AWS: Dump secrets through Secret Manager's new BatchGetSecretValue (#434

)
DataDog · Nov 27, 2023 · 790feb6 · 790feb6
1 parent 39e6b46
commit 790feb6
Show file tree

Hide file tree

Showing 9 changed files with 361 additions and 41 deletions.
diff --git a/...k-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets.md b/...k-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets.md
@@ -0,0 +1,98 @@
+---
+title: Retrieve a High Number of Secrets Manager secrets (Batch)
+---
+
+# Retrieve a High Number of Secrets Manager secrets (Batch)
+
+
+ <span class="smallcaps w3-badge w3-blue w3-round w3-text-white" title="This attack technique can be detonated multiple times">idempotent</span> 
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Credential Access
+
+## Description
+
+
+Retrieves a high number of Secrets Manager secrets by batch, through <code>secretsmanager:BatchGetSecretValue</code> (released Novemeber 2023). 
+An attacker may attempt to retrieve a high number of secrets by batch, to avoid detection and generate fewer calls. Note that the batch size is limited to 20 secrets.
+
+
+<span style="font-variant: small-caps;">Warm-up</span>: 
+
+- Create multiple secrets in Secrets Manager.
+
+<span style="font-variant: small-caps;">Detonation</span>: 
+
+- Dump all secrets by batch of 10, using <code>secretsmanager:BatchGetSecretValue</code>.
+
+References:
+
+- https://aws.amazon.com/blogs/security/how-to-use-the-batchgetsecretsvalue-api-to-improve-your-client-side-applications-with-aws-secrets-manager/
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.credential-access.secretsmanager-batch-retrieve-secrets
+```
+## Detection
+
+
+Identify principals that attempt to retrieve secrets by batch, through CloudTrail's <code>BatchGetSecretValue</code> event. Sample event:
+
+```json
+{
+  "eventSource": "secretsmanager.amazonaws.com",
+  "eventName": "BatchGetSecretValue",
+  "requestParameters": {
+    "filters": [
+      {
+        "key": "tag-key",
+        "values": [
+          "StratusRedTeam"
+        ]
+      }
+    ]
+  },
+  "responseElements": null,
+  "readOnly": true,
+  "eventType": "AwsApiCall",
+  "managementEvent": true,
+  "recipientAccountId": "012345678901"
+}
+```
+
+Although <code>BatchGetSecretValue</code> requires a list of secret IDs or a filter, an attacker may use a catch-all filter to retrieve all secrets by batch:
+
+```json hl_lines="6-11"
+{
+  "eventSource": "secretsmanager.amazonaws.com",
+  "eventName": "BatchGetSecretValue",
+  "requestParameters": {
+    "filters": [
+      {
+        "key": "tag-key",
+        "values": [
+          "!tagKeyThatWillNeverExist"
+        ]
+      }
+    ]
+  },
+  "responseElements": null,
+  "readOnly": true,
+  "eventType": "AwsApiCall",
+  "managementEvent": true,
+  "recipientAccountId": "012345678901"
+}
+```
+
+The following may be use to tune the detection, or validate findings:
+
+- Principals who do not usually call GetBatchSecretValue
+- Attempts to call GetBatchSecretValue resulting in access denied errors
+- Principals calling GetBatchSecretValue in several regions in a short period of time
+
diff --git a/docs/attack-techniques/AWS/index.md b/docs/attack-techniques/AWS/index.md
@@ -10,6 +10,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 
 - [Steal EC2 Instance Credentials](./aws.credential-access.ec2-steal-instance-credentials.md)
 
+- [Retrieve a High Number of Secrets Manager secrets (Batch)](./aws.credential-access.secretsmanager-batch-retrieve-secrets.md)
+
 - [Retrieve a High Number of Secrets Manager secrets](./aws.credential-access.secretsmanager-retrieve-secrets.md)
 
 - [Retrieve And Decrypt SSM Parameters](./aws.credential-access.ssm-retrieve-securestring-parameters.md)
@@ -83,12 +85,12 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 
 - [Backdoor Lambda Function Through Resource-Based Policy](./aws.persistence.lambda-backdoor-function.md)
 
+- [Add a Malicious Lambda Extension](./aws.persistence.lambda-layer-extension.md)
+
 - [Overwrite Lambda Function Code](./aws.persistence.lambda-overwrite-code.md)
 
 - [Create an IAM Roles Anywhere trust anchor](./aws.persistence.rolesanywhere-create-trust-anchor.md)
 
-- [Add a Malicious Lambda Extension](./aws.persistence.lambda-layer-extension.md)
-
 
 ## Privilege Escalation
 
@@ -100,7 +102,7 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 
 - [Create a Login Profile on an IAM User](./aws.persistence.iam-create-user-login-profile.md)
 
-- [Create an IAM Roles Anywhere trust anchor](./aws.persistence.rolesanywhere-create-trust-anchor.md)
-
 - [Add a Malicious Lambda Extension](./aws.persistence.lambda-layer-extension.md)
 
+- [Create an IAM Roles Anywhere trust anchor](./aws.persistence.rolesanywhere-create-trust-anchor.md)
+
diff --git a/docs/attack-techniques/list.md b/docs/attack-techniques/list.md
@@ -11,6 +11,7 @@ This page contains the list of all Stratus Attack Techniques.
 | :----: | :------: | :------------------: |
 | [Retrieve EC2 Password Data](./AWS/aws.credential-access.ec2-get-password-data.md) | [AWS](./AWS/index.md) | Credential Access |
 | [Steal EC2 Instance Credentials](./AWS/aws.credential-access.ec2-steal-instance-credentials.md) | [AWS](./AWS/index.md) | Credential Access |
+| [Retrieve a High Number of Secrets Manager secrets (Batch)](./AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets.md) | [AWS](./AWS/index.md) | Credential Access |
 | [Retrieve a High Number of Secrets Manager secrets](./AWS/aws.credential-access.secretsmanager-retrieve-secrets.md) | [AWS](./AWS/index.md) | Credential Access |
 | [Retrieve And Decrypt SSM Parameters](./AWS/aws.credential-access.ssm-retrieve-securestring-parameters.md) | [AWS](./AWS/index.md) | Credential Access |
 | [Delete CloudTrail Trail](./AWS/aws.defense-evasion.cloudtrail-delete.md) | [AWS](./AWS/index.md) | Defense Evasion |
@@ -37,9 +38,9 @@ This page contains the list of all Stratus Attack Techniques.
 | [Create an administrative IAM User](./AWS/aws.persistence.iam-create-admin-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
 | [Create a Login Profile on an IAM User](./AWS/aws.persistence.iam-create-user-login-profile.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
 | [Backdoor Lambda Function Through Resource-Based Policy](./AWS/aws.persistence.lambda-backdoor-function.md) | [AWS](./AWS/index.md) | Persistence |
+| [Add a Malicious Lambda Extension](./AWS/aws.persistence.lambda-layer-extension.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
 | [Overwrite Lambda Function Code](./AWS/aws.persistence.lambda-overwrite-code.md) | [AWS](./AWS/index.md) | Persistence |
 | [Create an IAM Roles Anywhere trust anchor](./AWS/aws.persistence.rolesanywhere-create-trust-anchor.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
-| [Add a Malicious Lambda Extension](./AWS/aws.persistence.lambda-layer-extension.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
 | [Execute Command on Virtual Machine using Custom Script Extension](./azure/azure.execution.vm-custom-script-extension.md) | [Azure](./azure/index.md) | Execution |
 | [Execute Commands on Virtual Machine using Run Command](./azure/azure.execution.vm-run-command.md) | [Azure](./azure/index.md) | Execution |
 | [Export Disk Through SAS URL](./azure/azure.exfiltration.disk-export.md) | [Azure](./azure/index.md) | Exfiltration |

diff --git a/docs/index.yaml b/docs/index.yaml
@@ -14,6 +14,13 @@ AWS:
             - Credential Access
           platform: AWS
           isIdempotent: true
+        - id: aws.credential-access.secretsmanager-batch-retrieve-secrets
+          name: Retrieve a High Number of Secrets Manager secrets (Batch)
+          isSlow: false
+          mitreAttackTactics:
+            - Credential Access
+          platform: AWS
+          isIdempotent: true
         - id: aws.credential-access.secretsmanager-retrieve-secrets
           name: Retrieve a High Number of Secrets Manager secrets
           isSlow: false
@@ -207,6 +214,14 @@ AWS:
             - Persistence
           platform: AWS
           isIdempotent: false
+        - id: aws.persistence.lambda-layer-extension
+          name: Add a Malicious Lambda Extension
+          isSlow: false
+          mitreAttackTactics:
+            - Persistence
+            - Privilege Escalation
+          platform: AWS
+          isIdempotent: true
         - id: aws.persistence.lambda-overwrite-code
           name: Overwrite Lambda Function Code
           isSlow: false
@@ -222,14 +237,6 @@ AWS:
             - Privilege Escalation
           platform: AWS
           isIdempotent: false
-        - id: aws.persistence.lambda-layer-extension
-          name: Add a Malicious Lambda Extension
-          isSlow: false
-          mitreAttackTactics:
-            - Persistence
-            - Privilege Escalation
-          platform: AWS
-          isIdempotent: true
     Privilege Escalation:
         - id: aws.execution.ec2-user-data
           name: Execute Commands on EC2 Instance via User Data
@@ -263,22 +270,22 @@ AWS:
             - Privilege Escalation
           platform: AWS
           isIdempotent: false
-        - id: aws.persistence.rolesanywhere-create-trust-anchor
-          name: Create an IAM Roles Anywhere trust anchor
+        - id: aws.persistence.lambda-layer-extension
+          name: Add a Malicious Lambda Extension
           isSlow: false
           mitreAttackTactics:
             - Persistence
             - Privilege Escalation
           platform: AWS
-          isIdempotent: false
-        - id: aws.persistence.lambda-layer-extension
-          name: Add a Malicious Lambda Extension
+          isIdempotent: true
+        - id: aws.persistence.rolesanywhere-create-trust-anchor
+          name: Create an IAM Roles Anywhere trust anchor
           isSlow: false
           mitreAttackTactics:
             - Persistence
             - Privilege Escalation
           platform: AWS
-          isIdempotent: true
+          isIdempotent: false
 GCP:
     Exfiltration:
         - id: gcp.exfiltration.share-compute-disk

diff --git a/v2/go.mod b/v2/go.mod
@@ -8,22 +8,22 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0
-	github.com/aws/aws-sdk-go-v2 v1.21.0
-	github.com/aws/aws-sdk-go-v2/config v1.18.37
-	github.com/aws/aws-sdk-go-v2/credentials v1.13.35
+	github.com/aws/aws-sdk-go-v2 v1.23.1
+	github.com/aws/aws-sdk-go-v2/config v1.25.5
+	github.com/aws/aws-sdk-go-v2/credentials v1.16.4
 	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.81
 	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.19.1
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.1
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.137.1
 	github.com/aws/aws-sdk-go-v2/service/iam v1.18.20
 	github.com/aws/aws-sdk-go-v2/service/lambda v1.24.7
 	github.com/aws/aws-sdk-go-v2/service/organizations v1.16.13
 	github.com/aws/aws-sdk-go-v2/service/rds v1.26.1
 	github.com/aws/aws-sdk-go-v2/service/rolesanywhere v1.0.10
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.38.5
-	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.3
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.24.0
 	github.com/aws/aws-sdk-go-v2/service/ssm v1.31.0
-	github.com/aws/aws-sdk-go-v2/service/sts v1.21.5
-	github.com/aws/smithy-go v1.14.2
+	github.com/aws/aws-sdk-go-v2/service/sts v1.25.4
+	github.com/aws/smithy-go v1.17.0
 	github.com/cenkalti/backoff/v4 v4.2.1
 	github.com/fatih/color v1.13.0
 	github.com/golang-jwt/jwt v3.2.2+incompatible
@@ -46,17 +46,17 @@ require (
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.42 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.36 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.13.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.17.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.20.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect