AWS - EC2 Persistence
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
EC2
For more information check:
AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum
Security Group Connection Tracking Persistence
If a defender finds that an EC2 instance was compromised, he will probably try to isolate the machine's network. He could do this with an explicit Deny NACL (but NACLs affect the entire subnet), or by changing the security group so that it allows no inbound or outbound traffic.
If the attacker had a reverse shell originating from the machine, the connection won't be killed even if the SG is modified to not allow inbound or outbound traffic, because the already-established flow is still tracked by Security Group Connection Tracking.
EC2 Lifecycle Manager
This service allows scheduling the creation of AMIs and snapshots, and even sharing them with other accounts.
An attacker could configure the generation of AMIs or snapshots of all the images or all the volumes every week and share them with his account.
Scheduled Instances
It's possible to schedule instances to run daily, weekly or even monthly. An attacker could schedule a machine with high privileges or interesting access that he is able to reach.
Spot Fleet Request
Spot instances are cheaper than regular instances. An attacker could launch a small spot fleet request for 5 years (for example), with automatic IP assignment, user data that notifies the attacker when the spot instance starts and reports its IP address, and a highly privileged IAM role.
Backdoor Instances
An attacker could get access to the instances and backdoor them:
- Using a traditional rootkit for example
- Adding a new public SSH key (check EC2 privesc options)
- Backdooring the User Data
Backdoor Launch Configuration
- Backdoor the used AMI
- Backdoor the User Data
- Backdoor the Key Pair
VPN
Create a VPN so the attacker will be able to connect directly through it to the VPC.
VPC Peering
Create a peering connection between the victim VPC and the attacker VPC so he will be able to access the victim VPC.
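From the defender's side, both the EC2 Lifecycle Manager sharing and the VPC peering described above leave a foreign account ID in the configuration, which can be audited against an allowlist. The following is an added example, not code from HackTricks; the sample data, the account IDs and the function names are constructed, and `TRUSTED_ACCOUNTS` is an assumption standing in for the accounts you own.

```python
# Added example. Samples are constructed; field names follow the DLM
# Policy object and the EC2 DescribeVpcPeeringConnections response.
TRUSTED_ACCOUNTS = {"111111111111"}  # assumption: account IDs you own

SAMPLE_DLM_POLICIES = [  # constructed
    {"PolicyId": "policy-0aaaaaaaaaaaaaaaa", "State": "ENABLED",
     "PolicyDetails": {"Schedules": [
         {"Name": "weekly", "ShareRules": [
             {"TargetAccounts": ["111111111111", "999999999999"]}]}]}},
    {"PolicyId": "policy-0bbbbbbbbbbbbbbbb", "State": "ENABLED",
     "PolicyDetails": {"Schedules": [{"Name": "daily"}]}},
]

SAMPLE_PEERINGS = [  # constructed
    {"VpcPeeringConnectionId": "pcx-0aaaaaaaaaaaaaaaa",
     "Status": {"Code": "active"},
     "RequesterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-0a"},
     "AccepterVpcInfo": {"OwnerId": "999999999999", "VpcId": "vpc-0b"}},
    {"VpcPeeringConnectionId": "pcx-0bbbbbbbbbbbbbbbb",
     "Status": {"Code": "deleted"},
     "RequesterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-0a"},
     "AccepterVpcInfo": {"OwnerId": "888888888888", "VpcId": "vpc-0c"}},
]

def untrusted_dlm_shares(policies, trusted=TRUSTED_ACCOUNTS):
    """Return (policy_id, schedule, account) for shares outside `trusted`."""
    findings = []
    for policy in policies:
        for sched in policy.get("PolicyDetails", {}).get("Schedules", []):
            for rule in sched.get("ShareRules", []):
                for account in rule.get("TargetAccounts", []):
                    if account not in trusted:
                        findings.append((policy["PolicyId"], sched.get("Name"), account))
    return findings

def untrusted_peerings(peerings, trusted=TRUSTED_ACCOUNTS):
    """Return (pcx_id, status, owner) for live peerings with unknown owners."""
    dead = {"deleted", "rejected", "failed", "expired"}
    findings = []
    for pcx in peerings:
        status = pcx.get("Status", {}).get("Code")
        if status in dead:
            continue  # connection no longer routes traffic
        for side in ("RequesterVpcInfo", "AccepterVpcInfo"):
            owner = pcx.get(side, {}).get("OwnerId")
            if owner and owner not in trusted:
                findings.append((pcx["VpcPeeringConnectionId"], status, owner))
    return findings
```

To run it against a real account, pass in the `Policy` objects from `aws dlm get-lifecycle-policy` and the `VpcPeeringConnections` list from `aws ec2 describe-vpc-peering-connections`, loaded with `json.load`.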