SIEM/SOAR/XDR evasion strategies in AWS penetration tests
Geovanni Flores
Multi-Cloud Security Engineer | Incident Handler | Cloud Pentester (Azure, AWS, GCP, Oracle, IBM)
The migration of workloads to the cloud, accelerated in the post-pandemic period, has extended the attack surface to every resource and identity in our multi-cloud environments, so protecting and governing this new security perimeter matters.
Among the emerging threats are large-scale cryptomining and Ransomware as a Service (RaaS) driven by the mass compromise of PaaS and IaaS resources.
Starting from this context, we will look at the tactics and techniques attackers use to achieve this while evading our defensive solutions.
EDR/XDR/Antivirus evasion techniques.
Let's consider a scenario where a production Windows server on AWS has already been compromised and an external attacker has already gained initial access.
These are three techniques that advanced threat actors use to evade the protection technologies on our endpoints:
Obfuscation
Hiding the malware's malicious code by manipulating characters so that it goes unnoticed not only by a conventional antivirus, licensed or free, but also by advanced endpoint detection solutions such as EDR or XDR.
Encryption
Encrypting a malware payload with robust algorithms is another common technique that renders the payload undetectable by virtually all endpoint-level detection mechanisms that inspect it at rest; the payload still has to be decrypted in memory to run, which is the moment behavioural EDR monitoring gets its chance.
Malicious library injection
Another common technique used by more experienced attackers is to download a .DLL library from the internet and inject it into a vulnerable service while executing a file (.msi or .exe), passing that service off as one of the operating system's own.
One strategy to avoid being flagged by AWS's own security services such as GuardDuty is to first compromise a resource (a server, an application, or a user identity) attached to a role that can disable CloudTrail or VPC Flow Logs. If an attacker disables both services, GuardDuty loses the visibility it needs to analyze events for suspicious behavior, the monitoring and incident response team sees nothing, and the attacker has a free hand.
A countermeasure in this situation is to set up an alert that notifies the monitoring team of any alteration of, or interruption in, the flow of logs to GuardDuty or any other SIEM/SOAR solution.
Another strategy is to avoid known detection behaviors: an attacker who masters both attack and defense techniques and is familiar with the detection patterns of GuardDuty, or of any other SIEM, will limit their activity to actions that do not trigger those patterns. This can mean avoiding certain APIs, limiting the volume or frequency of their requests, or using AWS resources in ways that do not match the malicious activity GuardDuty detects, and so remaining unnoticed.
Evading resource consumption (cost) alarm checks in AWS
But what if the threat actor plans to create a resource with extensive compute capacity to mine cryptocurrency?
Modern attackers can avoid raising resource consumption alerts in AWS: once they already have initial access to, for example, an EC2 instance with an attached role that has write permissions, they can disable the CloudWatch alarm that checks resource consumption.
To do this, the attacker opens an AWS CLI session on the compromised instance and runs the following.
aws cloudwatch describe-alarms --state-value <ALARM or OK>    # list the account's alarms and their current state
aws cloudwatch disable-alarm-actions --alarm-names AlarmName  # silence the alarm's notification actions
aws cloudwatch delete-alarms --alarm-names AlarmName          # or remove the alarm altogether
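Each of the calls above is recorded as a CloudTrail event, which is the hook the countermeasure described earlier needs. The following is an added example, not code from the article, that scans constructed CloudTrail-shaped records for the visibility-reducing API calls discussed in both the logging and the alarm sections (the account ID, ARNs and IP addresses are made up); the API names in the table are real, but the mapping of which to alert on is this example's own choice.

```python
"""Flag CloudTrail events that blind monitoring or silence CloudWatch alarms.

Added example for this article (not the author's code). The records below
are constructed samples in CloudTrail's JSON shape; a real deployment would
read them from the trail's S3 bucket or feed an EventBridge rule instead.
"""
import json

# API calls that reduce visibility: stopping/altering trails, dropping VPC
# Flow Logs, silencing/deleting CloudWatch alarms, and (since GuardDuty has
# its own event feed) disabling or deleting the GuardDuty detector itself.
TAMPER_APIS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail",
                                 "PutEventSelectors"},
    "ec2.amazonaws.com": {"DeleteFlowLogs"},
    "monitoring.amazonaws.com": {"DisableAlarmActions", "DeleteAlarms"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
}


def tamper_findings(records):
    """Return (eventName, actor ARN, source IP) for each visibility-reducing call.
    Read-only calls such as DescribeAlarms are deliberately not flagged."""
    findings = []
    for rec in records:
        watched = TAMPER_APIS.get(rec.get("eventSource"), set())
        if rec.get("eventName") in watched:
            actor = rec.get("userIdentity", {}).get("arn", "unknown")
            findings.append((rec["eventName"], actor, rec.get("sourceIPAddress", "?")))
    return findings


# Constructed sample trail records (fields trimmed to what the check uses).
SAMPLE_RECORDS = json.loads("""[
 {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ec2-app-role/i-0abc"},
  "sourceIPAddress": "10.0.1.25"},
 {"eventSource": "monitoring.amazonaws.com", "eventName": "DescribeAlarms",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
  "sourceIPAddress": "203.0.113.7"},
 {"eventSource": "monitoring.amazonaws.com", "eventName": "DeleteAlarms",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ec2-app-role/i-0abc"},
  "sourceIPAddress": "10.0.1.25"}
]""")

if __name__ == "__main__":
    for name, actor, ip in tamper_findings(SAMPLE_RECORDS):
        print(f"ALERT {name} by {actor} from {ip}")
```

In the sample, the same instance role first stops the trail and then deletes an alarm, which is exactly the sequence a monitoring team would want paged on.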
Avoiding GuardDuty's detection of credential changes on a compromised identity.
AWS, through its GuardDuty security service, can identify and alert the monitoring and incident response team when a user whose credentials have been compromised immediately changes their own credentials, which raises the 'Stealth:IAMUser/PasswordPolicyChange' finding. To evade this finding, an experienced attacker can use the "iam:ChangePassword" permission of another previously compromised identity, or of an application to which that permission is assigned and that makes such changes on behalf of users or automatically, to perform the password change and pass it off as normal activity without raising the finding in GuardDuty.
Alternatively, from a compromised identity, or by abusing the role attached to a compromised virtual machine or API, the attacker can inject a malicious IAM policy that grants the password-change permission; an example of this would be:
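From the defender's side, the policy write itself is the thing to watch. The following is an added example, not the article's own code or policy, that inspects constructed CloudTrail records for IAM policy-writing calls and flags any Allow statement granting iam:ChangePassword on anything beyond the caller's own user (the `user/${aws:username}` scoping AWS uses for self-service password changes); the account ID is made up and the policyDocument is assumed to be the JSON string CloudTrail records in requestParameters.

```python
"""Flag IAM policy writes that hand out iam:ChangePassword beyond self-service.

Added example for this article, not the author's code. The records are
constructed in CloudTrail's shape; policyDocument is assumed to be the JSON
string CloudTrail records in requestParameters (URL-decoded first, which is
a no-op when it is already plain JSON).
"""
import json
from urllib.parse import unquote

POLICY_WRITE_APIS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
                     "CreatePolicy", "CreatePolicyVersion"}
# AWS's self-service pattern scopes the permission to the caller's own user.
SELF_ONLY = "user/${aws:username}"


def _as_list(value):
    """Normalise the string / dict / list shapes IAM allows for these fields."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def grants_broad_change_password(record):
    """True if the event writes an Allow statement for iam:ChangePassword
    (or an iam wildcard) whose Resource is not limited to the caller's own user."""
    if record.get("eventName") not in POLICY_WRITE_APIS:
        return False
    doc = json.loads(unquote(record["requestParameters"]["policyDocument"]))
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        acts = {a.lower() for a in _as_list(st.get("Action"))}
        if not acts & {"iam:changepassword", "iam:*", "*"}:
            continue
        if any(not r.endswith(SELF_ONLY) for r in _as_list(st.get("Resource"))):
            return True
    return False


# Constructed samples: a legitimate self-service policy and an injected broad one.
BENIGN = {"eventName": "PutUserPolicy", "requestParameters": {"policyDocument": json.dumps({
    "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "iam:ChangePassword",
    "Resource": "arn:aws:iam::111122223333:user/${aws:username}"}]})}}
INJECTED = {"eventName": "PutRolePolicy", "requestParameters": {"policyDocument": json.dumps({
    "Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["iam:ChangePassword", "iam:GetUser"], "Resource": "*"}]})}}

if __name__ == "__main__":
    for label, rec in (("benign", BENIGN), ("injected", INJECTED)):
        print(label, "-> ALERT" if grants_broad_change_password(rec) else "-> ok")
```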
Conclusion
An attacker can use multiple techniques to avoid detection, so the team responsible for detecting, reporting and containing security threats needs a multidimensional perspective, in attack and in defense, across every level of a Zero Trust strategy, and must not stay wedded to the old network-level perimeter security model. That team is the one that has to put the necessary sensors and countermeasures in place in case an adversary with a profile similar to or better than its own succeeds in the next incident that materializes in your company.
Let's not forget that identity is the new security perimeter, and it must be governed.