From 7b10ba1c08245f953a3da3de5d7434a91cb2c25b Mon Sep 17 00:00:00 2001
From: mgeeky
Date: Thu, 5 Dec 2019 19:03:29 +0100
Subject: [PATCH] Enhanced exfiltrate-ec2.py a bit more

---
 clouds/aws/evaluate-iam-role.sh | 41 +++++++++++++++++++++++++++++++--
 1 file changed, 39 insertions(+), 2 deletions(-)

diff --git a/clouds/aws/evaluate-iam-role.sh b/clouds/aws/evaluate-iam-role.sh
index 821c6a2..49fbd95 100755
--- a/clouds/aws/evaluate-iam-role.sh
+++ b/clouds/aws/evaluate-iam-role.sh
@@ -8,6 +8,29 @@ fi
 PROFILE=$1
 ROLE_NAME=$2
 
+known_potentially_dangerous_permissions=(
+ ".*:\*"
+ ".*:.*Attach.*"
+ ".*:.*Create.*"
+ ".*:.*Delete.*"
+ ".*:.*Reboot.*"
+ ".*:.*Command.*"
+ ".*:.*Run.*"
+ ".*:.*Send.*"
+ ".*:.*Batch.*"
+ ".*:.*Set.*"
+ ".*:.*Invoke.*"
+ ".*:.*Add.*"
+ ".*:.*Execute.*"
+ ".*:.*Start.*"
+ ".*:.*Modify.*"
+ ".*:.*Register.*"
+ ".*:.*Replace.*"
+ ".*:.*Change.*"
+ ".*:.*Update.*"
+ ".*:.*Put.*"
+)
+
 known_dangerous_permissions=(
 "*:*"
 "iam:CreatePolicyVersion"
@@ -47,6 +70,7 @@ IFS=$'\n'
 attached_role_policies=($(aws --profile $PROFILE iam list-attached-role-policies --role-name $ROLE_NAME | jq -r '.AttachedPolicies[].PolicyArn'))
 
 dangerous_permissions=()
+potentially_dangerous_permissions=()
 all_perms=()
 
 for policy in "${attached_role_policies[@]}" ; do
@@ -64,8 +88,11 @@ for policy in "${attached_role_policies[@]}" ; do
 for dangperm in "${known_dangerous_permissions[@]}"; do
 if echo "$dangperm" | grep -iq $perm ; then
 dangerous_permissions+=("$perm")
- elif echo "$perm" | grep -qP "\w+:\*"; then
- dangerous_permissions+=("$perm")
+ fi
+ done
+ for dangperm in "${known_potentially_dangerous_permissions[@]}"; do
+ if echo "$perm" | grep -Piq "$dangperm" ; then
+ potentially_dangerous_permissions+=("$perm")
 fi
 done
 done
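Review bot: The new known_potentially_dangerous_permissions patterns are unanchored substrings that the later hunk matches case-insensitively with `grep -Piq`, so read-only actions get flagged as well: `.*:.*Attach.*` matches `iam:ListAttachedRolePolicies` (the very call this script makes) and `.*:.*Set.*` matches any action containing "set". The leading `.*:.*` adds nothing to an unanchored search; anchoring each verb to the start of the action, e.g. `":Attach"`, `":Create"`, `":Delete"`, and dropping `-i` would remove most of that noise. A one-line comment above the array stating that these are heuristic verb matches whose hits need manual review would help readers interpret the report. The commit title names exfiltrate-ec2.py, but the only file in the diffstat is clouds/aws/evaluate-iam-role.sh.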
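Review bot: Removing the `elif … grep -qP "\w+:\*"` branch silently downgrades service-wide wildcards such as `ec2:*` from the dangerous report to the potentially-dangerous one, since `.*:\*` now lives only in the new list; if that is intended, a comment saying so would avoid the surprise. The new loop also re-scans every permission that was just appended to dangerous_permissions, so the same action will appear in both reports. The existing check on the context line passes the permission unquoted as the grep pattern, `grep -iq $perm`, so an entry like `*:*` is exposed to pathname expansion before grep sees it; `grep -iq -- "$perm"` would match the quoting the new check already uses for `"$dangperm"`. The enclosing for-policy loop starts outside the hunk.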
@@ -78,6 +105,16 @@ if [[ ${#all_perms[@]} -gt 0 ]]; then
 echo -e "\t$perm"
 done
 
+ if [[ ${#potentially_dangerous_permissions[@]} -gt 0 ]]; then
+ echo -e "\n\n=============== Detected POTENTIALLY dangerous permissions granted ==============="
+ sorted=($(echo "${potentially_dangerous_permissions[@]}" | tr ' ' '\n' | sort -u ))
+ for dangperm in "${sorted[@]}"; do
+ echo -e "\t$dangperm"
+ done
+ else
+ echo -e "\nNo potentially dangerous permissions were found to be granted."
+ fi
+
 if [[ ${#dangerous_permissions[@]} -gt 0 ]]; then
 echo -e "\n\n=============== Detected dangerous permissions granted ==============="
 sorted=($(echo "${dangerous_permissions[@]}" | tr ' ' '\n' | sort -u ))
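Review bot: `sorted=($(echo "${potentially_dangerous_permissions[@]}" | tr ' ' '\n' | sort -u ))` leaves the command substitution unquoted, so every entry goes through pathname expansion; the entries this list exists to catch contain `*` (the `.*:\*` pattern), and a file in the working directory matching e.g. `s3:*` would replace the permission with a filename in the report unless globbing is disabled with set -f somewhere outside these hunks. `mapfile -t sorted < <(printf '%s\n' "${potentially_dangerous_permissions[@]}" | sort -u)` avoids both the glob and the dependence on the IFS=$'\n' set earlier in the file. The same construct is on the last line of this hunk for dangerous_permissions. Printing with `printf '\t%s\n' "$dangperm"` instead of `echo -e "\t$dangperm"` would keep any backslash in the data literal.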