gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-27 21:23:07 -08:00
Code Issues Packages Projects Releases Wiki Activity

fix macie

Browse Source
This commit is contained in:
Carlos Polop
2025-02-13 11:00:27 +01:00
parent abbd0a816b
commit 615a959bb6
4 changed files with 135 additions and 150 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-macie-privesc.md
View File

@@ -1,4 +1,16 @@
# Amazon Macie - Bypass `Reveal Sample` Integrity Check
# AWS - Macie Privesc
{{#include ../../../banners/hacktricks-training.md}}
## Macie
For more information about Macie check:
{{#ref}}
../aws-services/aws-macie-enum.md
{{#endref}}
### Amazon Macie - Bypass `Reveal Sample` Integrity Check
AWS Macie is a security service that automatically detects sensitive data within AWS environments, such as credentials, personally identifiable information (PII), and other confidential data. When Macie identifies a sensitive credential, such as an AWS secret key stored in an S3 bucket, it generates a finding that allows the owner to view a "sample" of the detected data. Typically, once the sensitive file is removed from the S3 bucket, it is expected that the secret can no longer be retrieved.
@@ -6,7 +18,7 @@ However, a **bypass** has been identified where an attacker with sufficient perm
<img src="https://github.com/user-attachments/assets/c44228ae-12cd-41bd-9a04-57f503a63281" height="800" width="auto"/>
## Steps To Reproduce:
**Steps To Reproduce:**
1. Upload a file (e.g., `test-secret.txt`) to an S3 bucket with sensitive data, such as an AWS secret key. Wait for AWS Macie to scan and generate a finding.
@@ -20,6 +32,6 @@ However, a **bypass** has been identified where an attacker with sufficient perm
6. Observe that Macie still reveals the original secret, despite the file being deleted and replaced with different content **from different accounts, in our case it will be the attacker's account**.
## Summary:
**Summary:**
This vulnerability allows an attacker with sufficient AWS IAM permissions to recover previously detected secrets even after the original file has been deleted from S3. If an AWS secret key, access token, or other sensitive credential is exposed, an attacker could leverage this flaw to retrieve it and gain unauthorized access to AWS resources. This could lead to privilege escalation, unauthorized data access, or further compromise of cloud assets, resulting in data breaches and service disruptions.

142
src/pentesting-cloud/aws-security/aws-services/aws-macie-enum.md
View File

@@ -1,8 +1,70 @@
# Amazon Macie
## Introduction
{{#include ../../../banners/hacktricks-training.md}}
Amazon Macie is a data security service that discovers sensitive data by using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks.
## Macie
Amazon Macie stands out as a service designed to **automatically detect, classify, and identify data** within an AWS account. It leverages **machine learning** to continuously monitor and analyze data, primarily focusing on detecting and alerting against unusual or suspicious activities by examining **cloud trail event** data and user behavior patterns.
Key Features of Amazon Macie:
1. **Active Data Review**: Employs machine learning to review data actively as various actions occur within the AWS account.
2. **Anomaly Detection**: Identifies irregular activities or access patterns, generating alerts to mitigate potential data exposure risks.
3. **Continuous Monitoring**: Automatically monitors and detects new data in Amazon S3, employing machine learning and artificial intelligence to adapt to data access patterns over time.
4. **Data Classification with NLP**: Utilizes natural language processing (NLP) to classify and interpret different data types, assigning risk scores to prioritize findings.
5. **Security Monitoring**: Identifies security-sensitive data, including API keys, secret keys, and personal information, helping to prevent data leaks.
Amazon Macie is a **regional service** and requires the 'AWSMacieServiceCustomerSetupRole' IAM Role and an enabled AWS CloudTrail for functionality.
### Alert System
Macie categorizes alerts into predefined categories like:
- Anonymized access
- Data compliance
- Credential Loss
- Privilege escalation
- Ransomware
- Suspicious access, etc.
These alerts provide detailed descriptions and result breakdowns for effective response and resolution.
### Dashboard Features
The dashboard categorizes data into various sections, including:
- S3 Objects (by time range, ACL, PII)
- High-risk CloudTrail events/users
- Activity Locations
- CloudTrail user identity types, and more.
### User Categorization
Users are classified into tiers based on the risk level of their API calls:
- **Platinum**: High-risk API calls, often with admin privileges.
- **Gold**: Infrastructure-related API calls.
- **Silver**: Medium-risk API calls.
- **Bronze**: Low-risk API calls.
### Identity Types
Identity types include Root, IAM user, Assumed Role, Federated User, AWS Account, and AWS Service, indicating the source of requests.
### Data Classification
Data classification encompasses:
- Content-Type: Based on detected content type.
- File Extension: Based on file extension.
- Theme: Categorized by keywords within files.
- Regex: Categorized based on specific regex patterns.
The highest risk among these categories determines the file's final risk level.
### Research and Analysis
Amazon Macie's research function allows for custom queries across all Macie data for in-depth analysis. Filters include CloudTrail Data, S3 Bucket properties, and S3 Objects. Moreover, it supports inviting other accounts to share Amazon Macie, facilitating collaborative data management and security monitoring.
## Listing Findings with AWS Console
@@ -19,31 +81,63 @@ Amazon Macie provides a feature that displays detected secrets in clear-text for
<img width="1154" alt="Screenshot 2025-02-10 at 19 15 11" src="https://github.com/user-attachments/assets/df616e56-a11a-41da-ac69-0bea37d143a5" />
## Enumeration
### Enumeration
```bash
# List and describe classification jobs
aws macie2 list-classification-jobs --region eu-west-1
aws macie2 describe-classification-job --job-id <Job_ID> --region eu-west-1
# Get buckets
aws macie2 describe-buckets
# Org config
aws macie2 describe-organization-configuration
# Get admin account (if any)
aws macie2 get-administrator-account
aws macie2 list-organization-admin-accounts # Run from the management account of the org
# Get macie account members (run this from the admin account)
aws macie2 list-members
# Check if automated sensitive data discovey is enabled
aws macie2 get-automated-discovery-configuration
# Get findings
aws macie2 list-findings
aws macie2 get-findings --finding-ids <ids>
aws macie2 list-findings-filters
aws macie2 get -findings-filters --id <id>
# Get allow lists
aws macie2 list-allow-lists
aws macie2 get-allow-list --id <id>
# Get different info
aws macie2 list-classification-jobs
aws macie2 describe-classification-job --job-id <Job_ID>
aws macie2 list-classification-scopes
aws macie2 list-custom-data-identifiers
aws macie2 get-custom-data-identifier --id <Identifier_ID>
# Retrieve account details and statistics
aws macie2 get-macie-session --region eu-west-1
aws macie2 get-usage-statistics --region eu-west-1
# List and manage Macie members (for organizations)
aws macie2 list-members --region eu-west-1
# List findings and get detailed information about specific findings
aws macie2 list-findings --region eu-west-1
aws macie2 get-findings --finding-id <Finding_ID> --region eu-west-1
# Manage custom data identifiers
aws macie2 list-custom-data-identifiers --region eu-west-1
aws macie2 get-custom-data-identifier --id <Identifier_ID> --region eu-west-1
# List and detail findings filters
aws macie2 list-findings-filters --region eu-west-1
aws macie2 get-findings-filter --id <Filter_ID> --region eu-west-1
aws macie2 get-macie-session
aws macie2 get-usage-statistic
```
### Privesc
{{#ref}}
../aws-privilege-escalation/aws-macie-privesc.md
{{#endref}}
### Post Exploitation
> [!TIP]
> From an attackers perspective, this service isn't made to detect the attacker, but to detect sensitive information in the stored files. Therefore, this service might **help an attacker to find sensitive info** inside the buckets.\
> However, maybe an attacker could also be interested in disrupting it in order to prevent the victim from getting alerts and steal that info easier.
TODO: PRs are welcome!
## References
- [https://cloudacademy.com/blog/introducing-aws-security-hub/](https://cloudacademy.com/blog/introducing-aws-security-hub/)
{{#include ../../../../banners/hacktricks-training.md}}

122
src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md
View File

@@ -1,122 +0,0 @@
# AWS - Macie Enum
## AWS - Macie Enum
{{#include ../../../../banners/hacktricks-training.md}}
## Macie
Amazon Macie stands out as a service designed to **automatically detect, classify, and identify data** within an AWS account. It leverages **machine learning** to continuously monitor and analyze data, primarily focusing on detecting and alerting against unusual or suspicious activities by examining **cloud trail event** data and user behavior patterns.
Key Features of Amazon Macie:
1. **Active Data Review**: Employs machine learning to review data actively as various actions occur within the AWS account.
2. **Anomaly Detection**: Identifies irregular activities or access patterns, generating alerts to mitigate potential data exposure risks.
3. **Continuous Monitoring**: Automatically monitors and detects new data in Amazon S3, employing machine learning and artificial intelligence to adapt to data access patterns over time.
4. **Data Classification with NLP**: Utilizes natural language processing (NLP) to classify and interpret different data types, assigning risk scores to prioritize findings.
5. **Security Monitoring**: Identifies security-sensitive data, including API keys, secret keys, and personal information, helping to prevent data leaks.
Amazon Macie is a **regional service** and requires the 'AWSMacieServiceCustomerSetupRole' IAM Role and an enabled AWS CloudTrail for functionality.
### Alert System
Macie categorizes alerts into predefined categories like:
- Anonymized access
- Data compliance
- Credential Loss
- Privilege escalation
- Ransomware
- Suspicious access, etc.
These alerts provide detailed descriptions and result breakdowns for effective response and resolution.
### Dashboard Features
The dashboard categorizes data into various sections, including:
- S3 Objects (by time range, ACL, PII)
- High-risk CloudTrail events/users
- Activity Locations
- CloudTrail user identity types, and more.
### User Categorization
Users are classified into tiers based on the risk level of their API calls:
- **Platinum**: High-risk API calls, often with admin privileges.
- **Gold**: Infrastructure-related API calls.
- **Silver**: Medium-risk API calls.
- **Bronze**: Low-risk API calls.
### Identity Types
Identity types include Root, IAM user, Assumed Role, Federated User, AWS Account, and AWS Service, indicating the source of requests.
### Data Classification
Data classification encompasses:
- Content-Type: Based on detected content type.
- File Extension: Based on file extension.
- Theme: Categorized by keywords within files.
- Regex: Categorized based on specific regex patterns.
The highest risk among these categories determines the file's final risk level.
### Research and Analysis
Amazon Macie's research function allows for custom queries across all Macie data for in-depth analysis. Filters include CloudTrail Data, S3 Bucket properties, and S3 Objects. Moreover, it supports inviting other accounts to share Amazon Macie, facilitating collaborative data management and security monitoring.
### Enumeration
```
# Get buckets
aws macie2 describe-buckets
# Org config
aws macie2 describe-organization-configuration
# Get admin account (if any)
aws macie2 get-administrator-account
aws macie2 list-organization-admin-accounts # Run from the management account of the org
# Get macie account members (run this form the admin account)
aws macie2 list-members
# Check if automated sensitive data discovey is enabled
aws macie2 get-automated-discovery-configuration
# Get findings
aws macie2 list-findings
aws macie2 get-findings --finding-ids <ids>
aws macie2 list-findings-filters
aws macie2 get -findings-filters --id <id>
# Get allow lists
aws macie2 list-allow-lists
aws macie2 get-allow-list --id <id>
# Get different info
aws macie2 list-classification-jobs
aws macie2 list-classification-scopes
aws macie2 list-custom-data-identifiers
```
#### Post Exploitation
> [!TIP]
> From an attackers perspective, this service isn't made to detect the attacker, but to detect sensitive information in the stored files. Therefore, this service might **help an attacker to find sensitive info** inside the buckets.\
> However, maybe an attacker could also be interested in disrupting it in order to prevent the victim from getting alerts and steal that info easier.
TODO: PRs are welcome!
## References
- [https://cloudacademy.com/blog/introducing-aws-security-hub/](https://cloudacademy.com/blog/introducing-aws-security-hub/)
{{#include ../../../../banners/hacktricks-training.md}}