arte-Hex-Editor

[Local-Guy-123]

Attribution

I have not seen either technique documented well, it maybe my own ignorance given both techniques are very straight forward. I first encountered these techniques on a purple team engagement that targeted SSM lateral movement where my organization was attempting to identify all possible gaps in detection for lateral movement within SSM without using iam:PassRole, that list is much longer for SSM. However, while HackTricks does a great job document most of the techniques I thought these two were lacking documentation.

Update Document

An attacker with the permissions ssm:UpdateDocument and ssm:UpdateDocumentDefaultVersion can escalate privileges by modifying existing documents. This also allows for persistence within that document. Practically the attacker would also need ssm:ListDocuments to get the names for custom documents and if the attacker wants to obfuscate their payload within an existing document ssm:GetDocument would be necessary as well.

Maintenance Windows

An attacker with the permissions ssm:RegisterTaskWithMaintenanceWindow and ssm:RegisterTargetWithMaintenanceWindow can escalate privileges by first registering a new target with an existing maintenance window and then registering a new task. This achieves execution on the existing targets, but can allow an attacker to compromise compute with different roles by register new targets. This also allows for persistence as maintenance windows tasks are executed on a pre-defined interval during the window creation. Practically the attacker would also need ssm:DescribeMaintenanceWindows to get the maintenance window IDs.