Conversation

ryananicholson
Contributor

Details:

Created a new attack for T1648 for AWS. The process that is mimicked is:

  • Attacker has access to credentials with lambda:UpdateFunctionCode and lambda:InvokeFunction rights or the equivalent
  • Function has an overly-permissive IAM role
  • Function code is altered to create a backdoor IAM user account

Testing:

Executed the atomic test with the following command:

Invoke-AtomicTest -AtomicTechnique T1648 -InputArgs @{profile="default"; region="us-east-2"} -PathToAtomicsFolder ./atomics

To clean up, I ran the following:

Invoke-AtomicTest -AtomicTechnique T1648 -InputArgs @{profile="default"; region="us-east-2"} -PathToAtomicsFolder ./atomics -Cleanup

Associated Issues:

No issues corrected with this PR.
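The three-step chain in the PR description (code replaced with lambda:UpdateFunctionCode, function invoked, execution role used to create an IAM user) leaves a recognisable trail in CloudTrail. The following is an added detection example written for this page; it is not the atomic test in the PR, and the CloudTrail records it runs over are constructed, not captured from a real account. It relies on two documented CloudTrail behaviours: UpdateFunctionCode is logged under the event name `UpdateFunctionCode20150331v2`, and a Lambda function assumes its execution role with the function name as the session name, so IAM calls made from inside the function arrive with an `AssumedRole` identity whose ARN ends in `.../<role-name>/<function-name>`. The function name extraction from `requestParameters.functionName` (plain name or full ARN) is an assumption about the record layout; check it against your own trail before deploying.

```python
"""Detect the T1648 Lambda-backdoor chain in CloudTrail records.

Added example for this page, not the PR's atomic test. Event names and the
userIdentity layout follow CloudTrail's documented format; the sample records
at the bottom are constructed for illustration.
"""
import json
from datetime import datetime, timedelta

# CloudTrail event names for the three stages of the chain.
UPDATE_CODE = "UpdateFunctionCode20150331v2"   # lambda:UpdateFunctionCode
INVOKE = "Invoke"                               # lambda:InvokeFunction (data event)
# IAM calls an attacker uses to plant persistence from inside the function.
PERSISTENCE = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
               "AttachUserPolicy", "PutUserPolicy"}


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _function_name(ev):
    """Function name from requestParameters.functionName (name or ARN).

    Assumption: both UpdateFunctionCode and Invoke records carry this field.
    """
    name = (ev.get("requestParameters") or {}).get("functionName", "")
    return name.split(":")[-1] if name.startswith("arn:") else name


def _lambda_session_function(ev):
    """If the actor is a Lambda execution-role session, return the function name.

    Lambda assumes its role with the function name as the session name, so the
    identity ARN looks like arn:aws:sts::ACCT:assumed-role/<role>/<function>.
    """
    ident = ev.get("userIdentity") or {}
    arn = ident.get("arn", "")
    if ident.get("type") != "AssumedRole" or ":assumed-role/" not in arn:
        return None
    parts = arn.split("/")
    return parts[-1] if len(parts) == 3 else None


def detect_lambda_backdoor(events, window=timedelta(hours=1), require_invoke=True):
    """Return one finding per function whose code was replaced and whose own
    role session then made IAM persistence calls within `window`.

    require_invoke=False drops the Invoke check for trails that do not log
    Lambda data events.
    """
    events = sorted(events, key=_ts)
    findings = []
    for upd in (e for e in events if e["eventName"] == UPDATE_CODE):
        fn, t0 = _function_name(upd), _ts(upd)
        in_window = [e for e in events if t0 <= _ts(e) <= t0 + window]
        if require_invoke and not any(
                e["eventName"] == INVOKE and _function_name(e) == fn for e in in_window):
            continue
        persist = [e for e in in_window
                   if e["eventName"] in PERSISTENCE and _lambda_session_function(e) == fn]
        if persist:
            findings.append({
                "function": fn,
                "updated_by": (upd.get("userIdentity") or {}).get("arn"),
                "iam_actions": [(e["eventName"],
                                 (e.get("requestParameters") or {}).get("userName"))
                                for e in persist],
            })
    return findings


# Constructed sample trail: a benign CI deploy, then the attack chain.
_ROLE_SESSION = {"type": "AssumedRole",
                 "arn": "arn:aws:sts::111122223333:assumed-role/report-generator-role/report-generator"}
_ATTACKER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/compromised-dev"}
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-19T15:00:01Z", "eventName": UPDATE_CODE,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deployer"},
     "requestParameters": {"functionName": "billing-export"}},
    {"eventTime": "2025-01-19T15:10:00Z", "eventName": UPDATE_CODE,
     "userIdentity": _ATTACKER, "requestParameters": {"functionName": "report-generator"}},
    {"eventTime": "2025-01-19T15:10:30Z", "eventName": INVOKE, "userIdentity": _ATTACKER,
     "requestParameters": {"functionName":
                           "arn:aws:lambda:us-east-2:111122223333:function:report-generator"}},
    {"eventTime": "2025-01-19T15:10:31Z", "eventName": "CreateUser",
     "userIdentity": _ROLE_SESSION, "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2025-01-19T15:10:32Z", "eventName": "CreateAccessKey",
     "userIdentity": _ROLE_SESSION, "requestParameters": {"userName": "svc-backup"}},
]

if __name__ == "__main__":
    print(json.dumps(detect_lambda_backdoor(SAMPLE_EVENTS), indent=2))
```

Lambda `Invoke` is a data event and is not recorded unless the trail has Lambda data events enabled; on a trail without them, pass `require_invoke=False` and rely on the update-then-IAM-from-the-function's-session correlation alone. The benign `billing-export` deploy in the sample produces no finding because no IAM call arrives from that function's role session.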

@ryananicholson
Contributor Author

Please remove this PR... VSCode is fighting me and adding unrelated content. Will start again with a fresh PR

@ryananicholson ryananicholson deleted the T1648 branch January 19, 2025 16:37