Hello Reader,
It's Sunday! This week's challenge is all about what's left behind when someone is able to get a temporary access key from an IAM role in AWS. Let's see who is able to build out the best detection set!
$100 Amazon Gift Card
The Rules:
- You must post your answer before Friday 2/21/25 7PM CST (GMT -5)
- The most complete answer wins
- You are allowed to edit your answer after posting
- If two answers are too similar for one to win, the one with the earlier posting time wins
- Be specific and be thoughtful
- Anonymous entries are allowed; please email them to dlcowen@gmail.com. Please state in your email whether you would like to be anonymous if you win.
- In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post
- AI assistance is welcomed, but if a post is deemed to be entirely AI written it will not qualify for a prize.
AWS IAM roles are often targeted by threat actors after they get access to a running virtual machine. While AWS IMDS v2 may prevent some attacks, the functionality is still there and is being actively exploited to get credentials and act as a service or role. In this challenge I want you to try the following and document what logs are left that could be used to detect or determine that these actions occurred.
1. Retrieve a temporary AWS access key credential from IMDS v1
2. Retrieve a temporary AWS access key credential from IMDS v2
3. Use the temporary access key within an AWS VM
4. Use the temporary access key from outside of AWS
From all four scenarios, determine what logs are created.
Bonus: Try to document other scenarios of theft and use, and additional sources of evidence.
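As an added illustration of the detection side of this challenge (this is not part of the challenge text or of any entry), the script below triages CloudTrail records for instance-profile role sessions. Two properties of such records are what it keys on: the session name in the assumed-role ARN is the EC2 instance ID, and the record's sessionContext carries ec2RoleDelivery ("1.0" when the credentials came from IMDSv1, "2.0" for IMDSv2). That lets one log source separate scenario 1 from scenario 2, and comparing sourceIPAddress against an inventory of which addresses each instance actually owns separates scenario 3 from scenario 4. The event records and the instance inventory below are constructed for the example; the inventory lookup is a stand-in for whatever asset data you have.

```python
"""Flag suspicious use of EC2 instance-profile credentials in CloudTrail.

Added example for the challenge above. Every record here is constructed;
nothing is copied from a real account.
"""
import ipaddress
import re

# Instance-profile sessions use the instance ID as the role session name.
INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8,17}$")

# Hypothetical asset inventory: the addresses an instance is expected to call
# AWS APIs from (private IP via VPC endpoints, public/NAT IP via the internet).
INSTANCE_IPS = {
    "i-0abc1234def567890": {"10.0.1.25", "203.0.113.10"},
}


def _make_event(name, source_ip, session_name, delivery, role="WebServerRole"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {
        "eventName": name,
        "sourceIPAddress": source_ip,
        "userIdentity": {
            "type": "AssumedRole",
            "accessKeyId": "ASIAEXAMPLEKEY123456",  # placeholder, not a real key
            "arn": f"arn:aws:sts::123456789012:assumed-role/{role}/{session_name}",
            "sessionContext": {
                "sessionIssuer": {"type": "Role", "userName": role},
                "ec2RoleDelivery": delivery,  # "1.0" = IMDSv1, "2.0" = IMDSv2
            },
        },
    }


SAMPLE_EVENTS = [
    # Scenario 3: IMDSv2 credentials used from the instance's own private IP.
    _make_event("ListBuckets", "10.0.1.25", "i-0abc1234def567890", "2.0"),
    # Scenario 1: credentials were handed out by IMDSv1.
    _make_event("GetCallerIdentity", "203.0.113.10", "i-0abc1234def567890", "1.0"),
    # Scenario 4: instance credentials used from an address the instance does not own.
    _make_event("ListBuckets", "198.51.100.77", "i-0abc1234def567890", "2.0"),
    # AWS service making a call on the session's behalf: sourceIPAddress is a DNS name.
    _make_event("DescribeInstances", "ec2.amazonaws.com", "i-0abc1234def567890", "2.0"),
]


def analyze_event(event, inventory=INSTANCE_IPS):
    """Return reason strings for one record; an empty list means nothing flagged."""
    reasons = []
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return reasons
    session_name = ident.get("arn", "").rsplit("/", 1)[-1]
    if not INSTANCE_ID_RE.match(session_name):
        return reasons  # a role session, but not an instance-profile one

    delivery = ident.get("sessionContext", {}).get("ec2RoleDelivery")
    if delivery == "1.0":
        reasons.append("credentials obtained via IMDSv1")

    src = event.get("sourceIPAddress", "")
    try:
        ipaddress.ip_address(src)
    except ValueError:
        return reasons  # service principal (e.g. ec2.amazonaws.com), not a client IP

    expected = inventory.get(session_name)
    if expected is None:
        reasons.append(f"instance {session_name} is not in the inventory")
    elif src not in expected:
        reasons.append(f"call from {src}, not an address of {session_name}")
    return reasons


def analyze(events, inventory=INSTANCE_IPS):
    """Run analyze_event over a batch and keep only the flagged records."""
    findings = []
    for ev in events:
        reasons = analyze_event(ev, inventory)
        if reasons:
            findings.append({
                "eventName": ev["eventName"],
                "sourceIPAddress": ev["sourceIPAddress"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against real data, the events would come from the CloudTrail JSON (each file's "Records" array) and the inventory from your EC2 description data; the two checks are deliberately separate so that an IMDSv1 hit on the instance's own IP and an IMDSv2 session used from elsewhere each produce their own reason.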