diff --git a/src/SUMMARY.md b/src/SUMMARY.md
index 1056403e4..6c82a2831 100644
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@@ -292,6 +292,7 @@
- [AWS - KMS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md)
- [AWS - Lambda Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md)
- [AWS - Lightsail Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md)
+ - [AWS - Macie Enum](pentesting-cloud/aws-security/aws-privilege-escalation/aws-macie-privesc.md)
- [AWS - Mediapackage Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md)
- [AWS - MQ Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md)
- [AWS - MSK Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md)
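Review bot: the new SUMMARY entry in this hunk is labelled `AWS - Macie Enum` but links to `aws-privilege-escalation/aws-macie-privesc.md`, whose page title in this same PR is `# AWS - Macie Privesc`; the label should read `- [AWS - Macie Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-macie-privesc.md)` so it matches the neighbouring `* Privesc` entries and is not confused with the `AWS - Macie Enum` entry added further down under `aws-services`.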
@@ -320,7 +321,6 @@
- [AWS - Firewall Manager Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md)
- [AWS - GuardDuty Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md)
- [AWS - Inspector Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md)
- - [AWS - Macie Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md)
- [AWS - Security Hub Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md)
- [AWS - Shield Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md)
- [AWS - Trusted Advisor Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md)
@@ -354,6 +354,7 @@
- [AWS - KMS Enum](pentesting-cloud/aws-security/aws-services/aws-kms-enum.md)
- [AWS - Lambda Enum](pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md)
- [AWS - Lightsail Enum](pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md)
+ - [AWS - Macie Enum](pentesting-cloud/aws-security/aws-services/aws-macie-enum.md)
- [AWS - MQ Enum](pentesting-cloud/aws-security/aws-services/aws-mq-enum.md)
- [AWS - MSK Enum](pentesting-cloud/aws-security/aws-services/aws-msk-enum.md)
- [AWS - Organizations Enum](pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md)
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-macie-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-macie-privesc.md
index 462685084..73ffb71ea 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-macie-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-macie-privesc.md
@@ -1,4 +1,16 @@
-# Amazon Macie - Bypass `Reveal Sample` Integrity Check
+# AWS - Macie Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Macie
+
+For more information about Macie check:
+
+{{#ref}}
+../aws-services/aws-macie-enum.md
+{{#endref}}
+
+### Amazon Macie - Bypass `Reveal Sample` Integrity Check
AWS Macie is a security service that automatically detects sensitive data within AWS environments, such as credentials, personally identifiable information (PII), and other confidential data. When Macie identifies a sensitive credential, such as an AWS secret key stored in an S3 bucket, it generates a finding that allows the owner to view a "sample" of the detected data. Typically, once the sensitive file is removed from the S3 bucket, it is expected that the secret can no longer be retrieved.
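Review bot: the hunk adds the header banner include `{{#include ../../../banners/hacktricks-training.md}}` but the visible hunks for this file do not show the matching footer include that the other pages in this PR end with; please confirm the end of `aws-macie-privesc.md` carries the same include so the page renders like its siblings. The `{{#ref}}` block pointing at `../aws-services/aws-macie-enum.md` resolves correctly relative to `aws-privilege-escalation/`, and the three-level banner path is right for this directory depth.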
@@ -6,7 +18,7 @@ However, a **bypass** has been identified where an attacker with sufficient perm
-## Steps To Reproduce:
+**Steps To Reproduce:**
1. Upload a file (e.g., `test-secret.txt`) to an S3 bucket with sensitive data, such as an AWS secret key. Wait for AWS Macie to scan and generate a finding.
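Review bot: demoting `## Steps To Reproduce:` to bold text (and `## Summary:` in the next hunk) is understandable now that the section lives under a `###` heading, but it removes both anchors from the generated table of contents; if the intent is only to keep heading levels ordered, `#### Steps To Reproduce` and `#### Summary` would preserve the structure and the anchors. Either way, dropping the trailing colons would be consistent with the headings elsewhere in the book.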
@@ -20,6 +32,6 @@ However, a **bypass** has been identified where an attacker with sufficient perm
6. Observe that Macie still reveals the original secret, despite the file being deleted and replaced with different content **from different accounts, in our case it will be the attacker's account**.
-## Summary:
+**Summary:**
This vulnerability allows an attacker with sufficient AWS IAM permissions to recover previously detected secrets even after the original file has been deleted from S3. If an AWS secret key, access token, or other sensitive credential is exposed, an attacker could leverage this flaw to retrieve it and gain unauthorized access to AWS resources. This could lead to privilege escalation, unauthorized data access, or further compromise of cloud assets, resulting in data breaches and service disruptions.
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-macie-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-macie-enum.md
index 899ca1b9f..83f86de45 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-macie-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-macie-enum.md
@@ -1,8 +1,70 @@
# Amazon Macie
-## Introduction
+{{#include ../../../banners/hacktricks-training.md}}
-Amazon Macie is a data security service that discovers sensitive data by using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks.
+## Macie
+
+Amazon Macie stands out as a service designed to **automatically detect, classify, and identify data** within an AWS account. It leverages **machine learning** to continuously monitor and analyze data, primarily focusing on detecting and alerting against unusual or suspicious activities by examining **cloud trail event** data and user behavior patterns.
+
+Key Features of Amazon Macie:
+
+1. **Active Data Review**: Employs machine learning to review data actively as various actions occur within the AWS account.
+2. **Anomaly Detection**: Identifies irregular activities or access patterns, generating alerts to mitigate potential data exposure risks.
+3. **Continuous Monitoring**: Automatically monitors and detects new data in Amazon S3, employing machine learning and artificial intelligence to adapt to data access patterns over time.
+4. **Data Classification with NLP**: Utilizes natural language processing (NLP) to classify and interpret different data types, assigning risk scores to prioritize findings.
+5. **Security Monitoring**: Identifies security-sensitive data, including API keys, secret keys, and personal information, helping to prevent data leaks.
+
+Amazon Macie is a **regional service** and requires the 'AWSMacieServiceCustomerSetupRole' IAM Role and an enabled AWS CloudTrail for functionality.
+
+### Alert System
+
+Macie categorizes alerts into predefined categories like:
+
+- Anonymized access
+- Data compliance
+- Credential Loss
+- Privilege escalation
+- Ransomware
+- Suspicious access, etc.
+
+These alerts provide detailed descriptions and result breakdowns for effective response and resolution.
+
+### Dashboard Features
+
+The dashboard categorizes data into various sections, including:
+
+- S3 Objects (by time range, ACL, PII)
+- High-risk CloudTrail events/users
+- Activity Locations
+- CloudTrail user identity types, and more.
+
+### User Categorization
+
+Users are classified into tiers based on the risk level of their API calls:
+
+- **Platinum**: High-risk API calls, often with admin privileges.
+- **Gold**: Infrastructure-related API calls.
+- **Silver**: Medium-risk API calls.
+- **Bronze**: Low-risk API calls.
+
+### Identity Types
+
+Identity types include Root, IAM user, Assumed Role, Federated User, AWS Account, and AWS Service, indicating the source of requests.
+
+### Data Classification
+
+Data classification encompasses:
+
+- Content-Type: Based on detected content type.
+- File Extension: Based on file extension.
+- Theme: Categorized by keywords within files.
+- Regex: Categorized based on specific regex patterns.
+
+The highest risk among these categories determines the file's final risk level.
+
+### Research and Analysis
+
+Amazon Macie's research function allows for custom queries across all Macie data for in-depth analysis. Filters include CloudTrail Data, S3 Bucket properties, and S3 Objects. Moreover, it supports inviting other accounts to share Amazon Macie, facilitating collaborative data management and security monitoring.
## Listing Findings with AWS Console
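Review bot: the description moved in here conflicts with the rest of the page. The intro and the `Alert System`, `Dashboard Features`, `User Categorization` and `Research and Analysis` sections describe a service that analyses CloudTrail events and user behaviour, assigns Platinum/Gold/Silver/Bronze tiers to users and offers a research query function, while the existing `## Listing Findings with AWS Console` section and the enumeration block below use the `macie2` API, whose commands (`describe-buckets`, `get-automated-discovery-configuration`, `list-classification-jobs`, `list-custom-data-identifiers`) are all about discovering sensitive data in S3. Those two pictures should be reconciled before merge, otherwise a reader is told to look for CloudTrail anomaly alerts and user risk tiers that the `macie2` enumeration on the same page never surfaces. Separately, the page title stays `# Amazon Macie` while the SUMMARY entry added in this PR calls it `AWS - Macie Enum`; the other service pages use the `AWS - <Service> Enum` title form.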
@@ -19,31 +81,63 @@ Amazon Macie provides a feature that displays detected secrets in clear-text for
-## Enumeration
+### Enumeration
```bash
-# List and describe classification jobs
-aws macie2 list-classification-jobs --region eu-west-1
-aws macie2 describe-classification-job --job-id --region eu-west-1
+# Get buckets
+aws macie2 describe-buckets
+
+# Org config
+aws macie2 describe-organization-configuration
+
+# Get admin account (if any)
+aws macie2 get-administrator-account
+aws macie2 list-organization-admin-accounts # Run from the management account of the org
+
+# Get macie account members (run this from the admin account)
+aws macie2 list-members
+
+# Check if automated sensitive data discovey is enabled
+aws macie2 get-automated-discovery-configuration
+
+# Get findings
+aws macie2 list-findings
+aws macie2 get-findings --finding-ids
+aws macie2 list-findings-filters
+aws macie2 get -findings-filters --id
+
+# Get allow lists
+aws macie2 list-allow-lists
+aws macie2 get-allow-list --id
+
+# Get different info
+aws macie2 list-classification-jobs
+aws macie2 describe-classification-job --job-id
+aws macie2 list-classification-scopes
+aws macie2 list-custom-data-identifiers
+aws macie2 get-custom-data-identifier --id
# Retrieve account details and statistics
-aws macie2 get-macie-session --region eu-west-1
-aws macie2 get-usage-statistics --region eu-west-1
-
-# List and manage Macie members (for organizations)
-aws macie2 list-members --region eu-west-1
-
-# List findings and get detailed information about specific findings
-aws macie2 list-findings --region eu-west-1
-aws macie2 get-findings --finding-id --region eu-west-1
-
-# Manage custom data identifiers
-aws macie2 list-custom-data-identifiers --region eu-west-1
-aws macie2 get-custom-data-identifier --id --region eu-west-1
-
-# List and detail findings filters
-aws macie2 list-findings-filters --region eu-west-1
-aws macie2 get-findings-filter --id --region eu-west-1
-
+aws macie2 get-macie-session
+aws macie2 get-usage-statistic
```
+### Privesc
+
+{{#ref}}
+../aws-privilege-escalation/aws-macie-privesc.md
+{{#endref}}
+
+### Post Exploitation
+
+> [!TIP]
+> From an attackers perspective, this service isn't made to detect the attacker, but to detect sensitive information in the stored files. Therefore, this service might **help an attacker to find sensitive info** inside the buckets.\
+> However, maybe an attacker could also be interested in disrupting it in order to prevent the victim from getting alerts and steal that info easier.
+
+TODO: PRs are welcome!
+
+## References
+
+- [https://cloudacademy.com/blog/introducing-aws-security-hub/](https://cloudacademy.com/blog/introducing-aws-security-hub/)
+
+{{#include ../../../../banners/hacktricks-training.md}}
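Review bot: the rewritten enumeration block introduces two broken command names that the removed lines had right: `aws macie2 get -findings-filters --id` should be `aws macie2 get-findings-filter --id` (the removed line `aws macie2 get-findings-filter --id --region eu-west-1` was correct), and `aws macie2 get-usage-statistic` should be `aws macie2 get-usage-statistics` (again correct in the removed line). The comment `# Check if automated sensitive data discovey is enabled` also keeps the `discovey` typo from the deleted page. Two more points in this hunk: the footer include uses `../../../../banners/hacktricks-training.md`, four levels up, while the header include added at the top of the same file uses `../../../banners/hacktricks-training.md`; the four-level path was copied from the deleted page one directory deeper and will not resolve from `aws-services/`, so it should match the three-level header path. Finally, the only entry under `## References` is `https://cloudacademy.com/blog/introducing-aws-security-hub/`, a Security Hub article, which looks like a leftover from the Security Hub page rather than a source for this Macie content.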
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md
deleted file mode 100644
index e6e3a2281..000000000
--- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md
+++ /dev/null
@@ -1,122 +0,0 @@
-# AWS - Macie Enum
-
-## AWS - Macie Enum
-
-{{#include ../../../../banners/hacktricks-training.md}}
-
-## Macie
-
-Amazon Macie stands out as a service designed to **automatically detect, classify, and identify data** within an AWS account. It leverages **machine learning** to continuously monitor and analyze data, primarily focusing on detecting and alerting against unusual or suspicious activities by examining **cloud trail event** data and user behavior patterns.
-
-Key Features of Amazon Macie:
-
-1. **Active Data Review**: Employs machine learning to review data actively as various actions occur within the AWS account.
-2. **Anomaly Detection**: Identifies irregular activities or access patterns, generating alerts to mitigate potential data exposure risks.
-3. **Continuous Monitoring**: Automatically monitors and detects new data in Amazon S3, employing machine learning and artificial intelligence to adapt to data access patterns over time.
-4. **Data Classification with NLP**: Utilizes natural language processing (NLP) to classify and interpret different data types, assigning risk scores to prioritize findings.
-5. **Security Monitoring**: Identifies security-sensitive data, including API keys, secret keys, and personal information, helping to prevent data leaks.
-
-Amazon Macie is a **regional service** and requires the 'AWSMacieServiceCustomerSetupRole' IAM Role and an enabled AWS CloudTrail for functionality.
-
-### Alert System
-
-Macie categorizes alerts into predefined categories like:
-
-- Anonymized access
-- Data compliance
-- Credential Loss
-- Privilege escalation
-- Ransomware
-- Suspicious access, etc.
-
-These alerts provide detailed descriptions and result breakdowns for effective response and resolution.
-
-### Dashboard Features
-
-The dashboard categorizes data into various sections, including:
-
-- S3 Objects (by time range, ACL, PII)
-- High-risk CloudTrail events/users
-- Activity Locations
-- CloudTrail user identity types, and more.
-
-### User Categorization
-
-Users are classified into tiers based on the risk level of their API calls:
-
-- **Platinum**: High-risk API calls, often with admin privileges.
-- **Gold**: Infrastructure-related API calls.
-- **Silver**: Medium-risk API calls.
-- **Bronze**: Low-risk API calls.
-
-### Identity Types
-
-Identity types include Root, IAM user, Assumed Role, Federated User, AWS Account, and AWS Service, indicating the source of requests.
-
-### Data Classification
-
-Data classification encompasses:
-
-- Content-Type: Based on detected content type.
-- File Extension: Based on file extension.
-- Theme: Categorized by keywords within files.
-- Regex: Categorized based on specific regex patterns.
-
-The highest risk among these categories determines the file's final risk level.
-
-### Research and Analysis
-
-Amazon Macie's research function allows for custom queries across all Macie data for in-depth analysis. Filters include CloudTrail Data, S3 Bucket properties, and S3 Objects. Moreover, it supports inviting other accounts to share Amazon Macie, facilitating collaborative data management and security monitoring.
-
-### Enumeration
-
-```
-# Get buckets
-aws macie2 describe-buckets
-
-# Org config
-aws macie2 describe-organization-configuration
-
-# Get admin account (if any)
-aws macie2 get-administrator-account
-aws macie2 list-organization-admin-accounts # Run from the management account of the org
-
-# Get macie account members (run this form the admin account)
-aws macie2 list-members
-
-# Check if automated sensitive data discovey is enabled
-aws macie2 get-automated-discovery-configuration
-
-# Get findings
-aws macie2 list-findings
-aws macie2 get-findings --finding-ids
-aws macie2 list-findings-filters
-aws macie2 get -findings-filters --id
-
-# Get allow lists
-aws macie2 list-allow-lists
-aws macie2 get-allow-list --id
-
-# Get different info
-aws macie2 list-classification-jobs
-aws macie2 list-classification-scopes
-aws macie2 list-custom-data-identifiers
-```
-
-#### Post Exploitation
-
-> [!TIP]
-> From an attackers perspective, this service isn't made to detect the attacker, but to detect sensitive information in the stored files. Therefore, this service might **help an attacker to find sensitive info** inside the buckets.\
-> However, maybe an attacker could also be interested in disrupting it in order to prevent the victim from getting alerts and steal that info easier.
-
-TODO: PRs are welcome!
-
-## References
-
-- [https://cloudacademy.com/blog/introducing-aws-security-hub/](https://cloudacademy.com/blog/introducing-aws-security-hub/)
-
-{{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
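Review bot: deleting this page is consistent with the SUMMARY change and the new copy under `aws-services/`, but the move changes the page's URL, so any existing inbound links to `aws-security-and-detection-services/aws-macie-enum.md` will break; consider adding a redirect if the site build supports it. When comparing against the new copy, note that the rewrite fixed `run this form the admin account` but carried over `discovey` and the `get -findings-filters` spacing error, so those still need fixing in the new file.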