Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Level Up Your Lab Envs!

TweekFawkes
November 03, 2022
Technology
0
180

Level Up Your Lab Envs!

Research presented at DC 435 in Utah on November 3rd, 2022

Session Name: "Level Up Your Lab Envs!"

How to setup a cybersecurity and/or penetration testing lab in Cloud (AWS, Azure, GCP, etc.) to learn how to escalate privileges via various pentest techniques.

TweekFawkes

November 03, 2022
Tweet

More Decks by TweekFawkes

See All by TweekFawkes
Cloud-focused phishing techniques to bypass FIDO2 and WebAuthn
tweekfawkes
0
78
Cloud Red Teaming: AWS Initial Access & Privilege Escalation
tweekfawkes
0
3.4k
Cloud Focused Continuous Red Teaming: Avoiding the Fall of Icarus!
tweekfawkes
0
210
Mining Cloud Resources for Initial Access via Serverless Services
tweekfawkes
0
110
Serverless and Dys-FUNctional Cloud Red Teaming
tweekfawkes
1
160
The Future?!
tweekfawkes
0
140
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
tweekfawkes
1
1k
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
tweekfawkes
0
230
UVU - Red Teaming GCP (Google Cloud Platform)
tweekfawkes
1
210

Other Decks in Technology

See All in Technology
元インフラエンジニアに成る / Human Resources to Human Relations
bobtani
4
920
DevOpsDays History and my DevOps story
kawaguti
PRO
9
2.5k
リテール金融(キャッシュレス・ネット銀行・ネット証券)の競争環境と経済圏
8maki
0
1.1k
IaCジェネレーターとBedrockで詳細設計書を生成してみた
tsukasa_ishimaru
1
150
Meta Quest 3 で動く桜マシマシ WebXR アプリを IBM Cloud Code Engine と Babylon.js で作った話
1ftseabass
PRO
0
120
ServiceNow Knowledge 24の歩き方 EYストラテジー・アンド・コンサルティング
manarobot
0
200
Kernel MemoryでAzure OpenAI Serviceとお手軽データソース連携
mitsuzono
1
250
JAWS-UG Bedrock Claude Night
yamahiro
3
600
どうするコスト最適化のトレードオフ
tetsuyaooooo
1
520
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
300
チームでロジカルシンキングに改めて向き合っている話 〜学習環境と実践⽅法〜
sansantech
PRO
3
2.4k
反実仮想機械学習とは何か
usaito
PRO
11
4.6k

Featured

See All Featured
Fashionably flexible responsive web design (full day workshop)
malarkey
398
65k
Robots, Beer and Maslow
schacon
PRO
155
7.9k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.5k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
Facilitating Awesome Meetings
lara
42
5.6k
Gamification - CAS2011
davidbonilla
76
4.6k
Side Projects
sachag
451
41k
Into the Great Unknown - MozCon
thekraken
10
990
How GitHub Uses GitHub to Build GitHub
holman
468
290k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
2
3.4k
Six Lessons from altMBA
skipperchong
21
3k
Raft: Consensus for Rubyists
vanstee
132
6.3k

Transcript

  1. https:// .Security Version 1.0 Copyright 2022 by Stage 2 Security

    Outplay Your Adversary! Bryce Kunz // @TweekFawkes

  2. https:// .Security Version 1.0 Copyright 2022 by Stage 2 Security

    Level Up Your Lab Envs! Bryce Kunz // @TweekFawkes

  3. Copyright 2022 by Stage 2 Security https:// .Security Bryce Kunz

    @TweekFawkes - Cloud Lab Envs Agenda

  4. Copyright 2022 by Stage 2 Security https:// .Security Defense DHS

    SOC Offense NSA Red Team Adobe Digital Exp. (DX) Bryce Kunz; @TweekFawkes Services • Hack (Pentest) • Hunt (Splunk ES) • Train (Cloud Sec.)

  5. Copyright 2022 by Stage 2 Security https:// .Security BSidesSLC.org Hardware

    Badge by @professor__plum Friday Dec. 16th 2022! Sandy UT Conference Center at Miller Campus https://BSidesSLC.org

  6. Copyright 2022 by Stage 2 Security https:// .Security Cloud Lab

    Envs Overview

  7. Copyright 2022 by Stage 2 Security https:// .Security Why? TL;DR:

    • Learn by Hands-on Experience • Be Able to Talk To Experience in Interviews • Be Able to Mentor Others on Common TTPs ◦ Tactics, Techniques, and Procedures (TTPs)

  8. Copyright 2022 by Stage 2 Security https:// .Security Why? TL;DR:

    • Learn by Hands-on Experience • Be Able to Talk To Experience in Interviews • Be Able to Mentor Others on Common TTPs ◦ Tactics, Techniques, and Procedures (TTPs)

  9. Copyright 2022 by Stage 2 Security https:// .Security AiTM Evilginx2

    • https://cloud.hacktricks.xyz/pentesting-cloud/aws-security • https://github.com/BishopFox/iam-vulnerable • https://github.com/RhinoSecurityLabs/cloudgoat • https://github.com/bridgecrewio/terragoat • https://github.com/nccgroup/sadcloud • https://hackingthe.cloud/aws/capture_the_flag/cicdont • https://github.com/ine-labs/AWSGoat Vulnerable Lab Environments CloudGoat

  10. Copyright 2022 by Stage 2 Security https:// .Security TL;DR: •

    Focused on AWS’s IAM Service ◦ Identity and Access Management (IAM) • Deploys via Terraform • 31 Privilege Escalation Paths • GitHub Links to Solutions • Great for Testing GraphDB Tools (e.g. AWSpx, PMapper, etc.) • REF: https://github.com/BishopFox/iam-vulnerable Iam Vulnerable

  11. Copyright 2022 by Stage 2 Security https:// .Security CloudGoat TL;DR:

    • Focused on AWS ◦ Resources: Lambda, EC2, S3, etc. ◦ + Identity and Access Management (IAM) • Deploys via Terraform • 12 Scenarios • Solutions are easily Google-able • Great for Reference or Testing Specific Technique/Tools (e.g. Pacu) • REF: https://github.com/RhinoSecurityLabs/cloudgoat CloudGoat

  12. Copyright 2022 by Stage 2 Security https:// .Security SadCloud TL;DR:

    • Focused on AWS ◦ Resources: Lambda, EC2, S3, etc. ◦ + Identity and Access Management (IAM) • Deploys via Terraform • 84 Misconfigurations • Great for Testing Cloud Vuln Scan Tools (e.g. ScoutSuite) • REF: https://github.com/nccgroup/sadcloud

  13. Copyright 2022 by Stage 2 Security https:// .Security AzureGoat TL;DR:

    • Focused on Azure • REF: https://github.com/ine-labs/AzureGoat

  14. Copyright 2022 by Stage 2 Security https:// .Security GCPGoat TL;DR:

    • Focused on GCP • Good for 101 Basics… Needs More Complex Scenarios • REF: https://gcpgoat.joshuajebaraj.com/

  15. Copyright 2022 by Stage 2 Security https:// .Security Others REFs

    • https://hackingthe.cloud/aws/capture_the_flag/cicdont/ • https://github.com/nccgroup/sadcloud • https://github.com/bridgecrewio/terragoat • https://github.com/ine-labs/AWSGoat • http://flaws.cloud/ • http://flaws2.cloud/

  16. Copyright 2022 by Stage 2 Security https:// .Security Tools &

    Techniques Overview

  17. Copyright 2022 by Stage 2 Security https:// .Security Guides •

    https://cloud.hacktricks.xyz/pentesting-cloud/ • https://pentestbook.six2dez.com/enumeration/cloud/ • https://github.com/dafthack/CloudPentestCheatsheets • PayloadsAllTheThings: ◦ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology %20and%20Resources/Cloud%20-%20AWS%20Pentest.md ◦ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology %20and%20Resources/Cloud%20-%20Azure%20Pentest.md • https://github.com/vengatesh-nagarajan/Cloud-pentest • https://github.com/CyberSecurityUP/Awesome-Cloud-PenTest • https://github.com/kh4sh3i/cloud-penetration-testing

  18. Copyright 2022 by Stage 2 Security https:// .Security … Visualization

    Tools • https://github.com/nccgroup/PMapper • https://github.com/Azure/Stormspotter • https://github.com/duo-labs/cloudmapper • https://github.com/WithSecureLabs/awspx • https://github.com/SygniaLabs/security-cloud-scout • https://github.com/BloodHoundAD/BloodHound • https://pentestbook.six2dez.com/enumeration/cloud/azure Steps: 1. Collection 2. Processing 3. Analysis

  19. Copyright 2022 by Stage 2 Security https:// .Security Tailored Collection

    & Processing + Neo4j GraphDB Aws Cloud Capability Tool (ACCT)

  20. Copyright 2022 by Stage 2 Security https:// .Security Walkthrough Overview

  21. Copyright 2022 by Stage 2 Security https:// .Security Why Graph

    DBs?

  22. Copyright 2022 by Stage 2 Security https:// .Security … Quickly

    Find Priv Esc Paths

  23. Copyright 2022 by Stage 2 Security https:// .Security … 1.

    Set The Goal

  24. Copyright 2022 by Stage 2 Security https:// .Security … 2.

    Generate Inbound Paths

  25. Copyright 2022 by Stage 2 Security https:// .Security … 3.

    Analyze the Paths for Access Vectors

  26. Copyright 2022 by Stage 2 Security https:// .Security But How

    Are All Those Lines Useful?

  27. Copyright 2022 by Stage 2 Security https:// .Security

  28. Copyright 2022 by Stage 2 Security https:// .Security IAM Roles

  29. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users Permissions Policy Action sts:AssumeRole Resource arn…role/rds-ro IAM User joe AWS IAM Users & AWS Service RDS, &... Relational Database Service (RDS) DB Cluster Secrets

  30. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users Permissions Policy Action sts:AssumeRole Resource arn…role/rds-ro IAM User joe AWS IAM Users & AWS Service RDS, &... Relational Database Service (RDS) DB Cluster Secrets Blocked! Requires… Action rds:Describe*

  31. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Roles Permissions Policy What can be done with the role Action rds:Describe* Resource * Role rds-ro AWS IAM Roles & Policies

  32. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Roles Permissions Policy What can be done with the role Action rds:Describe* Resource * Role rds-ro AWS IAM Roles & Policies Relational Database Service (RDS) DB Cluster Secrets

  33. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal arn…user/joe Action sts:AssumeRole Permissions Policy What can be done with the role Action rds:Describe* Resource * Role rds-ro AWS IAM Roles & Policies

  34. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal arn…user/joe Action sts:AssumeRole Permissions Policy What can be done with the role Action rds:Describe* Resource * Role rds-ro AWS IAM Roles & Policies Relational Database Service (RDS) DB Cluster Secrets

  35. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal arn…user/joe Action sts:AssumeRole Permissions Policy What can be done with the role Action rds:Describe* Resource * Role rds-ro Permissions Policy Action sts:AssumeRole Resource arn…role/rds-ro IAM User joe AWS IAM Users & IAM Roles

  36. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal arn…user/joe Action sts:AssumeRole Permissions Policy What can be done with the role Action rds:Describe* Resource * Role rds-ro Permissions Policy Action sts:AssumeRole Resource arn…role/rds-ro IAM User joe AWS IAM Users, IAM Roles, & AWS Services Relational Database Service (RDS) DB Cluster Secrets

  37. Copyright 2022 by Stage 2 Security https:// .Security iam:PassRole

  38. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users Permissions Policy AmazonEC2FullAccess Resource * IAM User rydia App on EC2 Instance, Needs S3 Objects, &... Simple Storage Service (S3) AWS EC2 Instances App Objects S3 Bucket Secrets

  39. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users Permissions Policy AmazonEC2FullAccess Resource * IAM User rydia App on EC2 Instance, Needs S3 Objects, &... Simple Storage Service (S3) AWS EC2 Instances App Objects S3 Bucket Secrets Blocked! Requires… Action s3:Get*

  40. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    IAM Users Permissions Policy AmazonEC2FullAccess Resource * IAM User rydia Attach Role to Instance, &… Simple Storage Service (S3) AWS EC2 Instances App Objects S3 Bucket Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro Identity and Access Management (IAM)

  41. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal Service EC2 Action sts:AssumeRole Permissions Policy What can be done with the role AmazonS3ReadOnlyAccess Resource * Role ec2-s3-ro Permissions Policy AmazonEC2FullAccess Resource * IAM User rydia Attach Role to Instance, &… Simple Storage Service (S3) AWS EC2 Instances App Objects S3 Bucket Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro

  42. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal Service EC2 Action sts:AssumeRole Permissions Policy What can be done with the role AmazonS3ReadOnlyAccess Resource * Role ec2-s3-ro Permissions Policy AmazonEC2FullAccess Resource * IAM User rydia Attach Role to Instance, &… Simple Storage Service (S3) AWS EC2 Instances App Objects S3 Bucket Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro Blocked! Requires… Action iam:PassRole*

  43. Copyright 2022 by Stage 2 Security https:// .Security Create a

    Policy Allowing Pass Role Instances

  44. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal Service EC2 Action sts:AssumeRole Permissions Policy What can be done with the role AmazonS3ReadOnlyAccess Resource * Role ec2-s3-ro Permissions Policy AmazonEC2FullAccess Resource * IAM User rydia Attach Role to Instance, &… Simple Storage Service (S3) AWS EC2 Instances App Objects S3 Bucket Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro New Policy pass-ec2-s3-ro

  45. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal Service EC2 Action sts:AssumeRole Permissions Policy What can be done with the role AmazonS3ReadOnlyAccess Resource * Role ec2-s3-ro Permissions Policy AmazonEC2FullAccess Resource * pass-ec2-s3-ro IAM User rydia S3 Bucket Policies & S3 ACLs S3 AWS EC2 Instances App Objects Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro S3 Bucket Policies S3 ACLs S3 Bucket

  46. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal Service EC2 Action sts:AssumeRole Permissions Policy What can be done with the role AmazonS3ReadOnlyAccess Resource * Role ec2-s3-ro Permissions Policy AmazonEC2FullAccess Resource * pass-ec2-s3-ro IAM User rydia Attach Role to Instance, &… AWS EC2 Instances App Objects S3 Bucket Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro S3 S3 Bucket Policies S3 ACLs

  47. Copyright 2022 by Stage 2 Security https:// .Security S3 AWS

    Account Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal Service EC2 Action sts:AssumeRole Permissions Policy What can be done with the role AmazonS3ReadOnlyAccess Resource * Role ec2-s3-ro Permissions Policy AmazonEC2FullAccess Resource * pass-ec2-s3-ro IAM User rydia Attach Role to Instance, &… AWS EC2 Instances App Objects S3 Bucket Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro S3 Bucket Policies S3 ACLs

  48. Copyright 2022 by Stage 2 Security https:// .Security Scott P.

    Shout Out! …

  49. Copyright 2022 by Stage 2 Security https:// .Security Basic Priv

    Esc Example via Graph DB

  50. Copyright 2022 by Stage 2 Security https:// .Security … 1.

    Set The Goal

  51. Copyright 2022 by Stage 2 Security https:// .Security … 2.

    Generate Inbound Paths

  52. Copyright 2022 by Stage 2 Security https:// .Security … 3.

    Analyze the Paths for Access Vectors

  53. Copyright 2022 by Stage 2 Security https:// .Security … IAM

    Policy with * Permissions!

  54. Copyright 2022 by Stage 2 Security https:// .Security … Role

    w/ Trust Policy allowing EC2

  55. Copyright 2022 by Stage 2 Security https:// .Security … Instance

    Profile to Role

  56. Copyright 2022 by Stage 2 Security https:// .Security … iam:PasRole

    Permissions within Policy

  57. Copyright 2022 by Stage 2 Security https:// .Security … IAM

    User with Permissions Policy

  58. Copyright 2022 by Stage 2 Security https:// .Security … Compromise

    of “privesc3-…” User… To Admin Access!

  59. Copyright 2022 by Stage 2 Security https:// .Security … Compromise

    of “privesc3-…” User… To Admin Access!

  60. Copyright 2022 by Stage 2 Security https:// .Security … Compromise

    of “privesc3-…” User… To Admin Access!

  61. Copyright 2022 by Stage 2 Security https:// .Security … Compromise

    of “privesc3-…” User… To Admin Access!

  62. Copyright 2022 by Stage 2 Security https:// .Security … Compromise

    of “privesc3-…” User… To Admin Access!

  63. Copyright 2022 by Stage 2 Security https:// .Security Create New

    EC2 Instance w/ Role Attached Instance Role Temporary Credentials Policies Instance Profile Simple Storage Service (S3) Objects S3 Bucket Secrets Elastic Compute Cloud (EC2) AWS IAM

  64. Copyright 2022 by Stage 2 Security https:// .Security … Compromise

    of “privesc3-…” User… To Admin Access!

  65. Copyright 2022 by Stage 2 Security https:// .Security Get Access

    To EC2 Instance via Connect Back to NC Instance Role Temporary Credentials Policies Instance Profile User Data Launch Script Simple Storage Service (S3) Objects S3 Bucket Secrets Elastic Compute Cloud (EC2) AWS IAM NetCat Listener

  66. Copyright 2022 by Stage 2 Security https:// .Security C2 via

    NetCat Instance Role Temporary Credentials Policies Instance Profile Simple Storage Service (S3) Objects S3 Bucket Secrets C2 Elastic Compute Cloud (EC2) AWS IAM NetCat Listener

  67. Copyright 2022 by Stage 2 Security https:// .Security …

  68. Copyright 2022 by Stage 2 Security https:// .Security Elastic Compute

    Cloud (EC2) Access Metadata via Curl 169.254. 169.254 Instance AWS IAM Role Temporary Credentials Policies Instance Profile NetCat Listener Metadata Service Simple Storage Service (S3) Objects S3 Bucket Secrets C2

  69. Copyright 2022 by Stage 2 Security https:// .Security Elastic Compute

    Cloud (EC2) Access Metadata via Curl 169.254. 169.254 To Collect Creds! Instance AWS IAM Role Temporary Credentials Policies Instance Profile NetCat Listener Metadata Service Temporary Credentials Simple Storage Service (S3) Objects S3 Bucket Secrets C2

  70. Copyright 2022 by Stage 2 Security https:// .Security … Compromise

    of “privesc3-…” User… To Admin Access!

  71. Copyright 2022 by Stage 2 Security https:// .Security Elastic Compute

    Cloud (EC2) Configure aws cli Instance AWS IAM Role Temporary Credentials Policies Instance Profile NetCat Listener Metadata Service Temporary Credentials Simple Storage Service (S3) Objects S3 Bucket Secrets C2

  72. Copyright 2022 by Stage 2 Security https:// .Security … Compromise

    of “privesc3-…” User… To Admin Access!

  73. Copyright 2022 by Stage 2 Security https:// .Security Elastic Compute

    Cloud (EC2) Reuse Creds for S3 Access! Instance AWS IAM Role Temporary Credentials Policies Instance Profile NetCat Listener Metadata Service Temporary Credentials Simple Storage Service (S3) Objects S3 Bucket Secrets C2

  74. Copyright 2022 by Stage 2 Security https:// .Security … Compromise

    of “privesc3-…” User… To Admin Access!

  75. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors

  76. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors IAM Permissions Manipulating Resources

  77. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc…

  78. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc…

  79. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc… AssumeRole Policies iam:UpdateAssumeRolePolicy + sts:AssumeRole

  80. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc… AssumeRole Policies iam:UpdateAssumeRolePolicy + sts:AssumeRole PassRole Policies iam:PassRole + Processing Data

  81. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc… AssumeRole Policies iam:UpdateAssumeRolePolicy + sts:AssumeRole Resources Processing Data PassRole Policies iam:PassRole + Processing Data Create New Affect Inputs

  82. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc… AssumeRole Policies iam:UpdateAssumeRolePolicy + sts:AssumeRole Resources Processing Data PassRole Policies iam:PassRole + Processing Data Create New Affect Inputs Lambda lambda:UpdateFunctionCode lambda:PublishLayerVersion + Function w/ Role

  83. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc… AssumeRole Policies iam:UpdateAssumeRolePolicy + sts:AssumeRole Resources Processing Data PassRole Policies iam:PassRole + Processing Data Create New Affect Inputs SSM & EC2 SendCommand StartSession + Instance Profile w/ Role Lambda lambda:UpdateFunctionCode lambda:PublishLayerVersion + Function w/ Role

  84. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc… AssumeRole Policies iam:UpdateAssumeRolePolicy + sts:AssumeRole Resources Processing Data PassRole Policies iam:PassRole + Processing Data Create New Affect Inputs SSM & EC2 SendCommand StartSession + Instance Profile w/ Role Lambda lambda:UpdateFunctionCode lambda:PublishLayerVersion + Function w/ Role AWS Services Numerous… e.g. w/ a Role

  85. Copyright 2022 by Stage 2 Security https:// .Security Trainings @

    BlackHat & On-Site! Thank You! [email protected] .sh @TweekFawkes

  86. Copyright 2022 by Stage 2 Security https:// .Security End Overview