
SSM command fails for EC2 steal instance creds attack #108

Closed
0xdeadbeefJERKY opened this issue Mar 29, 2022 · 6 comments

@0xdeadbeefJERKY

What is not working?

Using a clean install/configuration of both aws-vault and stratus, the "aws.credential-access.ec2-steal-instance-credentials" technique fails to run the SSM command because stratus doesn't wait long enough for the EC2 instance to initialize and transition to a truly "ready" state. When running the warmup, detonate and cleanup commands manually, the attack works as expected.

What OS are you using?

macOS

What is your Stratus Red Team version?

❯ stratus version
1.6.1

Full output?

❯ stratus detonate aws.credential-access.ec2-steal-instance-credentials --cleanup
2022/03/29 10:56:21 Checking your authentication against AWS
2022/03/29 10:56:22 Warming up aws.credential-access.ec2-steal-instance-credentials
2022/03/29 10:56:22 Initializing Terraform to spin up technique prerequisites
2022/03/29 10:56:26 Applying Terraform to spin up technique prerequisites
2022/03/29 10:58:24 Instance id i-1234 in us-east-1a ready
2022/03/29 10:58:24 Running command through SSM on i-1234: curl 169.254.169.254/latest/meta-data/iam/security-credentials/stratus-ec2-credentials-instance-role/
2022/03/29 10:58:24 Cleaning up aws.credential-access.ec2-steal-instance-credentials
2022/03/29 10:58:24 Cleaning up technique prerequisites with terraform destroy
2022/03/29 10:59:25 Error while detonating attack technique aws.credential-access.ec2-steal-instance-credentials: unable to send SSM command to instance: operation error SSM: SendCommand, https response error StatusCode: 400, RequestID: 8d7d3000-ddd0-4116-9b38-83750ccd785c, InvalidInstanceId: Instances [[i-1234]] not in a valid state for account 5678

Files in $HOME/.stratus-red-team?
ls -lahR

total 140240
drwxr--r--  31 user  staff   992B Mar 29 10:59 .
drwxr-x---+ 74 user  staff   2.3K Mar 29 11:01 ..
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.credential-access.ec2-get-password-data
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.credential-access.secretsmanager-retrieve-secrets
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.credential-access.ssm-retrieve-securestring-parameters
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.defense-evasion.cloudtrail-delete
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.defense-evasion.cloudtrail-event-selectors
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.defense-evasion.cloudtrail-lifecycle-rule
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.defense-evasion.cloudtrail-stop
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.defense-evasion.organizations-leave
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.defense-evasion.vpc-remove-flow-logs
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.discovery.ec2-download-user-data
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.discovery.ec2-enumerate-from-instance
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.execution.ec2-user-data
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.exfiltration.ec2-security-group-open-port-22-ingress
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.exfiltration.ec2-share-ami
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.exfiltration.ec2-share-ebs-snapshot
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.exfiltration.rds-share-snapshot
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.exfiltration.s3-backdoor-bucket-policy
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.persistence.iam-backdoor-role
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.persistence.iam-backdoor-user
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.persistence.iam-create-admin-user
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.persistence.iam-create-user-login-profile
drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.persistence.lambda-backdoor-function
drwxr--r--   2 user  staff    64B Mar 28 15:24 k8s.credential-access.dump-secrets
drwxr--r--   2 user  staff    64B Mar 28 15:24 k8s.credential-access.steal-serviceaccount-token
drwxr--r--   2 user  staff    64B Mar 28 15:24 k8s.persistence.create-admin-clusterrole
drwxr--r--   2 user  staff    64B Mar 28 15:24 k8s.privilege-escalation.hostpath-volume
drwxr--r--   2 user  staff    64B Mar 28 15:24 k8s.privilege-escalation.nodes-proxy
drwxr--r--   2 user  staff    64B Mar 28 15:24 k8s.privilege-escalation.privileged-pod
-rwx------   1 user  staff    68M Mar 28 15:17 terraform

/Users/user/.stratus-red-team/aws.credential-access.ec2-get-password-data:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.credential-access.secretsmanager-retrieve-secrets:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.credential-access.ssm-retrieve-securestring-parameters:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.defense-evasion.cloudtrail-delete:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.defense-evasion.cloudtrail-event-selectors:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.defense-evasion.cloudtrail-lifecycle-rule:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.defense-evasion.cloudtrail-stop:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.defense-evasion.organizations-leave:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.defense-evasion.vpc-remove-flow-logs:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.discovery.ec2-download-user-data:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.discovery.ec2-enumerate-from-instance:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.execution.ec2-user-data:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.exfiltration.ec2-security-group-open-port-22-ingress:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.exfiltration.ec2-share-ami:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.exfiltration.ec2-share-ebs-snapshot:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.exfiltration.rds-share-snapshot:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.exfiltration.s3-backdoor-bucket-policy:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.persistence.iam-backdoor-role:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.persistence.iam-backdoor-user:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.persistence.iam-create-admin-user:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.persistence.iam-create-user-login-profile:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/aws.persistence.lambda-backdoor-function:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/k8s.credential-access.dump-secrets:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/k8s.credential-access.steal-serviceaccount-token:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/k8s.persistence.create-admin-clusterrole:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/k8s.privilege-escalation.hostpath-volume:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/k8s.privilege-escalation.nodes-proxy:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..

/Users/user/.stratus-red-team/k8s.privilege-escalation.privileged-pod:
total 0
drwxr--r--   2 user  staff    64B Mar 28 15:24 .
drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
@christophetd
Contributor

Thanks for reporting! I've reproduced it and am working on a fix

@christophetd
Contributor

christophetd commented Mar 30, 2022

I'm pretty sure this used to be working. By any chance, do you know of any way to make the instance register to SSM more quickly? Seems it can take randomly from one to several minutes...

2022/03/30 09:13:48 Waiting for instance i-0436e6d840d2bba5e to show up in AWS SSM
2022/03/30 09:19:55 Instance i-0436e6d840d2bba5e is ready to go in SSM
2022/03/30 09:19:55 Running command through SSM on i-0436e6d840d2bba5e: curl 169.254.169.254/latest/meta-data/iam/security-credentials/stratus-ec2-credentials-instance-role/
2022/03/30 09:27:35 Waiting for instance i-02979a05b31ed96c4 to show up in AWS SSM
2022/03/30 09:28:14 Instance i-02979a05b31ed96c4 is ready to go in SSM
2022/03/30 09:28:14 Running command through SSM on i-02979a05b31ed96c4: curl 169.254.169.254/latest/meta-data/iam/security-credentials/stratus-ec2-credentials-instance-role

Anyway, a fix is up in #111, can you give it a try? I've attached a precompiled binary for MacOS there

Thanks!
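The wait step christophetd describes above (poll SSM until the instance shows up as managed, and only then send the command) written out as an added example for this thread; it is not code from Stratus Red Team or from PR #111. It assumes the caller supplies a `StatusLookup` that wraps SSM's `DescribeInstanceInformation` call and returns the instance's `PingStatus`; `NewSimulatedLookup` is a constructed stand-in that makes the instance appear after a fixed number of polls so the loop runs offline. The point it demonstrates is the failure mode in the original report: calling `SendCommand` before registration completes yields `InvalidInstanceId`, so the wait needs to be status-driven with a bounded timeout rather than a fixed sleep.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// PingStatus mirrors the values SSM reports in DescribeInstanceInformation
// (Online, ConnectionLost, Inactive). An instance that has not registered yet
// is simply absent from that response; we model absence as "".
type PingStatus string

const (
	StatusUnknown        PingStatus = ""
	StatusOnline         PingStatus = "Online"
	StatusConnectionLost PingStatus = "ConnectionLost"
	StatusInactive       PingStatus = "Inactive"
)

// StatusLookup returns the SSM ping status for one instance ID. In a real tool
// this would wrap ssm.Client.DescribeInstanceInformation filtered on the
// instance ID (assumption: that is how the caller wires it); keeping it as a
// function type lets the wait loop be exercised offline.
type StatusLookup func(ctx context.Context, instanceID string) (PingStatus, error)

// ErrTimeout is returned when the instance never reports Online in time.
var ErrTimeout = errors.New("instance did not become SSM-managed before the deadline")

// WaitForSSM polls lookup every interval until the instance reports Online or
// timeout elapses. It returns the number of polls made so callers can log how
// long registration took. Transient lookup errors are retried, not fatal.
func WaitForSSM(ctx context.Context, lookup StatusLookup, instanceID string, interval, timeout time.Duration) (int, error) {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	ticker := time.NewTicker(interval)
	defer ticker.Stop()

	polls := 0
	for {
		polls++
		status, err := lookup(ctx, instanceID)
		if err == nil && status == StatusOnline {
			return polls, nil
		}
		select {
		case <-ctx.Done():
			return polls, ErrTimeout
		case <-ticker.C:
			// keep polling
		}
	}
}

// NewSimulatedLookup is a constructed stand-in for the SSM call: the instance
// is absent for the first readyAfter polls and reports Online afterwards.
func NewSimulatedLookup(readyAfter int) StatusLookup {
	calls := 0
	return func(ctx context.Context, instanceID string) (PingStatus, error) {
		calls++
		if calls <= readyAfter {
			return StatusUnknown, nil
		}
		return StatusOnline, nil
	}
}

func main() {
	// Constructed instance ID; a real run would pass the ID Terraform created.
	const instanceID = "i-1234"
	polls, err := WaitForSSM(context.Background(), NewSimulatedLookup(3), instanceID, 10*time.Millisecond, time.Second)
	if err != nil {
		fmt.Println("giving up:", err)
		return
	}
	fmt.Printf("%s is SSM-managed after %d polls; safe to call SendCommand now\n", instanceID, polls)
}
```

In production the interval would be on the order of seconds and the timeout several minutes, since the thread shows registration taking anywhere from under a minute to about six; the bounded timeout keeps a stuck instance from hanging the run, and the returned poll count gives the log line the data to report how long the wait actually was.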

@0xdeadbeefJERKY
Author

@christophetd The general consensus (although dated) seems to be this workaround, which could be ported over to Go relatively easily.

@0xdeadbeefJERKY
Author

@christophetd fix in #111 seems to work! You weren't kidding though. It took about 6 minutes or so for the EC2 instance to fully register with SSM.

@christophetd
Contributor

Indeed, it sounds very random. Possibly regional or depends on the service load? Anyway I'll merge it so it's more stable

Thanks again!

@christophetd
Contributor

Will be released as part of v1.6.2, out shortly!
