Everything ~ Cloud Security

Lab 3: Attacking the Cloud Account

Lab 3: Attacking the Cloud Account

Goodycyb's photo
Goodycyb
·

3 min read

Table of contents

Lab Objective

  • You will act as an attacker in the following ways to generate log data, which will help build your detection and automation:

Challenge 1: Perform ATT&CK Technique T1619 (Cloud Storage Object Discovery)

Using either the AWS Management Console or the AWS CLI to perform reconnaissance (discovery) of the S3 buckets in the AWS Account. You will find out that one file contains some interesting data that an attacker may be tempted to download.

Assuming the Attacker is using the AWS Management Console.

  • He/she will navigate to the storage service (Amazon S3) console, and among the S3 buckets, the bucket name databackup - 18119*****53 looks interesting to view.

  • On clicking on the Bucket name databackup - 18********53 , the object within the bucket password-backup.txt looks enticing because it might contain secret passphrases to accounts that the attacker can use for malicious purposes.

Assuming the Attacker is using AWS CLI to perform reconnaissance

  • Navigate to AWS CloudShell and run the command to view the list of S3 buckets in the AWS Account.
aws s3api list-buckets

press q to exit.

  • From the listed buckets cloudlogs-$AcctNum and databackup-$AcctNum . To check the contents within the buckets for databackup-$AcctNum which looks interesting to view, run the command.
BUCKET=$(aws s3api list-buckets | jq -r \
  '.Buckets[] | select(.Name | startswith("databackup-")) | .Name')
aws s3 ls s3://$BUCKET/

To view the content (object) for cloudlogs-$AcctNum , replace databackup- with cloudlogs- In the above code

Challenge 2: Perform ATT&CK Technique T1530 (Data from Cloud Storage)

Having discovered compelling content within the databackup-$AcctNum bucket, the attacker will attempt to download the files. This mirrors the attack approach used by the threat group Fox Kitten to exfiltrate files from targeted cloud storage instances.

The attacker might download the files either via the AWS management console or AWS CLI

Assuming the Attacker is using AWS CLI

The attacker can use aws s3 cp or aws s3 sync operations to download data from the S3 bucket.

  • Use the cp command to copy the txt file to the home directory
# Command to Copy file to home directory
aws s3 cp s3://$BUCKET/password-backup.txt /home/cloudshell-user/password-backup.txt

  • Use the command ls to list content in the current working directory.

  • Use the sync command to download the Txt file to the home directory.
#Command to download file to home directory
aws s3 sync s3://$BUCKET/password-backup.txt /home/cloudshell-user/password-backup.txt

Great job! You've successfully simulated an attacker's actions of discovering a file they're interested in, downloading it, and then examining its contents.

Having successfully located and retrieved the honey file, the upcoming exercise will delve into methods for recognizing this access.

Did you find this article valuable?

Support Goodycyb by becoming a sponsor. Any amount is appreciated!

AWSaws cliAWS s3HoneypotAWS Community Builder