StartSession to gain interactive access to multiple EC2 instances.

Motivation

Open Issue #60

Checklist

  • The attack technique emulates a single attack step, not a full attack chain
  • We have factual evidence & references that the attack technique was used by real malware, pentesters, or attackers
  • The attack technique makes no assumption about the state of the environment prior to warming it up

@christophetd christophetd self-assigned this Feb 5, 2024

for _, instanceID := range instanceIDs {
cleanInstanceID := strings.Trim(instanceID, " \"\n\r")
_, err := ssmClient.StartSession(context.Background(), &ssm.StartSessionInput{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you try this? I'm not able to make it work:

image

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wasn't able to reproduce a 501 InternalFailure (I'm using the same AWS region) but I was able to reproduce a 400 TargetNotConnected when the StartSession happens before the SSM agent is running. Because of this, I added a retry mechanism that waits for 10 seconds before trying again.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done in 1a2c871

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

output now:

2024/02/09 11:53:06 Checking your authentication against AWS
2024/02/09 11:53:07 Note: This is a slow attack technique, it might take a long time to warm up or detonate
2024/02/09 11:53:07 Warming up aws.execution.ssm-start-session
2024/02/09 11:53:07 Initializing Terraform to spin up technique prerequisites
2024/02/09 11:53:24 Applying Terraform to spin up technique prerequisites
2024/02/09 11:55:23 Instances ready:
  i-07345b85bfc1b1e81 in eu-west-1a
  i-0793addc3e1967502 in eu-west-1a
  i-058972b50511cb498 in eu-west-1a
2024/02/09 11:55:23 Waiting for 3 instances to show up in AWS SSM. This can take a few minutes.
2024/02/09 11:55:42 Instances are ready and registered in SSM!
2024/02/09 11:55:42 Starting SSM sessions on each instance...
Session started on instance i-07345b85bfc1b1e81
Session started on instance i-0793addc3e1967502
Session started on instance i-058972b50511cb498

@christophetd christophetd enabled auto-merge (squash) February 9, 2024 11:11
@christophetd christophetd merged commit 904c352 into DataDog:main Feb 9, 2024
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants