Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New attack technique: Usage of SendSerialConsoleSSHPublicKey on multiple instances #599

Merged
merged 10 commits into from
Nov 28, 2024
Merged

New attack technique: Usage of SendSerialConsoleSSHPublicKey on multiple instances #599

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
59795ee
add ec2-send-serial-console-ssh-public-key technique
adanalvarez Nov 23, 2024
8192b8b
add ec2-send-serial-console-ssh-public-key docs
adanalvarez Nov 23, 2024
da74dd1
fix cloudtrail example
adanalvarez Nov 23, 2024
2b65fe8
keep ec2 serial console access as it was
adanalvarez Nov 23, 2024
60260e1
Sort imports
christophetd Nov 25, 2024
1e1f6d8
Fix potential nil pointer dereference and improve logging
christophetd Nov 25, 2024
287dcce
Move enabling/disabling SendSerielConsoleSSHKey to Terraform
christophetd Nov 25, 2024
6c597bc
Cosmetic improvements and update docs
christophetd Nov 26, 2024
03e629e
Change logic for handling initial serial console enablement
christophetd Nov 26, 2024
c9368e9
Remove unused variable
christophetd Nov 28, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
277 changes: 277 additions & 0 deletions ...k-techniques/AWS/aws.lateral-movement.ec2-serial-console-send-ssh-public-key.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,277 @@
---
title: Usage of EC2 Serial Console to push SSH public key
---

# Usage of EC2 Serial Console to push SSH public key

<span class="smallcaps w3-badge w3-orange w3-round w3-text-sand" title="This attack technique might be slow to warm up or detonate">slow</span>
<span class="smallcaps w3-badge w3-blue w3-round w3-text-white" title="This attack technique can be detonated multiple times">idempotent</span>

Platform: AWS

## MITRE ATT&CK Tactics


- Lateral Movement

## Description


Simulates an attacker using EC2 Instance Connect to push an SSH public key to multiple EC2 instances, using <code>SendSerialConsoleSSHPublicKey</code>. This allows anyone
with the corresponding private key to connect directly to the systems via SSH, assuming they have appropriate network connectivity.

<span style="font-variant: small-caps;">Warm-up</span>:

- Create multiple EC2 instances and a VPC (takes a few minutes).

<span style="font-variant: small-caps;">Detonation</span>:

- Adds a public SSH key to the EC2 instances using <code>SendSerialConsoleSSHPublicKey</code>.

References:

- https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSerialConsoleSSHPublicKey.html
- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf
- https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/
- https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/


## Instructions

```bash title="Detonate with Stratus Red Team"
stratus detonate aws.lateral-movement.ec2-serial-console-send-ssh-public-key
```
## Detection


Identify, through CloudTrail's <code>SendSerialConsoleSSHPublicKey</code> event, when a user is adding an SSH key to EC2 instances.



## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>

The following CloudTrail events are generated when this technique is detonated[^1]:


- `ec2-instance-connect:SendSerialConsoleSSHPublicKey`

- `ec2:EnableSerialConsoleAccess`


??? "View raw detonation logs"

```json hl_lines="6 57 109 161"

[
{
"awsRegion": "cniso-east-3r",
"eventCategory": "Management",
"eventID": "37ba412b-f943-44f2-ae48-4527f6e789d9",
"eventName": "EnableSerialConsoleAccess",
"eventSource": "ec2.amazonaws.com",
"eventTime": "2024-11-26T15:35:22Z",
"eventType": "AwsApiCall",
"eventVersion": "1.10",
"managementEvent": true,
"readOnly": false,
"recipientAccountId": "844015365555",
"requestID": "e110338f-cc06-4284-bf16-6528a7df1561",
"requestParameters": {
"EnableSerialConsoleAccessRequest": ""
},
"responseElements": {
"EnableSerialConsoleAccessResponse": {
"requestId": "e110338f-cc06-4284-bf16-6528a7df1561",
"serialConsoleAccessEnabled": true,
"xmlns": "http://ec2.amazonaws.com/doc/2016-11-15/"
}
},
"sourceIPAddress": "201.252.42.03",
"tlsDetails": {
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ec2.cniso-east-3r.amazonaws.com",
"tlsVersion": "TLSv1.3"
},
"userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0",
"userIdentity": {
"accessKeyId": "ASIA2HJRQF0DHNYEE9N1",
"accountId": "844015365555",
"arn": "arn:aws:sts::844015365555:assumed-role/[email protected]",
"principalId": "AROAEMHZD694LU95MUYOP:[email protected]",
"sessionContext": {
"attributes": {
"creationDate": "2024-11-26T15:14:58Z",
"mfaAuthenticated": "false"
},
"sessionIssuer": {
"accountId": "844015365555",
"arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff",
"principalId": "AROAEMHZD694LU95MUYOP",
"type": "Role",
"userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff"
}
},
"type": "AssumedRole"
}
},
{
"awsRegion": "cniso-east-3r",
"eventCategory": "Management",
"eventID": "787b2464-f27b-4d4c-91bc-6396f2297d0e",
"eventName": "SendSerialConsoleSSHPublicKey",
"eventSource": "ec2-instance-connect.amazonaws.com",
"eventTime": "2024-11-26T15:35:23Z",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"readOnly": false,
"recipientAccountId": "844015365555",
"requestID": "c74b1e77-bc91-4174-b297-d06a71c89abf",
"requestParameters": {
"instanceId": "i-EFCb4e480CAbc4CF9",
"monitorMode": false,
"sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu",
"serialPort": 0
},
"responseElements": {
"requestId": "c74b1e77-bc91-4174-b297-d06a71c89abf",
"success": true
},
"sourceIPAddress": "201.252.42.03",
"tlsDetails": {
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ec2-instance-connect.cniso-east-3r.amazonaws.com",
"tlsVersion": "TLSv1.3"
},
"userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0",
"userIdentity": {
"accessKeyId": "ASIA2HJRQF0DHNYEE9N1",
"accountId": "844015365555",
"arn": "arn:aws:sts::844015365555:assumed-role/[email protected]",
"principalId": "AROAEMHZD694LU95MUYOP:[email protected]",
"sessionContext": {
"attributes": {
"creationDate": "2024-11-26T15:14:58Z",
"mfaAuthenticated": "false"
},
"sessionIssuer": {
"accountId": "844015365555",
"arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff",
"principalId": "AROAEMHZD694LU95MUYOP",
"type": "Role",
"userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff"
},
"webIdFederationData": {}
},
"type": "AssumedRole"
}
},
{
"awsRegion": "cniso-east-3r",
"eventCategory": "Management",
"eventID": "e49972cb-b394-43e2-aab5-602f1fb56f85",
"eventName": "SendSerialConsoleSSHPublicKey",
"eventSource": "ec2-instance-connect.amazonaws.com",
"eventTime": "2024-11-26T15:35:23Z",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"readOnly": false,
"recipientAccountId": "844015365555",
"requestID": "d392c0ca-351f-472f-9ca3-b411beb9df9c",
"requestParameters": {
"instanceId": "i-B2ABDCa5b78E0f1dd",
"monitorMode": false,
"sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu",
"serialPort": 0
},
"responseElements": {
"requestId": "d392c0ca-351f-472f-9ca3-b411beb9df9c",
"success": true
},
"sourceIPAddress": "201.252.42.03",
"tlsDetails": {
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ec2-instance-connect.cniso-east-3r.amazonaws.com",
"tlsVersion": "TLSv1.3"
},
"userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0",
"userIdentity": {
"accessKeyId": "ASIA2HJRQF0DHNYEE9N1",
"accountId": "844015365555",
"arn": "arn:aws:sts::844015365555:assumed-role/[email protected]",
"principalId": "AROAEMHZD694LU95MUYOP:[email protected]",
"sessionContext": {
"attributes": {
"creationDate": "2024-11-26T15:14:58Z",
"mfaAuthenticated": "false"
},
"sessionIssuer": {
"accountId": "844015365555",
"arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff",
"principalId": "AROAEMHZD694LU95MUYOP",
"type": "Role",
"userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff"
},
"webIdFederationData": {}
},
"type": "AssumedRole"
}
},
{
"awsRegion": "cniso-east-3r",
"eventCategory": "Management",
"eventID": "f4dc86c9-6b22-4643-a0e8-fcb97fcfae68",
"eventName": "SendSerialConsoleSSHPublicKey",
"eventSource": "ec2-instance-connect.amazonaws.com",
"eventTime": "2024-11-26T15:35:22Z",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"readOnly": false,
"recipientAccountId": "844015365555",
"requestID": "88c8e41e-7754-4377-983f-140f8ca5617e",
"requestParameters": {
"instanceId": "i-D46eD8FCdefED5aAE",
"monitorMode": false,
"sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu",
"serialPort": 0
},
"responseElements": {
"requestId": "88c8e41e-7754-4377-983f-140f8ca5617e",
"success": true
},
"sourceIPAddress": "201.252.42.03",
"tlsDetails": {
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ec2-instance-connect.cniso-east-3r.amazonaws.com",
"tlsVersion": "TLSv1.3"
},
"userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0",
"userIdentity": {
"accessKeyId": "ASIA2HJRQF0DHNYEE9N1",
"accountId": "844015365555",
"arn": "arn:aws:sts::844015365555:assumed-role/[email protected]",
"principalId": "AROAEMHZD694LU95MUYOP:[email protected]",
"sessionContext": {
"attributes": {
"creationDate": "2024-11-26T15:14:58Z",
"mfaAuthenticated": "false"
},
"sessionIssuer": {
"accountId": "844015365555",
"arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff",
"principalId": "AROAEMHZD694LU95MUYOP",
"type": "Role",
"userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff"
},
"webIdFederationData": {}
},
"type": "AssumedRole"
}
}
]
```

[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker).
2 changes: 2 additions & 0 deletions docs/attack-techniques/AWS/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT

## Lateral Movement

- [Usage of EC2 Serial Console to push SSH public key](./aws.lateral-movement.ec2-serial-console-send-ssh-public-key.md)

- [Usage of EC2 Instance Connect on multiple instances](./aws.lateral-movement.ec2-instance-connect.md)


Expand Down
1 change: 1 addition & 0 deletions docs/attack-techniques/list.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ This page contains the list of all Stratus Attack Techniques.
| [S3 Ransomware through client-side encryption](./AWS/aws.impact.s3-ransomware-client-side-encryption.md) | [AWS](./AWS/index.md) | Impact |
| [S3 Ransomware through individual file deletion](./AWS/aws.impact.s3-ransomware-individual-deletion.md) | [AWS](./AWS/index.md) | Impact |
| [Console Login without MFA](./AWS/aws.initial-access.console-login-without-mfa.md) | [AWS](./AWS/index.md) | Initial Access |
| [Usage of EC2 Serial Console to push SSH public key](./AWS/aws.lateral-movement.ec2-serial-console-send-ssh-public-key.md) | [AWS](./AWS/index.md) | Lateral Movement |
| [Usage of EC2 Instance Connect on multiple instances](./AWS/aws.lateral-movement.ec2-instance-connect.md) | [AWS](./AWS/index.md) | Lateral Movement |
| [Backdoor an IAM Role](./AWS/aws.persistence.iam-backdoor-role.md) | [AWS](./AWS/index.md) | Persistence |
| [Create an Access Key on an IAM User](./AWS/aws.persistence.iam-backdoor-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
Expand Down
Loading
Loading