New attack technique: Usage of SSM StartSession on multiple instances #477
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
christophetd
reviewed
Feb 5, 2024
v2/internal/attacktechniques/aws/lateral-movement/ssm-start-session/main.go
Outdated
Show resolved
Hide resolved
christophetd
reviewed
Feb 5, 2024
v2/internal/attacktechniques/aws/lateral-movement/ssm-start-session/main.go
Outdated
Show resolved
Hide resolved
christophetd
force-pushed
the
ssm-start-command
branch
from
c41bfd7
to
296decf
Compare
christophetd
reviewed
Feb 7, 2024
v2/internal/attacktechniques/aws/execution/ssm-start-session/main.go
Outdated
Show resolved
Hide resolved
christophetd
reviewed
Feb 7, 2024
|
|
||
| for _, instanceID := range instanceIDs { | ||
| cleanInstanceID := strings.Trim(instanceID, " \"\n\r") | ||
| _, err := ssmClient.StartSession(context.Background(), &ssm.StartSessionInput{ |
There was a problem hiding this comment.
Did you try this? I'm not able to make it work:
There was a problem hiding this comment.
I wasn't able to reproduce a 501 InternalFailure (I'm using the same AWS region) but I was able to reproduce a 400 TargetNotConnected when the StartSession happens before the SSM agent is running. Because of this, I added a retry mechanism that waits for 10 seconds before trying again.
There was a problem hiding this comment.
we already have code doing it here, will try to refactor to make use of it: https://github.com/DataDog/stratus-red-team/blob/main/v2/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.go#L123-L147
There was a problem hiding this comment.
output now:
2024/02/09 11:53:06 Checking your authentication against AWS
2024/02/09 11:53:07 Note: This is a slow attack technique, it might take a long time to warm up or detonate
2024/02/09 11:53:07 Warming up aws.execution.ssm-start-session
2024/02/09 11:53:07 Initializing Terraform to spin up technique prerequisites
2024/02/09 11:53:24 Applying Terraform to spin up technique prerequisites
2024/02/09 11:55:23 Instances ready:
i-07345b85bfc1b1e81 in eu-west-1a
i-0793addc3e1967502 in eu-west-1a
i-058972b50511cb498 in eu-west-1a
2024/02/09 11:55:23 Waiting for 3 instances to show up in AWS SSM. This can take a few minutes.
2024/02/09 11:55:42 Instances are ready and registered in SSM!
2024/02/09 11:55:42 Starting SSM sessions on each instance...
Session started on instance i-07345b85bfc1b1e81
Session started on instance i-0793addc3e1967502
Session started on instance i-058972b50511cb498
christophetd
approved these changes
Feb 9, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Just like #467 the attack technique creates the same EC2 instances and its VPC in the warmup. In the attack phase, it uses StartSession to gain interactive access to multiple EC2 instances.
Motivation
Open Issue #60
Checklist