added console login without mfa attack technique
1 parent
6b54757
commit c70fd16
Showing
8 changed files
with
248 additions
and
15 deletions.
@@ -0,0 +1,16 @@ | ||
# Security Policy | ||
|
||
## Supported Versions | ||
|
||
Use this section to tell people about which versions of your project are | ||
currently being supported with security updates. | ||
|
||
| Version | Supported | | ||
| ------- | ------------------ | | ||
| 2.x | :white_check_mark: | | ||
| 1.x | :x: | | ||
|
||
|
||
## Reporting a Vulnerability | ||
|
||
E-mail [email protected] |
93 changes: 93 additions & 0 deletions
93
attack-techniques/aws/initial-access/console-login-without-mfa/attack.tf
@@ -1,4 +1,97 @@ | ||
data "google_service_account" "workflows-to-cloudrun-sa" { | ||
account_id = "workflows-to-cloudrun-sa" | ||
|
||
} | ||
|
||
resource "google_workflows_workflow" "workflow_to_invoke_aws_console_login_without_mfa_attack" { | ||
name = "aws-console-login-without-mfa-srt" | ||
description = "A workflow intended to match the functionality of the Status Red Team attack technique 'AWS Console Login without MFA': https://stratus-red-team.cloud/attack-techniques/AWS/aws.initial-access.console-login-without-mfa/" | ||
service_account = data.google_service_account.workflows-to-cloudrun-sa.id | ||
project = var.projectId | ||
source_contents = <<-EOF | ||
###################################################################################### | ||
## Attack Description | ||
###################################################################################### | ||
## Simulates a login to the AWS Console for an IAM user without multi-factor authentication (MFA). | ||
## This workflow inspired by: https://naikordian.github.io/blog/posts/brute-force-aws-console/ | ||
##################################################################################### | ||
## Input | ||
###################################################################################### | ||
### None | ||
###################################################################################### | ||
## User Agent | ||
###################################################################################### | ||
#### Workflow executes with the User-Agent string: "AWS-Console-Login-Without-MFA-WORKFLOWEXECUTIONID" | ||
###################################################################################### | ||
## Main Workflow Execution | ||
###################################################################################### | ||
main: | ||
steps: | ||
- ConsoleLoginWithoutMFA: | ||
call: ConsoleLoginWithoutMFA | ||
result: response | ||
- return: | ||
return: $${response} | ||
###################################################################################### | ||
## Submodules | Sub-Workflows | ||
###################################################################################### | ||
ConsoleLoginWithoutMFA: | ||
steps: | ||
- ConsoleLoginWithoutMFA: | ||
call: http.post | ||
args: | ||
url: 'https://signin.aws.amazon.com/authenticate' | ||
headers: | ||
User-Agent: '"AWS-Console-Login-Without-MFA-"+sys.get_env("GOOGLE_CLOUD_WORKFLOW_EXECUTION_ID")}' | ||
Referer: 'https://signin.aws.amazon.com' | ||
Origin: https://signin.aws.amazon.com | ||
Content-Type: application/x-www-form-urlencoded | ||
Host: signin.aws.amazon.com | ||
body: | ||
action: "iam-user-authentication" | ||
account: "${data.aws_caller_identity.current.account_id}" | ||
username: "${aws_iam_user.console-user.name}" | ||
password: "${aws_iam_user_login_profile.login-profile.password}" | ||
client_id: "arn:aws:signin:::console/canvas" | ||
redirect_uri: "https://console.aws.amazon.com/console/home" | ||
result: response | ||
- handle_result: | ||
switch: | ||
- condition: $${response.code == 200} | ||
next: returnValidation | ||
- condition: $${response.body.properties.result == "MFA"} | ||
next: MFA | ||
- condition: $${response.codee == 400} | ||
next: error | ||
- returnValidation: | ||
return: | ||
- $${response.code} | ||
- $${response.body} | ||
- "SUCCESS - AWS Console Login without MFA" | ||
- MFA: | ||
return: | ||
- $${response.code} | ||
- $${response.body} | ||
- "FAILURE - AWS Console Login without MFA | User had MFA enabled" | ||
- error: | ||
return: | ||
- $${response.code} | ||
- $${response.body} | ||
- "FAILURE - AWS Console Login without MFA" | ||
EOF | ||
|
||
} |
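Review bot: The `User-Agent` header on the http.post call is a YAML string literal rather than a Workflows expression — it is wrapped in single quotes with no `$${` opener but a trailing `}` — so the request carries the text `"AWS-Console-Login-Without-MFA-"+sys.get_env(...)}` verbatim instead of the execution-id-tagged agent that the header comment promises; `User-Agent: $${"AWS-Console-Login-Without-MFA-" + sys.get_env("GOOGLE_CLOUD_WORKFLOW_EXECUTION_ID")}` restores the tag that lets a CloudTrail analyst attribute the login to this simulation. In handle_result the third condition reads `response.codee`, which never equals 400; it should be `$${response.code == 400}`. Note too that Workflows' http.post raises an exception on non-2xx responses unless the call is wrapped in try/except, so the MFA and error branches are probably unreachable as written — worth confirming before relying on the FAILURE return values. The description string also misspells 'Stratus Red Team' as 'Status Red Team'.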
@@ -0,0 +1,35 @@ | ||
data "aws_caller_identity" "current" {} | ||
|
||
resource "random_string" "suffix" { | ||
length = 10 | ||
min_lower = 10 | ||
special = false | ||
} | ||
|
||
locals { | ||
resource_prefix = "derf-login-user" | ||
} | ||
|
||
resource "aws_iam_user" "console-user" { | ||
name = "${local.resource_prefix}-${random_string.suffix.result}" | ||
force_destroy = true | ||
} | ||
|
||
// Allows the IAM user to authenticate through the AWS Console | ||
resource "aws_iam_user_login_profile" "login-profile" { | ||
user = aws_iam_user.console-user.name | ||
password_length = 16 | ||
password_reset_required = false | ||
} | ||
|
||
output "account_id" { | ||
value = data.aws_caller_identity.current.account_id | ||
} | ||
|
||
output "username" { | ||
value = aws_iam_user.console-user.name | ||
} | ||
|
||
output "password" { | ||
value = aws_iam_user_login_profile.login-profile.password | ||
} |
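Review bot: The `output "password"` block at the end of the hunk publishes the IAM user's console password as a plain output, so `terraform apply` prints it to the terminal and it lands in any CI/CD job log, a wider exposure than the state file it already lives in; mark it `sensitive = true` so Terraform redacts it in CLI output while an operator can still retrieve it deliberately with `terraform output -raw password`. Since `account_id` and `username` complete the credential set, consider marking `username` sensitive as well. The `password_reset_required = false` and `force_destroy = true` settings are needed for the simulated login and for clean-up respectively and look fine as written.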
49 changes: 49 additions & 0 deletions
49
docs/attack-techniques/aws/aws-console-login-without-mfa.md
@@ -0,0 +1,49 @@ | ||
--- | ||
title: Console Login without MFA | ||
--- | ||
|
||
# Console Login without MFA | ||
|
||
|
||
Platform: AWS | ||
|
||
## MITRE ATT&CK Tactics | ||
|
||
|
||
- Initial Access | ||
|
||
## Description | ||
|
||
|
||
Simulates a login to the AWS Console for an IAM user without multi-factor authentication (MFA). | ||
|
||
#### Attacker Actions: | ||
|
||
- Logs into the AWS Console with a User that does not have MFA enabled. | ||
- Resulting event name: `ConsoleLogin` | ||
- Assigned IAM Permission: NOne | ||
|
||
#### Workflow Inputs: | ||
# None | ||
|
||
|
||
#### Clean Up: | ||
# None | ||
|
||
## Execution Instructions | ||
|
||
- See User Guide for Execution Instructions via the Google Cloud Console | ||
- Programmatically execute this workflow with the following cli command: | ||
|
||
``` | ||
gcloud workflows run aws-delete-cloudtrail-trail `--data={"user": "user01"}` | ||
``` | ||
|
||
|
||
## Detection Artifacts | ||
|
||
|
||
Using CloudTrail `ConsoleLogin`` event. The field `additionalEventData.MFAUse`r is set to No when the IAM User did not use MFA to log into the console. | ||
|
||
Note that for failed console authentication events, the field userIdentity.arn is not set (see https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html#cloudtrail-aws-console-sign-in-events-iam-user-failure). | ||
|