zoph-io/aws-security-survival-kit

Data theft techniques

Closed this issue · 8 comments

z0ph commented


Should be straightforward. I'll grab this one

z0ph commented

Great, thanks Christophe!

Famous last words: "should be straightforward"

Even though AWS documentation (https://docs.aws.amazon.com/cloudshell/latest/userguide/logging-and-monitoring.html) makes it seem like all CloudShell events they list out will be pushed to EventBridge as events, this doesn't appear to be the case. It does push through events like CreateSession, PutCredentials, etc... but it doesn't appear to push GetFileDownloadUrls, which is the one we need. This is the EventPattern I used (straight from their docs):

{
    "source": ["aws.cloudshell"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudshell.amazonaws.com"]
    }
}

Sending those events to a CloudWatch Logs group, I am able to see some of the events but again not the one we needed here. I'm going to keep playing around with it and probably contact AWS support to see if this is a bug or something I'm missing. In the meantime, I had to set this up as a CloudWatch Metric & Alarm, which does work. I would have preferred EventBridge and will update once this gets figured out, but in the meantime this will work. Doing a final round of testing and then I'll create the PR.

z0ph commented

That's what I was thinking originally, but no, I don't think so:

  1. The event is visible in CloudTrail's Event History and is labeled as a Management Event

For reference:

{
    "eventVersion": "1.08",
    "userIdentity": {
        ...
        }
    },
    "eventTime": "2024-02-13T04:37:21Z",
    "eventSource": "cloudshell.amazonaws.com",
    "eventName": "GetFileDownloadUrls",
    "awsRegion": "us-east-1",
    "requestParameters": {
        "FileDownloadPath": "/home/cloudshell-user/test.txt",
        "EnvironmentId": "xxx"
    },
    "responseElements": null,
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "xxx",
    "eventCategory": "Management"
}
  2. The event gets pushed to CloudWatch Logs and I'm able to find it with CloudWatch Insights, so it's definitely getting picked up by CloudTrail and being pushed to CloudWatch. The only time I can't get the event to push through is when I involve EventBridge.

Hold off on this, I just figured it out. EventBridge recently got an update that requires using a State: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS in order to receive read-only management events from CloudTrail in EventBridge. That's why it wasn't receiving it. More info here: https://aws.amazon.com/blogs/compute/introducing-support-for-read-only-management-events-in-amazon-eventbridge/

^^^ here we go, this is what we want. This was an interesting learning experience for sure :)
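As an added illustration of what this thread worked out (not code from the repository or from either commenter): a small Python model of why the rule stayed silent. `pattern_matches` applies simplified EventBridge pattern semantics, `rule_delivers` adds the read-only gate that only the ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS state lifts, and `put_rule_args` shows the boto3 `put_rule` arguments for a rule narrowed to GetFileDownloadUrls (not called here). The sample event is the record from the thread, constructed and wrapped as EventBridge would deliver it; the delivery model is an assumption, not AWS's exact implementation.

```python
import json

# Constructed sample: the CloudTrail record quoted above, wrapped the way
# EventBridge delivers it under detail-type "AWS API Call via CloudTrail".
SAMPLE_EVENT = {
    "source": "aws.cloudshell",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "cloudshell.amazonaws.com",
        "eventName": "GetFileDownloadUrls",
        "readOnly": True,          # read-only management event: the gotcha
        "managementEvent": True,
        "requestParameters": {"FileDownloadPath": "/home/cloudshell-user/test.txt"},
    },
}

# The pattern from the thread plus an eventName filter, so the rule fires on
# file downloads rather than on every CloudShell API call.
DOWNLOAD_PATTERN = {
    "source": ["aws.cloudshell"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudshell.amazonaws.com"],
        "eventName": ["GetFileDownloadUrls"],
    },
}

def pattern_matches(pattern, event):
    """Simplified EventBridge matching: every pattern key must exist in the
    event; a list means 'value is one of these'; a nested dict recurses."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not pattern_matches(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True

def rule_delivers(pattern, event, state="ENABLED"):
    """Assumed delivery model: a matching read-only management event reaches
    the target only when the rule is ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS."""
    if state == "DISABLED" or not pattern_matches(pattern, event):
        return False
    if event.get("detail", {}).get("readOnly"):
        return state == "ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS"
    return True

def put_rule_args(name):
    """Keyword arguments for boto3 events.put_rule(**put_rule_args(name))."""
    return {"Name": name, "State": "ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS",
            "EventPattern": json.dumps(DOWNLOAD_PATTERN)}
```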

z0ph commented

Great! Thanks!