Scenario: CloudTrail

Prerequisites

  • Playground One Network

Ensure to have the Playground One Network up and running:

# Network configuration
pgo --apply network

Overview

Running this scenario executes automated malicious actions that lead to detections in Observed Attack Techniques (OATs) and to the generation of Workbenches.

The story

Using leaked credentials of a user with S3 access, the attacker lists all buckets and looks for buckets that might hold sensitive information.

What is going to happen?

This demo executes the following actions:

  1. Preparation
     1. Create an S3 bucket and upload a password.zip.
     2. Create an IAM user with the S3FullAccess policy.
     3. Create an EC2 instance acting as the final target.
  2. Attack (using the created user)
     1. Create a download directory.
     2. Iterate through each bucket (filtered on the PGO environment name).
     3. List the bucket objects.
     4. Download bucket objects whose key matches password.zip or *.pem.
     5. Access the EC2 instance with the downloaded key and query the instance role.
  3. Clean up
     1. Destroy the bucket, the instance, and the user.
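The attack steps above leave a characteristic trail in CloudTrail: ListBuckets, then ListObjects on the candidate bucket, then GetObject on password.zip and a *.pem key, all by the same IAM principal. As an added example that is not part of Playground One, the following Python detector flags exactly that chain per principal over constructed CloudTrail records; the ARNs, bucket name, timestamps and the record-building helper are assumptions for illustration. Note that GetObject only shows up in CloudTrail when S3 data-event logging is enabled for the bucket.

```python
import re
from collections import defaultdict


def ev(time, name, arn, bucket=None, key=None):
    """Build a minimal CloudTrail-shaped S3 record (only the fields the detector reads)."""
    params = {k: v for k, v in (("bucketName", bucket), ("key", key)) if v}
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params}


# Constructed sample records (not from a real account) mirroring the scenario,
# plus one benign fetch by another principal that must not be flagged.
ATTACKER = "arn:aws:iam::111122223333:user/pgo-id-attacker-example"
SAMPLE_EVENTS = [
    ev("2024-01-01T10:00:00Z", "ListBuckets", ATTACKER),
    ev("2024-01-01T10:00:05Z", "ListObjects", ATTACKER, "pgo-id-scenarios-example"),
    ev("2024-01-01T10:00:09Z", "GetObject", ATTACKER, "pgo-id-scenarios-example", "password.zip"),
    ev("2024-01-01T10:00:12Z", "GetObject", ATTACKER, "pgo-id-scenarios-example", "keys/pgo-ssh.pem"),
    ev("2024-01-01T10:01:00Z", "GetObject", "arn:aws:iam::111122223333:role/app-role",
       "pgo-id-scenarios-example", "report.csv"),
]

# Object keys the scenario treats as credential material: password.zip or any *.pem.
SENSITIVE_KEY = re.compile(r"(^|/)(password\.zip|[^/]+\.pem)$", re.IGNORECASE)
LIST_EVENTS = {"ListObjects", "ListObjectsV2"}


def detect_credential_harvesting(events):
    """Return one finding per principal that (1) called ListBuckets, (2) listed
    objects in at least one bucket and (3) fetched an object whose key looks like
    a credential file. Steps 1 and 2 alone are normal admin activity, so a
    finding requires the whole chain."""
    state = defaultdict(lambda: {"list_buckets": False, "listed": set(), "fetched": []})
    for e in sorted(events, key=lambda e: e["eventTime"]):
        if e.get("eventSource") != "s3.amazonaws.com":
            continue
        s = state[e["userIdentity"]["arn"]]
        params = e.get("requestParameters") or {}
        if e["eventName"] == "ListBuckets":
            s["list_buckets"] = True
        elif e["eventName"] in LIST_EVENTS:
            s["listed"].add(params.get("bucketName", ""))
        elif e["eventName"] == "GetObject" and SENSITIVE_KEY.search(params.get("key", "")):
            s["fetched"].append((params.get("bucketName", ""), params["key"]))
    return [{"principal": arn, "buckets_listed": sorted(s["listed"]),
             "credential_objects": s["fetched"]}
            for arn, s in state.items() if s["list_buckets"] and s["listed"] and s["fetched"]]


if __name__ == "__main__":
    for finding in detect_credential_harvesting(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the detector reports the attacker principal with both downloaded keys and stays silent for the benign role, which fetched only report.csv.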

[Screenshot of generated OATs]

Run the Attack

So, this is very simple :-)

# Create the user, search buckets, download credentials
pgo --apply scenarios-cloudtrail

Outputs:

access_key = "AKIAZHO3CC62YYHHCD6N"
attack = tomap({
  "instance_role" = "pgo-id-ec2-role-24yi5egt"
})
attacker_arn = "arn:aws:iam::634503960501:user/pgo-id-attacker-ragfl318"
instance_ip_linux = "35.158.122.99"
s3_bucket = "pgo-id-scenarios-wk3gd608"
secret_key = <sensitive>

pgo-id-ec2-role-24yi5egt is the role name of the target instance to which the attacker gained access after finding and downloading the SSH key from S3. He connected to the instance and queried its metadata.

# Delete the user again
pgo --destroy scenarios-cloudtrail

Review the detections in Vision One.

🎉 Success 🎉