Attack Goals
An attack goal within CodeShield is defined by the AWS IAM action an attacker obtains after performing one of the pre-defined escalation methods within the account.
CodeShield currently defines a total of 22 attack goals. All attack goals are classified and labeled with techniques and tactics from the official MITRE ATT&CK Cloud Matrix.
The table below gives an overview of all pre-defined attack goals and their mapping to the IAM actions within CodeShield.
Goal ID | Title | Description | MITRE ATT&CK Tactics |
---|---|---|---|
ADMIN_ACCESS | Gain Administrator Access on AWS Account | An attacker was able to gain access to the 'AdministratorAccess' policy (or equivalent), effectively compromising the whole account! | |
BLOCK_USER_ACCESS | Block legitimate account access | An attacker can use the gained privileges to block legitimate users' access to your cloud environment. | |
DATA_STORAGE_READ | Gain read access on data storages | An attacker can use the gained privileges to exfiltrate data from one of the data storages in your environment. For S3 data exfiltration, the attacker needs to invoke: `aws s3api get-object --bucket <BUCKET_NAME> --key <SOURCE_FILE_PATH> <TARGET_FILE>` | |
DATA_STORAGE_WRITE | Gain write access on data storages | An attacker can use the gained privileges to modify data in the data storages of your cloud environment. | |
DISABLE_CLOUDTRAIL | Disable Logs to CloudTrail | An attacker can use the gained privileges to disable the CloudTrail logs that record activity from the AWS CLI, console or API within your AWS account. This further allows an attacker to navigate your account without leaving traces. | |
DISABLE_CLOUDWATCH | Disable Logs to CloudWatch | An attacker can use the gained privileges to disable the CloudWatch logs of your cloud application. This further allows the attacker to attack the underlying cloud application without leaving traces. | |
ESCALATION_NO_IMPACT | Critical actions without impact/newly-gained-privileges found | Actions necessary for a privilege escalation were found, but the attacker could not acquire any new permissions. The attacker would be able to escalate privileges if the cloud setup allowed it, e.g. `iam:PassRole` is possible but no role to pass exists. This turns into a security vulnerability as soon as the cloud setup changes accordingly! | |
ESCALATION_WITHOUT_TARGET | Privilege escalation without detected target of escalation action | A possibility for privilege escalation was found for which no target resources could be computed. This should not be ignored, as escalation may become possible at a later point when a fitting resource has been created in the account. E.g., the attacker has access to `iam:PassRole`, but no role was found that the user could pass. It is highly recommended to fix this issue anyway, as creating a too open role later might render this scenario exploitable! | |
GAIN_CREDENTIALS_ACCESS | Gain Access to Credentials | An attacker can use the gained privileges to steal sensitive credentials from your cloud account. The credentials can then be used to access other services, such as databases, AWS user accounts or cloud application accounts (Cognito). | |
GAIN_IAM_PRIVILEGES | Gain additional IAM Permissions / IAM Privilege Escalation | An attacker can use the gained privileges to attach further roles to resources or identities and gain access to even more cloud resources. | |
GAIN_USER_ACCESS | Gain access over an AWS user's account | An attacker can use the gained privileges to obtain access to an AWS user's account and then use the newly gained account to modify the infrastructure or exfiltrate data. | |
KMS_DECRYPT | Decrypt data using AWS KMS | An attacker can use the gained privileges to decrypt sensitive data within your account. Using KMS, the attacker can decrypt any data that has been stored encrypted with the same keys. | |
KMS_ENCRYPT | Encrypt data using AWS KMS | An attacker can use the gained privileges to encrypt data within the account. If the attacker can access an arbitrary KMS key in a different AWS account as well as some data storage, this allows a ransomware attack that encrypts all data. https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ | |
MODIFY_EC2_NETWORK | Modify Infrastructure (Security Groups, Networks & VPCs) | An attacker can use the gained privileges to modify EC2 instance hosts, volumes or VPC endpoints. | |
MODIFY_EC2_SECURITY | Modify Infrastructure (Security Groups, Networks & VPCs) | An attacker can use the gained privileges to open a new port (for instance SSH, port 22) on an EC2 instance. | |
SPAWN_COSTLY_SERVICE | Spawn cost-intensive AWS services | An attacker can use the gained privileges to spawn cost-intensive services and increase your cloud bill. Make sure billing alarms are enabled on AWS. https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html | |
TAKEOVER_AMPLIFY | Takeover of Amplify | An attacker can use the gained privileges to update your Amplify application with arbitrary new logic. | |
TAKEOVER_CLOUDFRONT | Takeover of CloudFront Distributions | An attacker can use the gained privileges to replace the origin bucket of your CloudFront distribution. The attacker can attach their own bucket and serve an arbitrary website. | |
TAKEOVER_CODECOMMIT | Takeover of CodeCommit Environment | An attacker can use the gained privileges to steal your application's source code or any other sensitive data within the git repositories. | |
TAKEOVER_COGNITO | Takeover of Cognito User Pools | An attacker can use the gained privileges to gain access to a user's account on your cloud application served by Cognito. | |
TAKEOVER_EC2 | Takeover of EC2 Instances | An attacker can use the gained privileges to gain root access on an EC2 instance. https://hackingthe.cloud/aws/exploitation/local-priv-esc-mod-instance-att/ | |
TAKEOVER_LAMBDA | Takeover of Lambda | An attacker can use the gained privileges to make an internal Lambda function publicly reachable via a Lambda Function URL. | |
UNCLASSIFIED_IMPACT | Privilege escalation allowed the attacker to gain new unclassified permissions | The attacker was able to gain new permissions and potentially access new resources. The gained permissions are not classified by a more concrete attack goal. | |