Download EC2 Instance User Data technique does request userdata properly #353
Comments
christophetd
added
kind/bug
|
Tested it and it seems to be working properly:
And the
Can you share the full output and a full CloudTrail log sample? |
|
It looks like IAM user fails to assume the role.
Here is screenshot of the CloudTrail event history, although it has Admin privileges. I guess that's why I'm seeing DescribeAccountAttributes API call.
When I try to assume the role manually, it works.
From: Alex Groyz
Sent: Thursday, May 4, 2023 11:41 AM
To: DataDog/stratus-red-team ***@***.***>; DataDog/stratus-red-team ***@***.***>
Cc: Author ***@***.***>
Subject: RE: [DataDog/stratus-red-team] Download EC2 Instance User Data technique does request userdata properly (Issue #353)
Hi Christophe,
Here is the screenshot of the output. And I've also attached an export of CloudTrail for the AWS user to execute the technique.
I've redacted the account id, access key, and IP address.
***@***.***
From: Christophe Tafani-Dereeper ***@***.******@***.***>>
Sent: Thursday, May 4, 2023 4:06 AM
To: DataDog/stratus-red-team ***@***.******@***.***>>
Cc: Alex Groyz ***@***.******@***.***>>; Author ***@***.******@***.***>>
Subject: Re: [DataDog/stratus-red-team] Download EC2 Instance User Data technique does request userdata properly (Issue #353)
Tested it and it seems to be working properly:
[image]<https://user-images.githubusercontent.com/136675/236145633-a1bf32bb-dc88-4fb4-8e20-e458087bd373.png>
[image]<https://user-images.githubusercontent.com/136675/236145685-def2a1a0-b118-4f29-b809-6d847045b2b0.png>
And the requestParameters looks fine to me:
[image]<https://user-images.githubusercontent.com/136675/236145790-2237d205-3bf1-4fb2-ba90-3a0e4fbed716.png>
Can you share the full output and a full CloudTrail log sample?
-
Reply to this email directly, view it on GitHub<#353 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AVWDMEKZHTZWEP3Y5WUSN6LXENPNHANCNFSM6AAAAAAXU3VKEU>.
You are receiving this because you authored the thread.Message ID: ***@***.******@***.***>>
|
|
Thanks, can you share your full Stratus Red Team output? Make sure the technique is clean first: |
|
./stratus detonate aws.discovery.ec2-download-user-data |
|
This looks correct, what makes you think that "It looks like IAM user fails to assume the role"? |
|
From my understanding, the Download EC2 Instance User Data technique uses the initial IAM user, Download-EC2-Instance-User-Data-0504, to execute the technique to create a 'stratus-red-team-get-usr-data-role' role and then assume it. Then makes, 15 DescribeInstanceAttribute API calls. This is what I see when I look for the events in CloudTrail event history for Download-EC2-Instance-User-Data-0504 user. So when I look though the events, I see access denied for all AssumeRole events. The one successful call, up top, is when I assumed the role manually to test. And when I run query on event name DescribeInstanceAttribute in CloudTrail event history I get no results back. Perhaps I'm missing something. |
|
Can you paste here the whole CSV, or show the whole user agent field? Thanks |
|
Here is screenshot of the user agent field. |
|
Hi, I wanted to follow up on this ticket. Are there any local logs I can check? We have a detection that this technique should trigger. So it would be great if I could get this to work. Thanks |
|
Hello, I'm not sure why this fails in your account, to be frank! Can you share the IAM policy attached to the identity you're using to run Stratus Red Team? |
|
I understand what the issue is. It looks like the code, in general, does not assume roles correctly and always gets Access Denied. aws.discovery.ec2-download-user-data aws.credential-access.ec2-get-password-data We use Full Administrative policy for users used to execute these modules. The policies work because I can manually assume these roles through cli. |
|
Hello, I have the same issue. The role is created correctly "stratus-red-team-get-usr-data-role". However, the role cannot be assumed by Stratus and in the CloudTrail logs you get "AccessDenied" on the AssumeRole events. I can assume the role manually with aws cli using the same IAM user that Stratus is using "aws sts assume-role --role-arn arn:aws:iam::123456789101:role/stratus-red-team-get-usr-data-role --role-session-name stratus --profile stratus" I am using an Intel Mac and used brew to install Stratus. |
|
Thanks for the detail, I was able to reproduce this. Will investigate ASAP |
|
Looks like this is due to the eventual consistency of AWS. When the role is created, it cannot be assumed right away |
|
PR coming with initial retries to assume the AWS role. Will create a few access denied events on the role created, does that seem acceptable? Given eventual consistency of AWS IAM, I don't think we can do much better
|
|
Ok. Now that I understand the issue, I have a workaround for my tests. Up to now, I've scripted to trigger all the techniques using detonate without warmup. But now I've changed it to warm up first, wait n seconds, and then detonate. This approach solved the issue. Thanks for your help. |
|
Good to know! Are you able to give #358 a try to confirm it fixes the issue, even without waiting manually? |
|
I tried this branch and unfortunately same issue. Although I when broke down the attack into warmup and then detonate with 30 wait in between it worked using the released version.
|
|
Thanks for testing! Did you have any errors? I just added debug output to the PR, could you try compiling and giving another try? Appreciate your help! FWIW this is what I see:
|
|
I will assume that #358 fixes your issue - please let me know otherwise and I'll be happy to revisit |
What is not working?
Download EC2 Instance User Data technique does send userdata properly.
"requestParameters": {
"accountAttributeNameSet": {},
"filterSet": {}
},
What OS are you using?
Ubuntu
What is your Stratus Red Team version?
2.5.3
The text was updated successfully, but these errors were encountered: