
Threat hunting in flaws.cloud dataset

Jun Zhou · 4 min read

Hello, my name is Jun and I love all things data and devops. Recently, I discovered the flaws.cloud dataset, a public CloudTrail dataset that contains logs of various API requests in a vulnerable AWS account.

I put Dassana to the test, seeing if I could easily garner meaningful insights.

To kick things off, I created a custom app named flaws through the Dassana App Store and then wrote a bash script to quickly send the dataset (~240 MB) over HTTPS. It took less than three minutes to load all the data. The nice thing about the Dassana data lake is that I can explore the dataset using SQL without creating any table, defining fields, and so on.

Initial Discoveries

I started with some basic inspections:

How many events were ingested?

select count(*) from flaws


What kind of errors do we have?

select count(*) as count, errorCode from flaws
where errorCode != ''
group by errorCode
order by count desc limit 10


Server.InsufficientInstanceCapacity looks interesting. Even cloud service providers can run out of servers. Let's see what kind of instances were requested.

select count(*) as count, requestParameters.instanceType from flaws
where errorCode = 'Server.InsufficientInstanceCapacity'
group by requestParameters.instanceType
order by count desc limit 5


Wow, someone attempted to launch an i3.metal instance! That is a beefy box.

Anyway, looking at the top error codes, we find that Client.RequestLimitExceeded, Client.UnauthorizedOperation, and AccessDenied are extremely common. Let's find the culprit.

What users are responsible for these excessive errors?

select userIdentity.arn as arn, count(*) as deniedActions, errorCode
from flaws
where errorCode != ''
group by userIdentity.arn, errorCode
order by deniedActions desc


What is user/Level6 doing? This user has the most errors.

select userIdentity.arn as arn, count(*) as deniedActions, errorCode
from flaws
where userIdentity.arn = 'arn:aws:iam::811596193553:user/Level6'
and errorCode != ''
group by userIdentity.arn, errorCode
order by deniedActions desc


This user is executing a lot of API calls that fail with Client.RequestLimitExceeded, Client.UnauthorizedOperation, and Client.Unsupported.

Based on these initial results, I am willing to bet that this user is the cause of pain across this environment. Let's break the failures down by API call and service.

select userIdentity.arn as arn, count(*) as deniedActions, errorCode, eventName, eventSource
from flaws
where userIdentity.arn = 'arn:aws:iam::811596193553:user/Level6'
and errorCode != ''
group by userIdentity.arn, errorCode, eventName, eventSource
order by deniedActions desc


This user is surely up to no good: the majority of the failed operations are RunInstances, so Level6 may be trying to launch EC2 instances it is not authorized to launch.

note

In Level 4 of the flaws.cloud challenge, the attacker calls STS GetCallerIdentity with the leaked keys and learns that they belong to IAM user backup, along with the account ID. With that, the attacker can list the account's EC2 snapshots and find one that was shared publicly, create a volume from that snapshot, attach it to an EC2 instance, mount the volume, and discover a file containing credentials.

Let's find out whether there are any AssumeRole events:

select * from flaws
where userIdentity.arn = 'arn:aws:iam::811596193553:user/Level6'
and eventName = 'AssumeRole'

Yes! And the target role (requestParameters.roleArn) is SecurityAudit.

info

SecurityAudit is also the name of an AWS managed policy that grants broad read-only access across services, which makes a role or user carrying it attractive to an attacker for service discovery.

In fact, Level 6 of the flaws.cloud challenge gives the user the SecurityAudit policy, which eventually allows an adversary to discover an API Gateway target.

What other non-read IAM actions has Level6 performed?

select userIdentity.arn, eventName, count(*) as total from flaws
where eventSource = 'iam.amazonaws.com'
and eventName not like 'Get%'
and eventName not like 'List%'
and eventName not like 'Generate%'
and userIdentity.arn = 'arn:aws:iam::811596193553:user/Level6'
group by userIdentity.arn, eventName
order by total desc
limit 10


That's a lot of SimulatePrincipalPolicy calls, alongside other IAM events. Let's add the predicate errorCode = '' to keep only the successful events.

What successful operations did Level6 perform?

select userIdentity.arn as arn, count(*) as allowedActions, eventName, eventSource
from flaws where
userIdentity.arn = 'arn:aws:iam::811596193553:user/Level6'
and errorCode = ''
and eventName not like '%Get%'
and eventName not like 'List%'
and eventName not like 'Generate%'
and eventName not like 'Desc%'
and eventName not like 'Lookup%'
and eventName not like 'Simulate%'
group by userIdentity.arn, eventName, eventSource
order by allowedActions desc


None! It is interesting that even though every call that succeeded was a read, the failed write attempts still show that privilege escalation was being attempted.
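The same hunt, re-implemented in Python so it can be run offline against raw CloudTrail JSON without a data lake. This is an added example, not code from the post or from Dassana. The records are constructed by hand to resemble the post's findings (they are not from the real dataset), the second principal user/backup and the SecurityAudit role ARN are assumptions, and the account ID is reused from the queries above. It also shows one caveat the SQL hides: raw CloudTrail omits errorCode on success rather than emitting an empty string.

```python
"""Replay the Level6 hunt over a constructed CloudTrail sample (added example)."""
import json
from collections import Counter

LEVEL6 = "arn:aws:iam::811596193553:user/Level6"
BACKUP = "arn:aws:iam::811596193553:user/backup"  # assumed second principal
# Event-name prefixes the post's last query treats as read-only ('Desc%' = Describe*).
READ_PREFIXES = ("Get", "List", "Generate", "Describe", "Lookup", "Simulate")


def _rec(arn, source, name, error=None, **params):
    """Build one CloudTrail-shaped record. Like CloudTrail, omit errorCode on success."""
    rec = {"eventSource": source, "eventName": name,
           "userIdentity": {"type": "IAMUser", "arn": arn},
           "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample in CloudTrail log-file shape ({"Records": [...]}). The events
# are made up to resemble the post's findings; none is copied from the real dataset.
SAMPLE_LOG = json.dumps({"Records": [
    _rec(LEVEL6, "ec2.amazonaws.com", "RunInstances", "Client.UnauthorizedOperation", instanceType="i3.metal"),
    _rec(LEVEL6, "ec2.amazonaws.com", "RunInstances", "Client.UnauthorizedOperation", instanceType="t2.micro"),
    _rec(LEVEL6, "ec2.amazonaws.com", "RunInstances", "Server.InsufficientInstanceCapacity", instanceType="i3.metal"),
    _rec(LEVEL6, "ec2.amazonaws.com", "RunInstances", "Client.RequestLimitExceeded", instanceType="i3.metal"),
    _rec(LEVEL6, "sts.amazonaws.com", "AssumeRole", roleArn="arn:aws:iam::811596193553:role/SecurityAudit"),
    _rec(LEVEL6, "iam.amazonaws.com", "SimulatePrincipalPolicy"),
    _rec(LEVEL6, "iam.amazonaws.com", "CreateAccessKey", "AccessDenied", userName="Level6"),
    _rec(LEVEL6, "iam.amazonaws.com", "ListUsers"),
    _rec(BACKUP, "ec2.amazonaws.com", "DescribeSnapshots"),
    _rec(BACKUP, "ec2.amazonaws.com", "RunInstances", "Client.UnauthorizedOperation", instanceType="t2.micro"),
]})


def load_records(text):
    """Parse one CloudTrail log file; accept {"Records": [...]} or a bare list."""
    doc = json.loads(text)
    return doc["Records"] if isinstance(doc, dict) else doc


def principal(rec):
    return rec.get("userIdentity", {}).get("arn", "")


def error_code(rec):
    # Raw CloudTrail has no errorCode key on success; the data lake showed it as ''.
    return rec.get("errorCode", "")


def params(rec):
    # requestParameters can be null in real CloudTrail records.
    return rec.get("requestParameters") or {}


def is_read_only(event_name):
    return event_name.startswith(READ_PREFIXES)


def errors_by_principal(records):
    """'Which users are responsible for the errors?' -> [((arn, errorCode), count), ...] desc."""
    return Counter((principal(r), error_code(r)) for r in records if error_code(r)).most_common()


def capacity_errors_by_instance_type(records):
    """Instance types behind Server.InsufficientInstanceCapacity, most frequent first."""
    return Counter(params(r).get("instanceType", "?") for r in records
                   if error_code(r) == "Server.InsufficientInstanceCapacity").most_common()


def failed_events(records, arn):
    """Failed (eventSource, eventName, errorCode) triples for one principal, most frequent first."""
    return Counter((r["eventSource"], r["eventName"], error_code(r)) for r in records
                   if principal(r) == arn and error_code(r)).most_common()


def assume_role_targets(records, arn):
    """Role ARNs this principal asked STS to assume (the post's AssumeRole query)."""
    return sorted({params(r).get("roleArn", "") for r in records
                   if principal(r) == arn and r["eventName"] == "AssumeRole"})


def write_attempts(records, arn):
    """Non-read events for one principal, split into (succeeded, failed) Counters."""
    ok, failed = Counter(), Counter()
    for r in records:
        if principal(r) != arn or is_read_only(r["eventName"]):
            continue
        (failed if error_code(r) else ok)[(r["eventSource"], r["eventName"])] += 1
    return ok, failed


RECORDS = load_records(SAMPLE_LOG)

if __name__ == "__main__":
    print("errors by principal:", errors_by_principal(RECORDS))
    print("capacity errors by type:", capacity_errors_by_instance_type(RECORDS))
    print("Level6 failures:", failed_events(RECORDS, LEVEL6))
    print("Level6 assumed roles:", assume_role_targets(RECORDS, LEVEL6))
    succeeded, failed = write_attempts(RECORDS, LEVEL6)
    print("Level6 non-read calls: succeeded", dict(succeeded), "failed", dict(failed))
```

Run it as a script to print the same five views the SQL queries produce. Note that `write_attempts` does not restrict the event source, so the successful AssumeRole shows up as the one non-read call that went through; that is exactly why the post looks at AssumeRole separately rather than relying on the prefix filter alone.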

Summary

To summarize, we found that:

  • IAM user Level6 made suspicious calls with significant failures, notably on EC2
  • Level6 has suspicious STS AssumeRole on SecurityAudit
  • Level6 tried creating access keys but failed

References

flaws.cloud dataset. Kudos to Scott Piper for creating this dataset.