New attack technique: Usage of SendSerialConsoleSSHPublicKey on multiple instances #599

Merged


adanalvarez
Contributor

What does this PR do?

  • New attack technique

Motivation

I saw that this was an open and prioritized issue: #487.

There are multiple reports of this technique being exploited in the wild.

To exploit SendSerialConsoleSSHPublicKey, an attacker must first enable EC2 Serial Console access. I did not enable this in the warm-up phase because Permiso has observed this behavior as part of a larger attack. In their report, Permiso describes how attackers enable EC2 Serial Console access in compromised AWS accounts and then attempt to use SendSerialConsoleSSHPublicKey.

If EC2 Serial Console access is already enabled, I leave it as is to avoid disabling it.

I'm not sure if there is an automation to generate the logs with Grimoire, so I haven't added this.

Checklist

  • The attack technique emulates a single attack step, not a full attack chain
  • We have factual evidence & references that the attack technique was used by real malware, pentesters, or attackers
  • The attack technique makes no assumption about the state of the environment prior to warming it up

adanalvarez changed the title from "Send serial console ssh public key" to "New attack technique: Usage of SendSerialConsoleSSHPublicKey on multiple instances" on Nov 23, 2024

christophetd merged commit a912e7f into DataDog:main on Nov 28, 2024
5 checks passed
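
Detection logic for the behaviour described in the PR motivation (serial console access being enabled, followed by SendSerialConsoleSSHPublicKey calls against several instances), added here as an example; it is not code from this pull request or from the project. It assumes CloudTrail records carrying the event names `EnableSerialConsoleAccess` and `SendSerialConsoleSSHPublicKey` with an `instanceId` under `requestParameters`; the helper names, sample records, ARNs, instance IDs and the threshold are constructed for illustration.

```python
from collections import defaultdict

def _ev(time, arn, name, instance_id=None, error=None):
    """Build a constructed CloudTrail-style record with only the fields used below."""
    ev = {"eventTime": time, "eventName": name, "userIdentity": {"arn": arn}}
    if instance_id:
        ev["requestParameters"] = {"instanceId": instance_id}
    if error:
        ev["errorCode"] = error
    return ev

# Constructed sample data, not real logs. ARNs and instance IDs are placeholders.
SUSPECT = "arn:aws:iam::111122223333:user/constructed-suspect"
ADMIN = "arn:aws:iam::111122223333:user/constructed-admin"
SAMPLE_EVENTS = [
    _ev("2024-11-23T10:00:05Z", SUSPECT, "SendSerialConsoleSSHPublicKey", "i-0aaa0000000000001"),
    _ev("2024-11-23T10:00:00Z", SUSPECT, "EnableSerialConsoleAccess"),
    _ev("2024-11-23T10:00:07Z", SUSPECT, "SendSerialConsoleSSHPublicKey", "i-0aaa0000000000002",
        error="AccessDenied"),
    _ev("2024-11-23T10:00:09Z", SUSPECT, "SendSerialConsoleSSHPublicKey", "i-0aaa0000000000003"),
    _ev("2024-11-23T09:00:00Z", ADMIN, "SendSerialConsoleSSHPublicKey", "i-0aaa0000000000009"),
]

def find_serial_console_key_pushes(events, min_instances=2):
    """Flag principals that pushed serial-console SSH keys to >= min_instances
    distinct instances, and note whether they enabled serial console access first."""
    enabled_at, first_push = {}, {}
    targets = defaultdict(set)
    # Timestamps share one UTC ISO 8601 format, so string order is time order.
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        who, name = ev["userIdentity"]["arn"], ev["eventName"]
        if name == "EnableSerialConsoleAccess" and "errorCode" not in ev:
            enabled_at.setdefault(who, ev["eventTime"])
        elif name == "SendSerialConsoleSSHPublicKey":
            # Failed calls count too: an attempt is as interesting as a success.
            instance_id = (ev.get("requestParameters") or {}).get("instanceId")
            if instance_id:
                targets[who].add(instance_id)
                first_push.setdefault(who, ev["eventTime"])
    return {
        who: {"instances": sorted(ids),
              "enabled_console_first": who in enabled_at and enabled_at[who] <= first_push[who]}
        for who, ids in targets.items() if len(ids) >= min_instances
    }

if __name__ == "__main__":
    print(find_serial_console_key_pushes(SAMPLE_EVENTS))
```
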