Skip to content

Investigating Persistence Mechanisms in AWS#323

Open
carlospolop wants to merge 1 commit into
masterfrom
update_Investigating_Persistence_Mechanisms_in_AWS_ec41c2f71bbc213e
Open

Investigating Persistence Mechanisms in AWS#323
carlospolop wants to merge 1 commit into
masterfrom
update_Investigating_Persistence_Mechanisms_in_AWS_ec41c2f71bbc213e

Conversation

@carlospolop

Copy link
Copy Markdown
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://rapid7.com/blog/post/dr-investigating-aws-persistence-mechanisms
  • Blog Title: Investigating Persistence Mechanisms in AWS
  • Suggested Section: AWS Pentesting > AWS - Persistence, primarily updating AWS - IAM Persistence, AWS - Lambda Persistence, and AWS - STS Persistence; cross-reference AWS - API Gateway Persistence and EventBridge-related persistence or trigger abuse

🎯 Content Summary

Overview

The post describes four AWS persistence mechanisms that abuse legitimate IAM, STS, Lambda, API Gateway, and EventBridge capabilities rather than a CVE. Exploitation requires control of an AWS identity with the relevant API permissions. Depending on that identity's privileges, an attacker can create durable IAM identities, establish cross-account access, deploy a serverless administrator-provisioning backdoor, or retain temporary credentials after defenders rotate the original...

🔧 Technical Details

IAM-user persistence: A principal with iam:CreateUser can create a durable identity, but must make it operational by adding an API key with iam:CreateAccessKey or console credentials with iam:CreateConsoleProfile. Permissions can then be assigned through iam:AttachUserPolicy, iam:PutUserPolicy, or iam:AddUserToGroup. Hunt separately for operations targeting the username and actions performed by that identity, because different compromised principals may create, credential, and authorize the account.


Cross-account role persistence: An identity with iam:CreateRole or iam:UpdateAssumeRolePolicy can add an attacker-controlled AWS account to a role trust policy as an allowed sts:AssumeRole principal. This creates an entry point independent of the original victim credentials. Search trust-policy documents for known external accou...

🤖 Agent Actions

Done.

Updated:

  • src/pentesting-cloud/aws-security/aws-persistence/README.md

Added concise, non-duplicative coverage for:

  • IAM-user persistence operationalization
  • Role trust-policy backdoors
  • Lambda persistence via Function URL, API Gateway, and EventBridge triggers
  • STS GetFederationToken persistence and investigation pivots
  • CloudTrail/LEQL hunting queries
  • Internal links to the existing IAM/Lambda/API Gateway/STS pages
  • ## References with the Rapid7 post and relevant AWS docs

Verification:

  • Checked referenced internal files exist
  • Ran git diff --check successfully
  • Could not run mdbook build because mdbook is not installed in this environment

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 589
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).

@carlospolop

Copy link
Copy Markdown
Collaborator Author

🔗 Additional Context

Original Blog Post: https://rapid7.com/blog/post/dr-investigating-aws-persistence-mechanisms

Content Categories: Based on the analysis, this content was categorized under "AWS Pentesting > AWS - Persistence, primarily updating AWS - IAM Persistence, AWS - Lambda Persistence, and AWS - STS Persistence; cross-reference AWS - API Gateway Persistence and EventBridge-related persistence or trigger abuse".

Repository Maintenance:

  • MD Files Formatting: 589 files processed (1 files fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant