Hello Reader,
It's time for me to be side tracked. I've been exploring pancake viewer in the past few daily blogs, and I do plan to get back to that, but for now I've read about something AWS published back in December of 2019 (aka the before times), which you can read here:
https://aws.amazon.com/blogs/aws/new-programmatic-access-to-ebs-snapshot-content/
I don't remember what crossed my feed to direct me there but once I read it I knew at once this was something I needed to test. Let me explain.
1. This API is similar to one Microsoft has in Azure that allows you to access the individual 512k blocks that make up a VHD stored as a blob in Azure.
2. This API allows you, in the language of your choice, to read individual 512k blocks (think sectors) out of a snapshot.
3. That means you can triage an AWS snapshot as if it were a physical disk, skipping through sectors rather than transferring/imaging the whole thing.
This is amazing, and it is where the entire field of Cloud IR needs to go to be fast and silent. You can create a snapshot without an agent, a write blocker, or letting the attacker know you're there. Even better, with a quick Lambda you can do this automatically, kick off a triage process to do the work for you, and have it email you when it's done.
This is the actual API call you make:
https://docs.aws.amazon.com/ebs/latest/APIReference/API_GetSnapshotBlock.html
I decided to test this out by spinning up a new free tier Amazon Linux AMI, giving it an Admin IAM role to access my EBS stores, and then creating the snapshot from the CLI. From within Python I then pulled and printed the first EBS block.
Also, in the video I thought I couldn't do this through the CLI; it turns out I was just calling the wrong stub. You can absolutely do it through the CLI with the following command:
aws ebs get-snapshot-block --snapshot-id=
To me this is amazing, and I plan to expand on this example in the coming week.
Watch below for a Test Kitchen of me grabbing the first block/sector out of the snapshot and getting the EFI header of my Amazon Linux AMI disk.
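As an added example (my code, not the post's), here is a Python version of the block-0 pull using boto3's ebs client, which assumes a region name and an IAM principal with the ebs:ListSnapshotBlocks and ebs:GetSnapshotBlock permissions, followed by a parser that checks the protective MBR and the GPT header in that block; the sample block is constructed inline so the parser runs offline.

```python
import base64, hashlib, struct, zlib

BLOCK = 512 * 1024   # EBS direct API blocks are 512 KiB
SECTOR = 512
GPT_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header, little-endian

def fetch_block(snapshot_id, block_index=0, region="us-east-1"):
    """Read one block with boto3 (assumed region; needs ebs:ListSnapshotBlocks
    and ebs:GetSnapshotBlock). boto3 is imported here so the parser runs offline."""
    import boto3
    ebs = boto3.client("ebs", region_name=region)
    listing = ebs.list_snapshot_blocks(SnapshotId=snapshot_id,
                                       StartingBlockIndex=block_index, MaxResults=100)
    token = next(b["BlockToken"] for b in listing["Blocks"] if b["BlockIndex"] == block_index)
    resp = ebs.get_snapshot_block(SnapshotId=snapshot_id, BlockIndex=block_index, BlockToken=token)
    data = resp["BlockData"].read()
    # The response carries a base64 SHA256 of the block; verify it before trusting the bytes.
    if base64.b64encode(hashlib.sha256(data).digest()).decode() != resp["Checksum"]:
        raise IOError("block %d checksum mismatch" % block_index)
    return data

def parse_block0(block):
    """Validate the protective MBR (LBA 0) and parse the GPT header (LBA 1) from block 0."""
    mbr, hdr = block[:SECTOR], block[SECTOR:2 * SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("LBA 0 lacks the 0x55AA boot signature")
    protective = mbr[450] == 0xEE          # partition type byte of the first MBR entry
    f = struct.unpack(GPT_FMT, hdr[:92])
    if f[0] != b"EFI PART":
        raise ValueError("LBA 1 lacks the 'EFI PART' signature")
    hdr_size, stored_crc = f[2], f[3]
    # Header CRC32 covers hdr_size bytes with the CRC field itself zeroed.
    calc = zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:hdr_size]) & 0xFFFFFFFF
    return {"protective_mbr": protective, "crc_ok": calc == stored_crc,
            "current_lba": f[5], "backup_lba": f[6], "first_usable_lba": f[7],
            "last_usable_lba": f[8], "partition_entry_lba": f[10],
            "partition_entries": f[11], "entry_size": f[12]}

def build_sample_block():
    """Constructed block 0 for offline testing: protective MBR plus a valid GPT header."""
    mbr = bytearray(SECTOR); mbr[450] = 0xEE; mbr[510:512] = b"\x55\xaa"
    hdr = bytearray(struct.pack(GPT_FMT, b"EFI PART", 0x00010000, 92, 0, 0, 1, 4194303,
                                34, 4194270, b"\x11" * 16, 2, 128, 128, 0))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)) & 0xFFFFFFFF)
    return bytes(mbr) + bytes(hdr).ljust(SECTOR, b"\0") + b"\0" * (BLOCK - 2 * SECTOR)

if __name__ == "__main__":
    print(parse_block0(build_sample_block()))   # swap in fetch_block("snap-...") for a real snapshot
```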