New attack technique: Persistence through federation (#604)
* add persistence sts federation token technique

* add documentation for sts federation token technique

* Cosmetic changes + logging improvements

* Add delay for eventual consistency

* terraform fmt

---------

Co-authored-by: Christophe Tafani-Dereeper <[email protected]>
adanalvarez and christophetd authored Dec 4, 2024
1 parent a912e7f commit d57c508
Showing 8 changed files with 457 additions and 0 deletions.
158 changes: 158 additions & 0 deletions docs/attack-techniques/AWS/aws.persistence.sts-federation-token.md
@@ -0,0 +1,158 @@
---
title: Generate temporary AWS credentials using GetFederationToken
---

# Generate temporary AWS credentials using GetFederationToken


<span class="smallcaps w3-badge w3-blue w3-round w3-text-white" title="This attack technique can be detonated multiple times">idempotent</span>

Platform: AWS

## MITRE ATT&CK Tactics


- Persistence

## Description


Establishes persistence by generating new AWS temporary credentials through <code>sts:GetFederationToken</code>. The resulting credentials remain functional even if the original access keys are disabled.

<span style="font-variant: small-caps;">Warm-up</span>:

- Create an IAM user and generate a pair of access keys.

<span style="font-variant: small-caps;">Detonation</span>:

- Use the access keys from the IAM user to request temporary security credentials via <code>sts:GetFederationToken</code>.
- Call <code>sts:GetCallerIdentity</code> using these new credentials.

References:

- https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html
- https://www.crowdstrike.com/en-us/blog/how-adversaries-persist-with-aws-user-federation/
- https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf


## Instructions

```bash title="Detonate with Stratus Red Team"
stratus detonate aws.persistence.sts-federation-token
```
## Detection


Through CloudTrail's <code>GetFederationToken</code> event.



## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>

The following CloudTrail events are generated when this technique is detonated[^1]:


- `sts:GetCallerIdentity`

- `sts:GetFederationToken`


??? "View raw detonation logs"

```json hl_lines="6 51"

[
{
"awsRegion": "ap-isob-east-1r",
"eventCategory": "Management",
"eventID": "6e882b9d-2af8-4c67-b91f-aeac6a0e5e70",
"eventName": "GetFederationToken",
"eventSource": "sts.amazonaws.com",
"eventTime": "2024-11-30T08:43:17Z",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"readOnly": false,
"recipientAccountId": "742491224508",
"requestID": "e2de7fd1-2a86-4837-b15a-96fff1388061",
"requestParameters": {
"name": "stratus_red_team",
"policy": "{\n\t\t\"Version\": \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": \"Allow\",\n\t\t\t\t\"Action\": \"*\",\n\t\t\t\t\"Resource\": \"*\"\n\t\t\t}\n\t\t]\n\t}"
},
"responseElements": {
"credentials": {
"accessKeyId": "ASIASTJKC5GCM7ZE6LUP",
"expiration": "Nov 30, 2024, 8:43:17 PM",
"sessionToken": "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"
},
"federatedUser": {
"arn": "arn:aws:sts::742491224508:federated-user/stratus_red_team",
"federatedUserId": "742491224508:stratus_red_team"
},
"packedPolicySize": 4
},
"sourceIPAddress": "255.090.254.5",
"tlsDetails": {
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "sts.ap-isob-east-1r.amazonaws.com",
"tlsVersion": "TLSv1.3"
},
"userAgent": "aws-sdk-go-v2/1.32.3 os/linux lang/go#1.23.1 md/GOOS#linux md/GOARCH#amd64 exec-env/grimoire_095724e3-1fa0-4e3e-b68a-e8581d194380 api/sts#1.26.2",
"userIdentity": {
"accessKeyId": "AKIA6V1GNZTT65XQH36M",
"accountId": "742491224508",
"arn": "arn:aws:iam::742491224508:user/stratus-red-team-user-federation-user",
"principalId": "AIDAN7SEM6PEVTNQR8M4",
"type": "IAMUser",
"userName": "stratus-red-team-user-federation-user"
}
},
{
"awsRegion": "ap-isob-east-1r",
"eventCategory": "Management",
"eventID": "91529247-c4c4-4793-afc8-d70bbcfe9d19",
"eventName": "GetCallerIdentity",
"eventSource": "sts.amazonaws.com",
"eventTime": "2024-11-30T08:43:18Z",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"readOnly": true,
"recipientAccountId": "742491224508",
"requestID": "037be419-9e9f-42e0-a38f-2a5d2ae1ce65",
"requestParameters": null,
"responseElements": null,
"sourceIPAddress": "255.090.254.5",
"tlsDetails": {
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "sts.ap-isob-east-1r.amazonaws.com",
"tlsVersion": "TLSv1.3"
},
"userAgent": "aws-sdk-go-v2/1.32.3 os/linux lang/go#1.23.1 md/GOOS#linux md/GOARCH#amd64 exec-env/grimoire_095724e3-1fa0-4e3e-b68a-e8581d194380 api/sts#1.26.2",
"userIdentity": {
"accessKeyId": "ASIASTJKC5GCM7ZE6LUP",
"accountId": "742491224508",
"arn": "arn:aws:sts::742491224508:federated-user/stratus_red_team",
"principalId": "742491224508:stratus_red_team",
"sessionContext": {
"attributes": {
"creationDate": "2024-11-30T08:43:17Z",
"mfaAuthenticated": "false"
},
"sessionIssuer": {
"accountId": "742491224508",
"arn": "arn:aws:iam::742491224508:user/stratus-red-team-user-federation-user",
"principalId": "AIDAN7SEM6PEVTNQR8M4",
"type": "IAMUser",
"userName": "stratus-red-team-user-federation-user"
},
"webIdFederationData": {}
},
"type": "FederatedUser"
}
}
]
```

[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker).
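Review bot: the Detection section (`Through CloudTrail's GetFederationToken event.`) is thinner than the logs embedded in this same file allow. Suggest naming the fields a rule should key on: `"eventName": "GetFederationToken"` combined with `"type": "IAMUser"` in `userIdentity` (legitimate federation brokers are normally a small, known set of principals), with a `requestParameters.policy` granting `"Action": "*"` and `"Resource": "*"` as the high-signal variant shown here. It is also worth stating that follow-on activity by the new credentials is logged with `"type": "FederatedUser"` and a `sessionContext.sessionIssuer` block that points back at the originating IAM user and its `AKIA...` key, which is how a responder pivots from the federated-user ARN to the compromised key. Separately, the Description says the credentials survive disabling the original access keys but not how long they live or what does cut them off; the sample shows an `expiration` 12 hours after `eventTime`, so a sentence on credential lifetime and on revoking a live federated session would make the mitigation actionable.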
2 changes: 2 additions & 0 deletions docs/attack-techniques/AWS/index.md
@@ -110,6 +110,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT

- [Create an IAM Roles Anywhere trust anchor](./aws.persistence.rolesanywhere-create-trust-anchor.md)

- [Generate temporary AWS credentials using GetFederationToken](./aws.persistence.sts-federation-token.md)


## Privilege Escalation

1 change: 1 addition & 0 deletions docs/attack-techniques/list.md
@@ -49,6 +49,7 @@ This page contains the list of all Stratus Attack Techniques.
| [Add a Malicious Lambda Extension](./AWS/aws.persistence.lambda-layer-extension.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
| [Overwrite Lambda Function Code](./AWS/aws.persistence.lambda-overwrite-code.md) | [AWS](./AWS/index.md) | Persistence |
| [Create an IAM Roles Anywhere trust anchor](./AWS/aws.persistence.rolesanywhere-create-trust-anchor.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
| [Generate temporary AWS credentials using GetFederationToken](./AWS/aws.persistence.sts-federation-token.md) | [AWS](./AWS/index.md) | Persistence |
| [Change IAM user password](./AWS/aws.privilege-escalation.iam-update-user-login-profile.md) | [AWS](./AWS/index.md) | Privilege Escalation |
| [Execute Command on Virtual Machine using Custom Script Extension](./azure/azure.execution.vm-custom-script-extension.md) | [Azure](./azure/index.md) | Execution |
| [Execute Commands on Virtual Machine using Run Command](./azure/azure.execution.vm-run-command.md) | [Azure](./azure/index.md) | Execution |
91 changes: 91 additions & 0 deletions docs/detonation-logs/aws.persistence.sts-federation-token.json
@@ -0,0 +1,91 @@
[
{
"awsRegion": "ap-isob-east-1r",
"eventCategory": "Management",
"eventID": "6e882b9d-2af8-4c67-b91f-aeac6a0e5e70",
"eventName": "GetFederationToken",
"eventSource": "sts.amazonaws.com",
"eventTime": "2024-11-30T08:43:17Z",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"readOnly": false,
"recipientAccountId": "742491224508",
"requestID": "e2de7fd1-2a86-4837-b15a-96fff1388061",
"requestParameters": {
"name": "stratus_red_team",
"policy": "{\n\t\t\"Version\": \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": \"Allow\",\n\t\t\t\t\"Action\": \"*\",\n\t\t\t\t\"Resource\": \"*\"\n\t\t\t}\n\t\t]\n\t}"
},
"responseElements": {
"credentials": {
"accessKeyId": "ASIASTJKC5GCM7ZE6LUP",
"expiration": "Nov 30, 2024, 8:43:17 PM",
"sessionToken": "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"
},
"federatedUser": {
"arn": "arn:aws:sts::742491224508:federated-user/stratus_red_team",
"federatedUserId": "742491224508:stratus_red_team"
},
"packedPolicySize": 4
},
"sourceIPAddress": "255.090.254.5",
"tlsDetails": {
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "sts.ap-isob-east-1r.amazonaws.com",
"tlsVersion": "TLSv1.3"
},
"userAgent": "aws-sdk-go-v2/1.32.3 os/linux lang/go#1.23.1 md/GOOS#linux md/GOARCH#amd64 exec-env/grimoire_095724e3-1fa0-4e3e-b68a-e8581d194380 api/sts#1.26.2",
"userIdentity": {
"accessKeyId": "AKIA6V1GNZTT65XQH36M",
"accountId": "742491224508",
"arn": "arn:aws:iam::742491224508:user/stratus-red-team-user-federation-user",
"principalId": "AIDAN7SEM6PEVTNQR8M4",
"type": "IAMUser",
"userName": "stratus-red-team-user-federation-user"
}
},
{
"awsRegion": "ap-isob-east-1r",
"eventCategory": "Management",
"eventID": "91529247-c4c4-4793-afc8-d70bbcfe9d19",
"eventName": "GetCallerIdentity",
"eventSource": "sts.amazonaws.com",
"eventTime": "2024-11-30T08:43:18Z",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"readOnly": true,
"recipientAccountId": "742491224508",
"requestID": "037be419-9e9f-42e0-a38f-2a5d2ae1ce65",
"requestParameters": null,
"responseElements": null,
"sourceIPAddress": "255.090.254.5",
"tlsDetails": {
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "sts.ap-isob-east-1r.amazonaws.com",
"tlsVersion": "TLSv1.3"
},
"userAgent": "aws-sdk-go-v2/1.32.3 os/linux lang/go#1.23.1 md/GOOS#linux md/GOARCH#amd64 exec-env/grimoire_095724e3-1fa0-4e3e-b68a-e8581d194380 api/sts#1.26.2",
"userIdentity": {
"accessKeyId": "ASIASTJKC5GCM7ZE6LUP",
"accountId": "742491224508",
"arn": "arn:aws:sts::742491224508:federated-user/stratus_red_team",
"principalId": "742491224508:stratus_red_team",
"sessionContext": {
"attributes": {
"creationDate": "2024-11-30T08:43:17Z",
"mfaAuthenticated": "false"
},
"sessionIssuer": {
"accountId": "742491224508",
"arn": "arn:aws:iam::742491224508:user/stratus-red-team-user-federation-user",
"principalId": "AIDAN7SEM6PEVTNQR8M4",
"type": "IAMUser",
"userName": "stratus-red-team-user-federation-user"
},
"webIdFederationData": {}
},
"type": "FederatedUser"
}
}
]
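Review bot: this fixture duplicates the JSON embedded in the technique's markdown page but, unlike that page, carries no indication that the values are anonymized: `"awsRegion": "ap-isob-east-1r"` is not a real region and `"sourceIPAddress": "255.090.254.5"` (leading-zero octet) will not parse as an IPv4 address in many tools. Anyone loading `docs/detonation-logs/*.json` into a detection test harness should not key on region or source IP, so suggest recording the LogLicker anonymization in a README next to these fixtures. The fields that are stable and worth matching in tests are `"eventName": "GetFederationToken"` with `"type": "IAMUser"` on the caller, and `"type": "FederatedUser"` with `sessionContext.sessionIssuer` on the follow-up `GetCallerIdentity` event.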
7 changes: 7 additions & 0 deletions docs/index.yaml
@@ -294,6 +294,13 @@ AWS:
- Privilege Escalation
platform: AWS
isIdempotent: false
- id: aws.persistence.sts-federation-token
name: Generate temporary AWS credentials using GetFederationToken
isSlow: false
mitreAttackTactics:
- Persistence
platform: AWS
isIdempotent: true
Privilege Escalation:
- id: aws.execution.ec2-user-data
name: Execute Commands on EC2 Instance via User Data
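Review bot: `isSlow: false` should be double-checked against the "Add delay for eventual consistency" change in this commit; if the detonation now waits before calling `GetCallerIdentity`, the flag may no longer be accurate. The sample logs show the two calls one second apart (`08:43:17Z` and `08:43:18Z`), so a short delay is fine, but the Go source is not in this diff to confirm. Otherwise the entry is consistent with the doc page: `isIdempotent: true` matches the idempotent badge and `Persistence` matches the listed ATT&CK tactic.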