Hello Reader,
This week the real question is: can anyone stop Ilya Kobzar's winning streak? Here he is again with another winning answer and some very thorough research about what happens when credentials are taken via IMDS on AWS.
The Challenge:
AWS IAM roles are often targeted by threat actors after they get access to a running virtual machine. While AWS IMDSv2 may prevent some attacks, the functionality is still there and is being actively exploited to obtain credentials and act as a service or role. In this challenge I want you to try the following and document what logs are left that could be used to detect or determine that these actions occurred.
1. Retrieve a temporary AWS access key credential from IMDSv1
2. Retrieve a temporary AWS access key credential from IMDSv2
3. Use the temporary access key within an AWS VM
4. Use the temporary access key from outside of AWS
From all four scenarios, determine what logs are created.
Bonus: try to document other scenarios of theft and use, and additional sources of evidence.
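The evidence the four scenarios leave behind lands in CloudTrail, so here is an added detection example (not part of the newsletter or of the winning answer) that walks constructed CloudTrail records, picks out calls made with EC2 instance-role credentials, reads which IMDS version delivered them, and flags sessions used from an address other than the instance's own. The sample events, the instance-to-IP inventory and the regex are assumptions made for the example.

```python
import re

# Constructed sample CloudTrail records (not real logs), trimmed to the fields used here.
# An instance-profile session's role-session name is the instance ID, and
# userIdentity.sessionContext.ec2RoleDelivery records which IMDS version handed out
# the credentials ("1.0" = IMDSv1, "2.0" = IMDSv2).
SAMPLE_EVENTS = [
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc123def456789a",
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc123def456789a",
                      "sessionContext": {"ec2RoleDelivery": "1.0"}}},
    {"eventName": "ListUsers", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]

# Assumed inventory (constructed): the public IP each instance's own API calls arrive from.
# In practice this comes from ec2:DescribeInstances; NAT gateways and VPC endpoints change
# the address CloudTrail sees, so treat a mismatch as a lead, not proof.
INSTANCE_PUBLIC_IPS = {"i-0abc123def456789a": "203.0.113.10"}

INSTANCE_SESSION = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/([^/]+)/(i-[0-9a-f]{8,17})$")


def classify_event(event, inventory=INSTANCE_PUBLIC_IPS):
    """Describe a call made with EC2 instance-role credentials, or None for any other caller."""
    ident = event.get("userIdentity", {})
    match = INSTANCE_SESSION.match(ident.get("arn", ""))
    if ident.get("type") != "AssumedRole" or not match:
        return None
    role, instance = match.groups()
    delivery = ident.get("sessionContext", {}).get("ec2RoleDelivery")
    src = event.get("sourceIPAddress", "")
    return {"eventName": event.get("eventName"), "role": role, "instance": instance,
            "imds": {"1.0": "IMDSv1", "2.0": "IMDSv2"}.get(delivery, "unknown"),
            "sourceIPAddress": src,
            # True only when the call came from the address recorded for that instance
            "from_instance": instance in inventory and src == inventory[instance]}


def find_offhost_use(events, inventory=INSTANCE_PUBLIC_IPS):
    """Instance-role sessions used from an address other than their instance's own."""
    hits = []
    for event in events:
        info = classify_event(event, inventory)
        if info and not info["from_instance"]:
            hits.append(info)
    return hits
```

Running `find_offhost_use(SAMPLE_EVENTS)` returns only the ListBuckets call from 198.51.100.77, tagged as IMDSv1-delivered; the same check works on a real trail export once the inventory is filled from the account.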
The winning answer:
https://www.ilyakobzar.com/p/ec2-iam-role-sts-credentials-compromise