Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added note about a niche credential exfiltration GuardDuty bypass #115

Merged
merged 1 commit into from
Jan 23, 2022
Merged

Added note about a niche credential exfiltration GuardDuty bypass #115

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion content/aws/avoiding-detection/steal-keys-undetected.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,4 +14,7 @@ On January 20th 2022, AWS released a new GuardDuty finding called [UnauthorizedA

However, there is currently a functioning bypass for this - [VPC Endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints.html). Using VPC Endpoints will not trigger the GuardDuty alert. What this means is that, as an attacker, `if you steal IAM credentials from an EC2 instance, you can use those credentials from your own EC2 instance while routing traffic through VPC Endpoints. This will not trigger the GuardDuty finding`.

To make this setup faster (and easier) for Penetration Testers and Red Teamers, [SneakyEndpoints](https://github.com/Frichetten/SneakyEndpoints) was created. This project has all the Terraform configurations necessary to spin up an environment to attack from. It will create an EC2 instance in a private subnet (no internet access) and create a number of VPC Endpoints for you to use. This setup ensures we don't accidentally expose ourselves and trigger the alert.
To make this setup faster (and easier) for Penetration Testers and Red Teamers, [SneakyEndpoints](https://github.com/Frichetten/SneakyEndpoints) was created. This project has all the Terraform configurations necessary to spin up an environment to attack from. It will create an EC2 instance in a private subnet (no internet access) and create a number of VPC Endpoints for you to use. This setup ensures we don't accidentally expose ourselves and trigger the alert.

!!! Note
There is another bypass option, however, it would only be useful in niche scenarios. The InstanceCredentialExfiltration finding is only tied to the AWS account, not the EC2 instance. As a result, if you compromise an EC2 instance in the target account and then compromise OTHER EC2 instances in the account, or steal their IAM credentials, you can safely use them from the initially compromised instance without fear of triggering GuardDuty.