AWS Cloud Detection Lab II: Emulation of APT attacks with Stratus Red Team tool

~ goody
9 min read · May 31, 2024


In the previous blog post, ‘Cloud Pen-testing with Stratus Red Team tool,’ we discussed the concept and installation guide for the Stratus Red Team tool. We explained how defenders can better utilize this tool to understand and combat real-world adversaries.

This blog post covers how to emulate several APT attack techniques with Stratus Red Team and then use Amazon Athena SQL queries over CloudTrail logs to identify the progression of the APT activity.

Case-Scenario ☸️

During the emulation assessment of Huge Logistics’ AWS environment, they provided us with an IAM User Programmatic Access Key that has Administrator Access Permission to their AWS security-testing sandbox account. To ensure effective threat detection of APT attack techniques in their environment, we first requested that CloudTrail Logs be enabled and then used the Amazon Athena service to write SQL detection logic for identifying APT activities.

  • Navigate to the CloudTrail service and create a quick trail (give it a name).
  • The security team provided us with the IAM user's programmatic access key.

Create an IAM user with programmatic access only, then configure the access key in the AWS CLI.

Configure the access key in the AWS CLI: check this walkthrough to set up yours.

APT Attack Emulation on Huge Logistics AWS Account

When executed, each of the following Stratus Red Team commands emulates one APT technique against the AWS account:

  • The command stratus detonate aws.persistence.iam-create-admin-user creates an IAM user with the AdministratorAccess policy attached.
  • The command stratus detonate aws.persistence.iam-backdoor-user creates an access key for an existing IAM user.
  • The command stratus detonate aws.persistence.iam-backdoor-role creates a backdoor IAM role that an attacker can assume to maintain persistence in the AWS account.
  • The command stratus detonate aws.execution.ec2-launch-unusual-instances attempts to launch several unusual EC2 instances (e.g. p2.xlarge).
  • The command stratus detonate aws.exfiltration.ec2-share-ebs-snapshot exfiltrates an EBS snapshot by sharing it with an external account.
  • The command stratus detonate aws.exfiltration.ec2-security-group-open-port-22-ingress opens ingress traffic on port 22 from the Internet (0.0.0.0/0).
  • The command stratus detonate aws.defense-evasion.cloudtrail-stop stops a CloudTrail trail from logging.
  • The command stratus detonate aws.defense-evasion.cloudtrail-delete deletes a CloudTrail trail.

Stop CloudTrail

  • Navigate to the CloudTrail trail “Huge-Logistics-Management-Events” and click the Stop Logging button to pause logging to the S3 bucket.

Clean Up all attack techniques

  • Run the command stratus status to view the techniques that were detonated (executed).
  • Run the command stratus cleanup --all to clean up all techniques executed in the Huge Logistics AWS live environment.

Analyzing CloudTrail Logs For APT activities ⚖️🕵️‍♂️

Next, we will use the Amazon Athena service to analyze the CloudTrail logs and understand the APT attack phases using the MITRE ATT&CK framework.

  • Navigate to the Amazon Athena service ⇒ click the “Explore the query editor” button.
  • On the Query Editor page, click the “Edit Settings” button.
  • On the Manage settings page, click the “Browse S3” button and select the S3 location where the CloudTrail logs are stored.
  • Then click the Save button.

Create Athena table for a CloudTrail trail 🚀🪵

  • Copy and paste the code below into the query editor and click the Run button to create a table from the CloudTrail logs. Replace the last line (LOCATION) with your own bucket details, in the form LOCATION 's3://CloudTrail_bucket_name/AWSLogs/Account_ID/CloudTrail/';

CREATE EXTERNAL TABLE cloudtrail_logs (
eventversion STRING,
useridentity STRUCT<
type:STRING,
principalid:STRING,
arn:STRING,
accountid:STRING,
invokedby:STRING,
accesskeyid:STRING,
userName:STRING,
sessioncontext:STRUCT<
attributes:STRUCT<
mfaauthenticated:STRING,
creationdate:STRING>,
sessionissuer:STRUCT<
type:STRING,
principalId:STRING,
arn:STRING,
accountId:STRING,
userName:STRING>>>,
eventtime STRING,
eventsource STRING,
eventname STRING,
awsregion STRING,
sourceipaddress STRING,
useragent STRING,
errorcode STRING,
errormessage STRING,
requestparameters STRING,
responseelements STRING,
additionaleventdata STRING,
requestid STRING,
eventid STRING,
resources ARRAY<STRUCT<
ARN:STRING,
accountId:STRING,
type:STRING>>,
eventtype STRING,
apiversion STRING,
readonly STRING,
recipientaccountid STRING,
serviceeventdetails STRING,
sharedeventid STRING,
vpcendpointid STRING
)
ROW FORMAT SERDE 'org.apache.hive.hcatalog.data.JsonSerDe'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://aws-cloudtrail-logs-11*********6-85c87db6/AWSLogs/11*********6/CloudTrail/';

Change the last line of the code (LOCATION) to your own S3 CloudTrail path before running it.

The Athena Table is Successfully Created

Overview of dataset

  • Run the SQL code to view the dataset generated in CloudTrail for a specific region.
SELECT *
FROM cloudtrail_logs
WHERE awsregion = 'eu-west-1';

Investigation of APT activities 🧬🔀🔍🔎

  • Run the SQL code to identify the IAM user created with admin access.
WITH CreateUserEvents AS (
SELECT
eventTime,
eventName,
userIdentity.arn AS userArn,
json_extract_scalar(requestParameters, '$.userName') AS createdUserName
FROM cloudtrail_logs
WHERE eventName = 'CreateUser'
),
AttachPolicyEvents AS (
SELECT
eventTime,
eventName,
json_extract_scalar(requestParameters, '$.userName') AS attachedUserName,
json_extract_scalar(requestParameters, '$.policyArn') AS policyArn
FROM cloudtrail_logs
WHERE eventName = 'AttachUserPolicy'
AND json_extract_scalar(requestParameters, '$.policyArn') LIKE '%AdministratorAccess%'
)
SELECT
c.userArn,
c.createdUserName,
a.policyArn,
c.eventTime AS createTime,
a.eventTime AS attachTime
FROM CreateUserEvents c
JOIN AttachPolicyEvents a ON c.createdUserName = a.attachedUserName

  • Run the SQL code to identify the creation of an access key for an IAM user.
SELECT
eventtime,
eventsource,
eventname,
useridentity.arn AS user_arn,
useridentity.userName AS user_name,
sourceipaddress,
useragent
FROM cloudtrail_logs
WHERE eventname = 'CreateAccessKey'
ORDER BY eventtime DESC;

  • Run the SQL code to identify the threat actor's creation of a backdoor IAM role.
SELECT
eventTime,
eventName,
userIdentity.arn AS userArn,
userIdentity.userName AS userName,
json_extract_scalar(requestParameters, '$.roleName') AS roleName,
json_extract_scalar(requestParameters, '$.policyDocument') AS updatedPolicyDocument,
sourceIPAddress,
userAgent
FROM cloudtrail_logs
WHERE eventName = 'UpdateAssumeRolePolicy'
ORDER BY eventTime DESC;

  • Run the SQL code to identify attempts to launch unusual EC2 instances.
SELECT
eventTime,
eventName,
eventSource,
userIdentity.accountId AS accountId,
userIdentity.userName AS userName,
json_extract_scalar(requestParameters, '$.instanceType') AS attemptedInstanceType,
errorCode,
errorMessage,
sourceIPAddress,
userAgent
FROM
cloudtrail_logs
WHERE
eventName = 'RunInstances'
AND eventSource = 'ec2.amazonaws.com'
AND errorCode = 'Client.UnauthorizedOperation'
ORDER BY
eventTime DESC;

  • Run the SQL code to identify exfiltration of an EBS snapshot by sharing it with an external account.
SELECT
eventTime,
eventName,
userIdentity.accountId AS attackerAccountId,
recipientAccountId AS victimAccountId,
json_extract_scalar(requestParameters, '$.snapshotId') AS snapshotId,
CASE
WHEN json_extract_scalar(requestParameters, '$.createVolumePermission.add.items[0].group') = 'all' THEN 'Public'
WHEN json_extract_scalar(requestParameters, '$.createVolumePermission.add.items[0].userId') IS NOT NULL THEN 'Shared with Specific Account'
ELSE 'Unknown Modification'
END AS shareType,
sourceIPAddress,
userAgent
FROM cloudtrail_logs
WHERE eventName = 'ModifySnapshotAttribute'
AND (
json_extract_scalar(requestParameters, '$.createVolumePermission.add.items[0].group') = 'all'
OR json_extract_scalar(requestParameters, '$.createVolumePermission.add.items[0].userId') IS NOT NULL
)
ORDER BY eventTime DESC;

  • Run the SQL code to identify ingress on port 22 opened to the Internet on a security group.
SELECT
eventTime,
eventName,
useridentity.accountId AS accountId,
useridentity.username AS userName,
json_extract_scalar(json_parse(requestparameters), '$.groupId') AS groupId,
'tcp' AS ipProtocol,
CAST(json_extract_scalar(json_parse(requestparameters), '$.fromPort') AS INTEGER) AS fromPort,
CAST(json_extract_scalar(json_parse(requestparameters), '$.toPort') AS INTEGER) AS toPort,
json_extract_scalar(json_parse(requestparameters), '$.cidrIp') AS cidrIp,
sourceIPAddress,
userAgent
FROM
cloudtrail_logs
WHERE
eventName = 'AuthorizeSecurityGroupIngress'
AND (
CAST(json_extract_scalar(json_parse(requestparameters), '$.fromPort') AS INTEGER) = 22
OR CAST(json_extract_scalar(json_parse(requestparameters), '$.toPort') AS INTEGER) = 22
)
AND json_extract_scalar(json_parse(requestparameters), '$.cidrIp') = '0.0.0.0/0'
ORDER BY
eventTime DESC;

  • Run the SQL code to identify the event where logging was disabled.
SELECT
eventTime,
eventName,
userIdentity.accountId AS accountId,
userIdentity.userName AS userName,
sourceIPAddress,
userAgent,
requestParameters,
responseElements,
awsRegion
FROM
cloudtrail_logs
WHERE
eventName = 'StopLogging'
ORDER BY
eventTime DESC;

  • Run the SQL code to identify the deletion of CloudTrail trails.
SELECT
eventTime,
eventName,
userIdentity.accountId AS accountId,
userIdentity.userName AS userName,
sourceIPAddress,
userAgent,
requestParameters AS trailDetails,
awsRegion
FROM
cloudtrail_logs
WHERE
eventName = 'DeleteTrail'
ORDER BY
eventTime DESC;
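To test the detection logic locally before running it against a full CloudTrail dataset, here is an added Python example (not from the original post or the Stratus Red Team project) that applies two of the queries above, the CreateUser/AttachUserPolicy join and the ModifySnapshotAttribute share-type classification, to constructed CloudTrail records; the account IDs, user names and snapshot ID are made-up sample values.

```python
import json

# Constructed sample records in CloudTrail's JSON layout (all values are made up).
SAMPLE_RECORDS = json.loads("""{"Records": [
 {"eventTime": "2024-05-31T10:00:01Z", "eventName": "CreateUser",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/pentester"},
  "requestParameters": {"userName": "backdoor-admin"}},
 {"eventTime": "2024-05-31T10:00:02Z", "eventName": "AttachUserPolicy",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/pentester"},
  "requestParameters": {"userName": "backdoor-admin",
                        "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
 {"eventTime": "2024-05-31T10:05:00Z", "eventName": "ModifySnapshotAttribute",
  "userIdentity": {"accountId": "111111111111"}, "recipientAccountId": "111111111111",
  "requestParameters": {"snapshotId": "snap-0123456789abcdef0",
                        "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}}
]}""")["Records"]


def admin_users_created(records):
    """Mirror the CreateUserEvents/AttachPolicyEvents join: return
    {createdUserName: policyArn} for users created in this dataset that were
    then attached an AdministratorAccess policy."""
    created = {r["requestParameters"]["userName"]
               for r in records if r["eventName"] == "CreateUser"}
    hits = {}
    for r in records:
        if r["eventName"] != "AttachUserPolicy":
            continue
        params = r["requestParameters"]
        policy = params.get("policyArn", "")
        if "AdministratorAccess" in policy and params.get("userName") in created:
            hits[params["userName"]] = policy
    return hits


def snapshot_share_type(record):
    """Mirror the CASE expression of the ModifySnapshotAttribute query, reading
    createVolumePermission.add.items[0] the way json_extract_scalar does."""
    items = (record.get("requestParameters", {})
             .get("createVolumePermission", {}).get("add", {}).get("items", []))
    first = items[0] if items else {}
    if first.get("group") == "all":
        return "Public"
    if first.get("userId"):
        return "Shared with Specific Account"
    return "Unknown Modification"


if __name__ == "__main__":
    print(admin_users_created(SAMPLE_RECORDS))
    for r in SAMPLE_RECORDS:
        if r["eventName"] == "ModifySnapshotAttribute":
            print(r["requestParameters"]["snapshotId"], snapshot_share_type(r))
```

Like the Athena join, admin_users_created only flags users whose CreateUser event is in the same dataset, so AdministratorAccess attached to a pre-existing user needs the AttachPolicyEvents CTE run on its own.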

Mapping APT to MITRE ATT&CK

The emulation assessment conducted on Huge Logistics’ AWS sandbox account demonstrates how Advanced Persistent Threat (APT) actors employ various techniques to compromise their targets.

The table below illustrates the mapping of the emulation attack scenarios performed to the MITRE ATT&CK Cloud Matrix, which enables security teams to enhance their detection and response capabilities.

The Cloud Matrix categorizes the attack methodologies seen against cloud services, making it easier for security teams to tailor their defenses to the unique challenges of securing cloud resources.

[Table: MITRE ATT&CK Cloud Matrix mapping of the emulated techniques]

The above mapping reveals that the ‘Persistence’ and ‘Privilege Escalation’ tactics are commonly used early in an attack by APT actors, often involving the establishment of an administrative IAM user and access key.

Additionally, ‘Exfiltration’ frequently occurs during the privilege escalation and defense evasion stages, particularly through the sharing of EBS snapshots. Furthermore, the ‘Defense Evasion’ tactic, specifically the stopping and deletion of CloudTrail trails, was observed during the impact phase of the attacks. These observations suggest that APT actors often seek to secure and escalate privileges at the onset of their attacks, maintain persistence, and evade detection.

Conclusion

Organizations and cyber-defenders should adopt the MITRE ATT&CK Cloud Matrix Framework to understand Advanced Persistent Threats (APTs) more effectively and develop stronger defense mechanisms. This framework serves as a comprehensive guide for recognizing and responding to tactics, techniques, and procedures (TTPs) employed by attackers in cloud environments.

By integrating the MITRE ATT&CK Cloud Matrix into their security strategies, cyber-defenders and the organization’s security team can gain insights into specific attack vectors and potential vulnerabilities within cloud services and infrastructure. This approach not only helps in identifying real-time threats but also in anticipating future attacks based on observed patterns.
