AWS - EC2 Persistence
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
For more information check:
If a defender finds that an EC2 instance has been compromised, they will probably try to isolate the machine's network. They could do this with an explicit Deny NACL rule (but NACLs affect the entire subnet) or by changing the security group so that it allows no inbound or outbound traffic at all.
If the attacker has a reverse shell originating from the machine, the connection won't be killed even after the SG is modified to allow no inbound or outbound traffic, because of Security Group Connection Tracking: established, tracked flows survive rule changes.
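A responder who swapped the security group can verify whether isolation actually worked by checking VPC Flow Logs for connections that existed before the change and still carry bytes afterwards. The script below is an added example and not code from the HackTricks page; it assumes the default flow-log v2 field order, and every log line, ENI id and timestamp in it is constructed.

```python
# Added example (not from the HackTricks page): given VPC Flow Log lines, find
# established flows on a quarantined instance's ENI that still carry bytes
# after the security group was swapped. Sample lines are constructed; the
# field order assumed is the default flow-log v2 format.
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_line(line):
    """Parse one default-format flow-log record into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    for key in INT_FIELDS:
        rec[key] = int(rec[key]) if rec[key] != "-" else 0  # '-' appears on NODATA/SKIPDATA lines
    return rec


def surviving_flows(lines, isolated_at, interface_id):
    """5-tuples that were ACCEPTed before isolated_at and still moved bytes after it.

    A non-empty result means the SG change did not cut those connections (tracked
    flows survive rule changes), so a NACL deny or stopping the instance is still needed.
    """
    seen_before, bytes_after = set(), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["interface_id"] != interface_id or rec["action"] != "ACCEPT":
            continue
        key = (rec["srcaddr"], rec["srcport"], rec["dstaddr"], rec["dstport"], rec["protocol"])
        if rec["start"] < isolated_at:
            seen_before.add(key)
        if rec["end"] > isolated_at and rec["bytes"] > 0:
            bytes_after[key] += rec["bytes"]
    return {k: v for k, v in bytes_after.items() if k in seen_before}


# Constructed sample: ENI of the compromised instance, SG swapped at t=1700000200.
QUARANTINED_ENI = "eni-0a1b2c3d4e5f60718"
ISOLATED_AT = 1700000200
SAMPLE_LINES = [
    # outbound reverse-shell flow to 203.0.113.10:4444, before isolation
    "2 111111111111 eni-0a1b2c3d4e5f60718 10.0.1.23 203.0.113.10 44321 4444 6 20 1600 1700000000 1700000060 ACCEPT OK",
    # same 5-tuple, still ACCEPTed and carrying bytes after isolation: tracked connection survived
    "2 111111111111 eni-0a1b2c3d4e5f60718 10.0.1.23 203.0.113.10 44321 4444 6 18 1500 1700000300 1700000360 ACCEPT OK",
    # a new inbound attempt after isolation is rejected, as expected for a fresh flow
    "2 111111111111 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.23 51000 22 6 3 180 1700000300 1700000360 REJECT OK",
    # unrelated ENI, ignored
    "2 111111111111 eni-0ffffffffffffffff 10.0.2.5 10.0.2.6 40000 443 6 5 400 1700000300 1700000360 ACCEPT OK",
]

if __name__ == "__main__":
    for flow, nbytes in surviving_flows(SAMPLE_LINES, ISOLATED_AT, QUARANTINED_ENI).items():
        print(f"still alive after isolation: {flow} ({nbytes} bytes)")
```

Run against real logs by feeding the lines of the ENI's flow-log stream and the epoch second at which the SG was swapped; any flow it reports is one that the SG change alone did not terminate.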
Amazon Data Lifecycle Manager (DLM) allows scheduling the creation of AMIs and snapshots and even sharing them with other accounts. An attacker could configure the generation of AMIs or snapshots of all the images or all the volumes every week and share them with their own account.
It's possible to schedule instances to run daily, weekly or even monthly. An attacker could schedule a machine with high privileges or interesting access so that it runs regularly and they can reach it.
Spot instances are cheaper than regular instances. An attacker could submit a small spot fleet request valid for 5 years (for example), with automatic IP assignment, a high-privileged IAM role, and user data that sends the attacker the IP address whenever a spot instance starts.
An attacker could get access to the instances and backdoor them:
Using a traditional rootkit for example
Adding a new public SSH key (check EC2 privesc options)
Backdooring the User Data
The attacker could also backdoor the AMI, the User Data or the Key Pair that new instances are launched with.
Create a VPN so the attacker can connect directly through it to the VPC.
Create a peering connection between the victim VPC and the attacker's VPC so the attacker can reach the victim VPC.
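Every technique in this section (DLM policies that share snapshots, long-lived spot fleets with a privileged role, user-data and launch-template changes, VPN and VPC peering into the VPC) is a control-plane API call and therefore lands in CloudTrail. The scanner below is an added example, not HackTricks code: it flags the relevant records for review. The record shapes follow CloudTrail's format for these APIs, but the nested key names it reads are assumptions, and every account id, resource id and event in the sample is constructed.

```python
# Added example (not HackTricks code): flag CloudTrail records that match the
# EC2 persistence techniques above. Key names inside requestParameters are
# assumptions about CloudTrail's shape; all sample events are constructed.
from datetime import datetime, timedelta, timezone

OWN_ACCOUNT = "111111111111"            # constructed: the defended account
TRUSTED_ACCOUNTS = {OWN_ACCOUNT}        # may receive shared snapshots/AMIs or peerings
MAX_SPOT_LIFETIME = timedelta(days=90)  # spot fleets valid for longer are suspicious
REFERENCE_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed "now" for the sample

WATCHED = {
    "ModifyInstanceAttribute", "ModifySnapshotAttribute", "ModifyImageAttribute",
    "CreateLifecyclePolicy", "RequestSpotFleet", "CreateLaunchTemplateVersion",
    "CreateLaunchConfiguration", "CreateVpnConnection", "CreateVpcPeeringConnection",
}


def _items(value):
    """CloudTrail wraps some lists as {"items": [...]}; accept both shapes."""
    if isinstance(value, dict):
        return value.get("items") or []
    return value or []


def _added_user_ids(params, key):
    """userIds being added under createVolumePermission / launchPermission."""
    return {i["userId"] for i in _items((params.get(key) or {}).get("add")) if "userId" in i}


def classify(event, now=None):
    """Return a list of findings for one record; an empty list means nothing to flag."""
    name = event.get("eventName")
    if name not in WATCHED:
        return []
    p = event.get("requestParameters") or {}
    out = []
    if name == "ModifyInstanceAttribute" and "userData" in p:
        out.append(f"user data rewritten on {p.get('instanceId')}")
    if name in ("ModifySnapshotAttribute", "ModifyImageAttribute"):
        key = "createVolumePermission" if name == "ModifySnapshotAttribute" else "launchPermission"
        foreign = _added_user_ids(p, key) - TRUSTED_ACCOUNTS
        if foreign:
            out.append(f"{name}: shared with untrusted account(s) {sorted(foreign)}")
    if name == "CreateLifecyclePolicy":
        # DLM snapshot schedules may carry ShareRules that copy snapshots to other accounts
        for sched in _items((p.get("policyDetails") or {}).get("schedules")):
            for rule in _items(sched.get("shareRules")):
                foreign = set(_items(rule.get("targetAccounts"))) - TRUSTED_ACCOUNTS
                if foreign:
                    out.append(f"DLM policy shares snapshots with {sorted(foreign)}")
    if name == "RequestSpotFleet":
        cfg = p.get("spotFleetRequestConfig") or {}
        if cfg.get("validUntil"):
            now = now or datetime.now(timezone.utc)
            expiry = datetime.fromisoformat(cfg["validUntil"].replace("Z", "+00:00"))
            if expiry - now > MAX_SPOT_LIFETIME:
                out.append(f"spot fleet valid for {(expiry - now).days} days")
        for spec in _items(cfg.get("launchSpecifications")):
            if spec.get("iamInstanceProfile"):
                out.append(f"spot fleet launches with instance profile {spec['iamInstanceProfile']}")
    if name in ("CreateLaunchTemplateVersion", "CreateLaunchConfiguration"):
        out.append(f"{name}: review the AMI, key pair and user data it launches with")
    if name == "CreateVpnConnection":
        out.append("VPN connection created into the VPC")
    if name == "CreateVpcPeeringConnection":
        owner = p.get("peerOwnerId") or OWN_ACCOUNT  # absent peerOwnerId means same account
        if owner not in TRUSTED_ACCOUNTS:
            out.append(f"peering requested with untrusted account {owner}")
    return out


def scan(events, now=None):
    """Map eventID -> findings for every record that produced at least one."""
    return {e["eventID"]: f for e in events if (f := classify(e, now))}


SAMPLE_EVENTS = [  # constructed CloudTrail records
    {"eventID": "e1", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "userData": {"value": "<redacted>"}}},
    {"eventID": "e2", "eventName": "ModifySnapshotAttribute",
     "requestParameters": {"snapshotId": "snap-0123456789abcdef0",
                           "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
    {"eventID": "e3", "eventName": "CreateVpcPeeringConnection",
     "requestParameters": {"vpcId": "vpc-0123456789abcdef0", "peerVpcId": "vpc-0fedcba9876543210",
                           "peerOwnerId": "999999999999"}},
    {"eventID": "e4", "eventName": "RequestSpotFleet",
     "requestParameters": {"spotFleetRequestConfig": {
         "validUntil": "2035-01-01T00:00:00Z",
         "launchSpecifications": {"items": [{"iamInstanceProfile": {"arn": "arn:aws:iam::111111111111:instance-profile/admin"}}]}}}},
    {"eventID": "e5", "eventName": "DescribeInstances", "requestParameters": {}},
]

if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_EVENTS, REFERENCE_TIME).items():
        print(event_id, findings)
```

Feed it the parsed `Records` array of a CloudTrail log file (or the output of a CloudTrail Lake / Athena query) and extend `TRUSTED_ACCOUNTS` with the accounts that legitimately receive shared snapshots or peerings; anything it returns is a change to what the environment launches or who can reach it, and deserves a ticket.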